Article

Why phishing works

Authors:

Rachna Dhamija,

Marti HearstAuthors Info & Claims

CHI '06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Pages 581 - 590

https://doi.org/10.1145/1124772.1124861

Published: 22 April 2006 Publication History

Abstract

To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.

References

[1]

Ang, L., C. Dubelaar, & B. Lee. To Trust or Not to Trust? A Model of Internet Trust From the Customer's Point of View. Proc. 14th Bled E-Commerce Conf. (2001), 25--26.]]

[2]

Anti-Phishing Working Group. Phishing Activity Trends Report November 2005 (2005).]]

[3]

Anti-Phishing Working Group Phishing Archive. http://anti-phishing.org/phishing_archive.htm]]

[4]

Ba, S. & P. Pavlov. Evidence of the Effect of Trust Building Technology in Electronic Markets: Price Premiums and Buyer Behavior. MIS Quarterly, 26, 3 (2002), 243--268.]]

[5]

Cheskin Research. E-commerce Trust Study (1999).]]

[6]

Dhamija, R. Authentication for Humans: The Design and Analysis of Usable Security Systems. Ph.D. Thesis, University of California Berkeley (2005).]]

Digital Library

[7]

Dhamija, R. & J. D. Tygar. The Battle Against Phishing: Dynamic Security Skins. Proc. SOUPS (2005).]]

Digital Library

[8]

Egger, F.N. Affective Design of E-commerce User Interfaces: How to Maximize Perceived Trustworthi-ness. Proc. Intl. Conf. Affective Human Factors De-sign (2001), 317--324.]]

[9]

Fogg, B. J. Stanford Guidelines for Web Credibility. Res. Sum. Stanford Persuasive Tech. Lab. (2002).]]

[10]

Fogg, B. J. et al. How Do Users Evaluate the Credibility of Web Sites?: A Study with Over 2,500 Par-ticipants. Proc. DUX (2003).]]

Digital Library

[11]

Fogg, B. J. et al. What Makes Web Sites Credible?: A Report on a Large Quantitative Study. Proc. CHI (2001), 61--68.]]

Digital Library

[12]

Franco, R. Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers. IEBlog, Nov. 21, 2005.]]

[13]

Friedman, B. et al. Users' Conceptions of Risks and Harms on the Web: A Comparative Study. Ext. Abs. CHI (2002), 614--615.]]

Digital Library

[14]

Friedman, B. et al. Users' Conceptions of Web Security: A Comparative Study. Ext. Abs. CHI (2002), 746--747.]]

Digital Library

[15]

Gefen, D. Reflections on the Dimensions of Trust and Trustworthiness Among Online Consumers. ACM SIGMIS Database, 33, 3 (2002), 38--53.]]

Digital Library

[16]

Hemphill, T. Electronic Commerce and Consumer Privacy: Establishing Online Trust in the U.S. Digital Economy. Bus. & Soc. Rev., 107, 2 (2002), 331--239.]]

[17]

Jagatic, T., N. Johnson, & M. Jakobsson. Phishing Attacks Using Social Networks (Indiana U. Human Subject Study 05-9892 & 05-9893). (2005).]]

[18]

Kim, D., Y. Song, S. Braynov, & H. Rao. A B-to-C Trust Model for Online Exchange. Proc. Americas Conf. on Inf. Sys. (2001), 784--787.]]

[19]

Lee, M. & E. Turban. A Trust Model for Consumer Internet Shopping. Intl J. Elec. Commerce, 6, 1, (2001), 75--91.]]

Digital Library

[20]

Litan, A. Phishing Attack Victims Likely Targets for Identity Theft. Gartner Research (2004).]]

[21]

Loftesness, S. Responding to ""Phishing"" Attacks. Glenbrook Partners (2004).]]

[22]

MailFrontier, MailFrontier Phishing IQ Test II (2005).]]

[23]

Princeton Survey Research Associates, A Matter of Trust. (2002).]]

[24]

Secunia. http://secunia.com/.]]

[25]

Secunia, Internet Explorer URL Spoofing Vulnerability (2004).]]

[26]

Secunia, Multiple Browsers Vulnerable to the IDN Spoofing Vulnerability (2005).]]

[27]

Stone, D. et al. User Interface Design & Evaluation. Elsevier (2005).]]

Digital Library

[28]

Wang, Y & H. Emurian. An Overview of Online Trust. Computers in Human Behavior, 21, 1 (2005), 105--125.]]

[29]

Wu, M., R. Miller, & S. Garfinkel. Do Security Toolbars Actually Prevent Phishing Attacks? Posters SOUPS (2005).]]

Cited By

Agnes Kikelomo AIsrael Oludayo O(2024)Development of a Phishing Detection System Using Support Vector MachineInternational Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24MAY353(247-257)Online publication date: 17-May-2024
https://doi.org/10.38124/ijisrt/IJISRT24MAY353
Kwizera IMicheal S(2024)Developing a Multi-Layered Defence System to Safeguard Data against Phishing AttacksInternational Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24FEB1107(2022-2033)Online publication date: 5-Apr-2024
https://doi.org/10.38124/ijisrt/IJISRT24FEB1107
Aslam SAslam HManzoor AChen HRasool A(2024)AntiPhishStack: LSTM-Based Stacked Generalization Model for Optimized Phishing URL DetectionSymmetry10.3390/sym1602024816:2(248)Online publication date: 17-Feb-2024
https://doi.org/10.3390/sym16020248
Show More Cited By

Index Terms

Why phishing works
1. Applied computing
  1. Electronic commerce
2. Human-centered computing
  1. Human computer interaction (HCI)

Recommendations

A Sender-Centric Approach to Detecting Phishing Emails
CYBERSECURITY '12: Proceedings of the 2012 International Conference on Cyber Security

Email-based online phishing is a critical security threat on the Internet. Although phishers have great flexibility in manipulating both the content and structure of phishing emails, phishers have much less flexibility in completely concealing the ...
A phishing analysis of web based systems
ICCCS '11: Proceedings of the 2011 International Conference on Communication, Computing & Security

Phishing is form of identity theft that uses the social engineering techniques and sophisticated attack vectors to harvest financial information from unsuspecting consumers. It is a kind of attack in which phishers use spoofed emails and fraudulent web ...
How Experts Detect Phishing Scam Emails
CSCW

Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CHI '06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

April 2006

1353 pages

ISBN:1595933727

DOI:10.1145/1124772

Editors:
Rebecca Grinter
Georgia Institute of Technology, USA
,
Thomas Rodden
University of Nottingham, UK
,
Paul Aoki
Intel, USA
,
Ed Cutrell
Microsoft, USA
,
Robin Jeffries
Google, USA
,
Gary Olson
University of Michigan, USA

Copyright © 2006 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 April 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CHI06

Sponsor:

CHI06: CHI 2006 Conference on Human Factors in Computing Systems

April 22 - 27, 2006

Québec, Montréal, Canada

Acceptance Rates

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

Upcoming Conference

CHI '25

Sponsor:
sigchi

CHI Conference on Human Factors in Computing Systems

April 26 - May 1, 2025

Yokohama , Japan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

802
Total Citations
View Citations
15,237
Total Downloads

Downloads (Last 12 months)1,095
Downloads (Last 6 weeks)158

Reflects downloads up to 25 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Agnes Kikelomo AIsrael Oludayo O(2024)Development of a Phishing Detection System Using Support Vector MachineInternational Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24MAY353(247-257)Online publication date: 17-May-2024
https://doi.org/10.38124/ijisrt/IJISRT24MAY353
Kwizera IMicheal S(2024)Developing a Multi-Layered Defence System to Safeguard Data against Phishing AttacksInternational Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24FEB1107(2022-2033)Online publication date: 5-Apr-2024
https://doi.org/10.38124/ijisrt/IJISRT24FEB1107
Aslam SAslam HManzoor AChen HRasool A(2024)AntiPhishStack: LSTM-Based Stacked Generalization Model for Optimized Phishing URL DetectionSymmetry10.3390/sym1602024816:2(248)Online publication date: 17-Feb-2024
https://doi.org/10.3390/sym16020248
Trad FChehab A(2024)Prompt Engineering or Fine-Tuning? A Case Study on Phishing Detection with Large Language ModelsMachine Learning and Knowledge Extraction10.3390/make60100186:1(367-384)Online publication date: 6-Feb-2024
https://doi.org/10.3390/make6010018
Burda PAllodi LSerebrenik AZannone N(2024)'Protect and Fight Back': A Case Study on User Motivations to Report Phishing EmailsProceedings of the 2024 European Symposium on Usable Security10.1145/3688459.3688473(30-43)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3688459.3688473
Cao YDhekne AAmmar MKim YKim JKoushanfar FRasmussen K(2024)UWB-Auth: A UWB-based Two Factor Authentication PlatformProceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3643833.3656113(185-195)Online publication date: 27-May-2024
https://dl.acm.org/doi/10.1145/3643833.3656113
Burda PAllodi LZannone N(2024)Cognition in Social Engineering Empirical Research: A Systematic Literature ReviewACM Transactions on Computer-Human Interaction10.1145/363514931:2(1-55)Online publication date: 29-Jan-2024
https://dl.acm.org/doi/10.1145/3635149
Pourmohamad RWirsz SOest ABao TShoshitaishvili YWang RDoupé ABazzi RQuek TGao DZhou JCardenas A(2024)Deep Dive into Client-Side Anti-Phishing: A Longitudinal Study Bridging Academia and IndustryProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3657027(638-653)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3657027
Jiang HJi PZhang TCao HLiu D(2024)Two-Factor Authentication for Keyless Entry System via Finger-Induced VibrationsIEEE Transactions on Mobile Computing10.1109/TMC.2024.336833123:10(9708-9720)Online publication date: Oct-2024
https://doi.org/10.1109/TMC.2024.3368331
Huang LZhu Q(2024)ZETAR: Modeling and Computational Design of Strategic and Adaptive Compliance PoliciesIEEE Transactions on Computational Social Systems10.1109/TCSS.2023.332353911:3(4001-4015)Online publication date: Jun-2024
https://doi.org/10.1109/TCSS.2023.3323539
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents