Surfers failing to spot phishing sites

by Tom Sanders in California

03 Apr 2006

Web users largely ignore the browser warning signals that could protect them from phishing attacks

Web users largely ignore the browser warning signals that could allow them to verify the authenticity and trustworthiness of a website, research has claimed.

In a study conducted by the universities of Berkeley and Harvard, a group of testers failed to identify 40 per cent of fraudulent websites. In one case, 91 per cent of the testers wrongly identified a website for an online bank as legitimate.

The exercise presented a group of 22 participants with 20 websites and asked them to determine which ones were fraudulent.

"These results illustrate that the standard security indicators are not effective for a substantial fraction of the users, and suggest that alternative approaches are needed," the researchers concluded.

Security certificates issued by an accredited certificate authority currently offer the only method to verify the authenticity of a website.

The certificate indicates that internet traffic is encrypted and displays the website's URL at the bottom of the window, allowing users to verify that they are on the website that they intended to visit.

In the Firefox and forthcoming Internet Explorer 7 browsers, the address bar will also change colour depending on the URL's security level. Browser developers are currently formulating a cross-browser standard.

Internet Explorer 7 will turn the bar red for a known phishing website, yellow for a suspected website and green for a trusted, encrypted website.

But the test subjects in the study largely ignored the padlock and address bar features, and few were aware of the role of certificate authorities.

Instead they used the webpage content as their primary way to judge the site's authenticity, allowing them to be fooled by well-constructed phishing websites.

The researchers blamed the poor results on a lack of general computer knowledge and of knowledge about security and security indicators, and recommended that software designers pay closer attention to the user instead of focusing on security technology.

"Our study suggests that a different approach is needed in the design of security systems. A usable design must take into account what humans do well and what they don't do well," said the researchers.

A PDF of the study is available for download from the Harvard website.
