
Phishing still a mystery to most web users

by Ian Williams

11 Jun 2009

Phishing attacks can seriously affect public trust in an organisation

Phishing web sites are still a mystery to the majority of internet users, according to a recent study by VeriSign.

The report is part of the company's research into the clues people use to spot potentially unsafe sites. VeriSign set up a Phish or No Phish site, and asked visitors to identify which of two web site images, presented side by side, was a phishing site.

The most commonly missed indication was the poor level of spelling on the phishing site. Around 88 per cent of those who took part in the test failed to spot the typographical mistakes that would have identified the site as bogus.

The lack of a padlock symbol was missed by 57 per cent of respondents, and 34 per cent failed to spot a suspiciously altered domain name. A request for additional account information, such as bank log-in details, duped 23 per cent of visitors.

To help educate users, VeriSign has created Extended Validation for SSL Certificates, which turns the address bar of a genuine site green, making it difficult for phishers and counterfeiters to hijack a brand and its customers.

"With nine out of 10 people in the UK vulnerable to phishing scams, a method for easily identifying a genuine site from a phishing site is a must for all businesses online," said Tim Callan, vice president of product marketing at VeriSign.

"By adopting Extended Validation, a site owner makes it easy for web users to see that the site they are on is genuine. When a shopper visits a site secured in this way, a high-security browser will trigger the address bar to turn green. For additional clarity, the name of the organisation listed in the certificate, as well as the certificate's security vendor, is also displayed."

Callan added that he would like to see a greater drive to educate web users in how to spot a potentially dangerous site, such as making sure the web address has no anomalies, checking the presence of a padlock and noting that the address starts with 'https' when entering sensitive information. He also encouraged users to make sure they use web browsers that support Extended Validation.

"Phishing continues to be a major challenge for online businesses," said Andrew McClelland, director of business development at industry body IMRG.

"It takes only one phishing attack to dramatically reduce the web browsing public's trust in an organisation. Once that trust is lost, it is very difficult to regain. And, with competition just a click away, it is something that businesses cannot afford to lose."

Callan pointed out that, although phishing is still a major part of all cyber-criminal activity, the growth of malware is catching up fast, as fraudsters change their attack vectors to circumvent technologies such as Extended Validation.

A similar code-signing certification created for operating systems would give users more information on who is creating and supplying applications that are installed on their PCs, said Callan.

Do you agree?

 
