Why phishing works

@article{Dhamija2006WhyPW,
  title={Why phishing works},
  author={Rachna Dhamija and J. Tygar and Marti A. Hearst},
  journal={Proceedings of the SIGCHI Conference on Human Factors in Computing Systems},
  year={2006}
}
To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites…
Why phishing still works: User strategies for combating phishing attacks
TLDR
It is found that gaze time on browser chrome elements does correlate to increased ability to detect phishing, and users' general technical proficiency does not correlate with improved detection scores.
Does domain highlighting help people identify phishing sites?
TLDR
It is concluded that domain highlighting, while providing some benefit, cannot be relied upon as the sole method to prevent phishing attacks.
Decision strategies and susceptibility to phishing
TLDR
Preliminary analysis of interviews with 20 non-expert computer users, conducted to reveal their strategies and understand their decisions when encountering possibly suspicious emails, suggests that people can manage the risks they are most familiar with but do not appear to extrapolate and become wary of unfamiliar risks.
Phish Phactors: Offensive and Defensive Strategies
TLDR
This chapter aims to provide an overview of the fundamental phishing techniques for delivering a successful attack, such as bulk emailing, fake websites and detection avoidance using a variety of obfuscation techniques, and surveys more sophisticated methods that may deceive even knowledgeable and vigilant users.
PhishZoo: Detecting Phishing Websites by Looking at Them
TLDR
This paper proposes a phishing detection approach that uses profiles of trusted websites' appearances to detect phishing; it provides accuracy similar to blacklisting approaches (96%), with the advantage that it can classify zero-day phishing attacks and targeted attacks against smaller sites (such as corporate intranets).
On the Effectiveness of Techniques to Detect Phishing Sites
TLDR
Over a period of three weeks, the effectiveness of the blacklists maintained by Google and Microsoft was tested against 10,000 phishing URLs, and the existence of page properties that can be used to identify phishing pages was explored.
Scam Augmentation and Customization: Identifying Vulnerable Users and Arming Defenders
TLDR
It is observed that participants who paid attention to more clues were better at distinguishing legitimate messages from phishing; hence training regimes should check for reasoning strategies, not just for who did not click on a link or download an attachment.
Verilogo: proactive phishing detection via logo recognition
Defending users against fraudulent Web sites (i.e., phishing) is a task that is reactive in practice. Blacklists, spam filters and takedowns all depend on first finding new sites and verifying that…
Sophisticated Phishers Make More Spelling Mistakes: Using URL Similarity against Phishing
TLDR
A way of using the URL itself for automated detection of phishing websites, by extracting and verifying different terms of a URL using search engine spelling recommendation, is presented.
Password Rescue: A New Approach to Phishing Prevention
TLDR
This work proposes a scheme that offers very little protection if only a small fraction of users participate but makes phishing almost impossible as deployment increases, which makes Password Rescue suitable for large deployment or not at all.

References

Do security toolbars actually prevent phishing attacks?
TLDR
It is found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be, and security toolbars are found to be ineffective at preventing phishing attacks.
The battle against phishing: Dynamic Security Skins
TLDR
A new scheme is proposed, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof.
Authentication for humans: the design and evaluation of usable security systems
How can we make computer security systems usable by human users? Computer security demands that we establish the identity of human users who access individual computers and online services.…
Phishing Attack Victims Likely Targets for Identity Theft
© 2004 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been…
How do users evaluate the credibility of Web sites?: a study with over 2,500 participants
In this study 2,684 people evaluated the credibility of two live Web sites on a similar topic (such as health sites). We gathered the comments people wrote about each site's credibility and analyzed…
Users' conceptions of web security: a comparative study
TLDR
The results show that many users across the three diverse communities mistakenly evaluated whether a connection is secure or not secure.
Users' conceptions of risks and harms on the web: a comparative study
In this study, we analyzed Web users' concerns about potential risks and harms from Web use to themselves and to society at large. In addition, we assessed how strongly users felt something should be…
What makes Web sites credible?: a report on a large quantitative study
TLDR
This large-scale study investigated how different elements of Web sites affect people's perception of credibility, and found which elements boost and which elements hurt perceptions of Web credibility.
Reflections on the dimensions of trust and trustworthiness among online consumers
  • D. Gefen
  • Psychology, Computer Science
  • DATB
  • 2002
TLDR
A three-dimensional scale of trustworthiness dealing with integrity, benevolence, and ability in the unique case of online consumer trust is proposed, and the importance of examining the effects of each dimension individually is shown.
An overview of online trust: Concepts, elements, and implications
TLDR
An overview of the nature and concepts of trust from multi-disciplinary perspectives is provided, and a framework of trust-inducing interface design features, articulated from the existing literature, is presented.