accurately, it paints a dismal picture of a very small sample of academic staff and students at a prestigious American university. The rest of us might back ourselves to do rather better, but the results are interesting nevertheless.)
In this study, 22 participants were sent to 19 different websites allegedly belonging to a range of well-known banks and other companies associated with on-line financial transactions. Of these, seven were real and 12 were spoofed. The goal was to identify which ones were bogus. Only one site (a real one) was identified correctly by all 22 participants. All the other sites, real and fake, got a mixture of answers. Eight of the sites (including six spoofed ones) were misidentified by 11 (50%) or more of the participants. In the worst two results, more than 80% of the participants said that a bogus site was real.
The study explains these results quite clearly. It is worth repeating the explanation (or, as the study more conservatively calls it, a hypothesis) because it emphasizes how hard it is for us to be aware of everything we need to take into account when making value judgements on-line, and shows how easy it is for phishers and other on-line fraudsters to exploit this:
‘…Participants made incorrect judg[e]ments because they lacked knowledge of how computer systems worked and did not have an understanding of security systems and indicators. More experienced participants were tripped up by visual deception, e.g. when the address was spoofed or when images of the browser [user interface] with security indicators were