18 April 2006
Phishing is one of the fastest growing threats to IT security. Even though security vendors are constantly developing tools to protect users from being tricked, this form of fraud is still rising. The reason: people are easily fooled.
A recent study by scientists at UC Berkeley and Harvard University shows that even though people have been warned about the increasing number of phishing attacks, users still get fooled. Phishing tends to work because of people's naivety.
The report states that good phishing sites fooled 90 % of the participants and that the participants made mistakes on the test set 40 % of the time. 23 % of them did not look at the address bar, status bar or the security indicators. 15 out of 22 participants proceeded without hesitation when presented with warnings, showing that security tools might not be as effective as hoped.
There are three main reasons why people are fooled.
1. Lack of knowledge:
Many users lack basic knowledge of how operating systems, applications, email and the web work, and of how to distinguish among them. Phishing sites exploit this lack of knowledge in several ways. For instance, some users do not understand the meaning or the syntax of domain names and cannot distinguish legitimate from fraudulent URLs. Other attacks forge email headers, and in many cases users do not even understand security indicators, which suggests that SSL is not an appropriate security tool on its own.
2. Visual deception:
Phishers use visual deception tricks to mimic legitimate text, images and windows. Even users with good knowledge may be deceived by these:
- Visually deceptive text: Users may be fooled by the syntax of a domain name in "typejacking" attacks, which substitute letters that may go unnoticed (e.g. paypaI.com uses an uppercase "I", which looks similar to a lowercase "l")
- Images masking underlying text
- Images mimicking windows
- Windows masking underlying windows
- Deceptive look and feel
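As an added example (not part of the original article or of the cited study), here is a small Python check for the look-alike domain trick described in the list above. It extracts the host a browser would actually connect to from a URL, maps visually confusable characters to the letters they imitate, and flags any domain whose normalized form collides with a known legitimate domain while its raw form does not match. The confusable table, the list of legitimate domains and the sample URLs are constructed assumptions for illustration, not data from the study.

```python
"""Flag look-alike ("typejacking") domain names.

Added example, not code from the original article or the cited study.
The confusable map, the legitimate-domain list and the sample inputs are
constructed for illustration only.
"""
from urllib.parse import urlparse

# Characters and digraphs that are easy to confuse on screen, mapped to the
# letters they are likely to be impersonating (constructed, illustrative table).
CONFUSABLES = {
    "I": "l",   # uppercase i resembles lowercase L (the paypaI.com case)
    "1": "l",
    "|": "l",
    "0": "o",
    "O": "o",
    "5": "s",
    "$": "s",
    "3": "e",
    "8": "b",
    "vv": "w",
    "rn": "m",
    "cl": "d",
}

# Domains the organisation treats as genuine (constructed sample list).
LEGITIMATE_DOMAINS = {"paypal.com", "example.com"}


def normalize_label(label: str) -> str:
    """Replace confusable characters with the letters they mimic.

    Multi-character confusables are applied first so that "rn" becomes "m"
    before the single-character rules run. Replacement happens before
    lowercasing, because lowercasing "I" would hide the "I" -> "l" trick.
    """
    out = label
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(src, dst)
    return out.lower()


def classify_domain(domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for a hostname."""
    host = domain.strip().rstrip(".")
    if host.lower() in LEGITIMATE_DOMAINS:
        return "legitimate"
    normalized = ".".join(normalize_label(part) for part in host.split("."))
    if normalized in LEGITIMATE_DOMAINS:
        # Raw name is not a known domain, but it reads like one on screen.
        return "lookalike"
    return "unknown"


def hostname_from_url(url: str) -> str:
    """Extract the host a browser would connect to, preserving letter case.

    Anything before '@' in the authority is user information, not the host,
    so http://paypal.com@evil.example/ really connects to evil.example.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.netloc.rsplit("@", 1)[-1]   # drop user:password@
    return host.split(":", 1)[0]              # drop :port


def classify_url(url: str) -> tuple:
    """Return (real host, verdict) for a URL as a user might see it."""
    host = hostname_from_url(url)
    return host, classify_domain(host)


if __name__ == "__main__":
    # Constructed sample URLs for a quick demonstration.
    for sample in (
        "https://paypal.com/",
        "http://paypaI.com/login",
        "http://paypa1.com/login",
        "http://paypal.com@evil.example/login",
        "http://exarnple.com/",
    ):
        print(sample, "->", classify_url(sample))
```

The check is deliberately conservative: a domain is flagged only when its normalized spelling collides with a domain on the known-good list, so unrelated sites such as ones that merely contain "rn" are reported as unknown rather than suspicious. Extending the confusable table to Unicode homoglyphs or comparing against a larger brand list follows the same pattern.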
3. Bounded attention:
Even if users have sufficient knowledge and can detect the visual deception described above, they may still be deceived if they fail to notice security indicators.
Such indicators can be overlooked in two ways:
- Lack of attention to security indicators: Security is often a secondary goal. When users are focused on their primary tasks, they may not notice security indicators or read warning messages.
- Lack of attention to the absence of security indicators: Users do not reliably notice the absence of a security indicator.
The report clearly illustrates that even when users expect spoofs to be present, they are easily fooled into giving information to phishers. In the study, the best phishing site was able to fool as many as 90 % of the participants. Indicators that are designed to signal trustworthiness were not understood, and 23 % used only the content of the website to evaluate its authenticity, without looking at other portions of the browser.
The report indicates that there is an urgent need to increase users' awareness and knowledge of phishing attacks and fraudulent web pages. Together with effective protection tools that prevent phishing emails from reaching the inbox, these are some of the main tasks for people working in Internet security.
Read more about how to prevent phishing attacks and effective protection tools here.
