Team for Research in
Ubiquitous Secure Technology

Why Phishing Works
Rachna Dhamija, Doug Tygar, Marti Hearst

Citation
Rachna Dhamija, Doug Tygar, Marti Hearst. "Why Phishing Works". CHI '06: Proceedings of the SIGCHI conference on Human Factors in computing systems, ACM Special Interest Group on Computer-Human Interaction, 581-590, January, 2006.

Note: Slashdot mentions a Security Focus Interview about this paper.

Abstract
To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.

Electronic downloads

Citation formats  
  • HTML
    Rachna Dhamija, Doug Tygar, Marti Hearst. <a
    href="http://www.truststc.org/pubs/104.html">Why
    Phishing Works</a>, CHI '06: Proceedings of the SIGCHI
    conference on Human Factors in computing systems, ACM
    Special Interest Group on Computer-Human Interaction,
    581-590, January, 2006; <p>Note: <a
    href="http://it.slashdot.org/article.pl?sid=06/06/28/1430257"
    >Slashdot</a>
    mentions a
    <a
    href="http://www.securityfocus.com/columnists/407"
    >Security Focus Interview</a> about this paper.</p>
  • Plain text
    Rachna Dhamija, Doug Tygar, Marti Hearst. "Why Phishing
    Works". CHI '06: Proceedings of the SIGCHI conference
    on Human Factors in computing systems, ACM Special Interest
    Group on Computer-Human Interaction, 581-590, January, 2006.
    Note: Slashdot (http://it.slashdot.org/article.pl?sid=06/06/28/1430257)
    mentions a Security Focus Interview
    (http://www.securityfocus.com/columnists/407) about this paper.
  • BibTeX
    @inproceedings{DhamijaTygarHearst06_WhyPhishingWorks,
        author = {Rachna Dhamija and Doug Tygar and Marti Hearst},
        title = {Why Phishing Works},
        booktitle = {CHI '06: Proceedings of the SIGCHI conference on
                  Human Factors in computing systems},
        organization = {ACM Special Interest Group on Computer-Human
                  Interaction},
        pages = {581--590},
        month = {January},
        year = {2006},
        note = {Slashdot
                  (http://it.slashdot.org/article.pl?sid=06/06/28/1430257)
                  mentions a Security Focus Interview
                  (http://www.securityfocus.com/columnists/407)
                  about this paper.},
        abstract = {To build systems shielding users from fraudulent
                  (or phishing) websites, designers need to know
                  which attack strategies work and why. This paper
                  provides the first empirical evidence about which
                  malicious strategies are successful at deceiving
                  general users. We first analyzed a large set of
                  captured phishing attacks and developed a set of
                  hypotheses about why these strategies might work.
                  We then assessed these hypotheses with a usability
                  study in which 22 participants were shown 20 web
                  sites and asked to determine which ones were
                  fraudulent. We found that 23% of the participants
                  did not look at browser-based cues such as the
                  address bar, status bar and the security
                  indicators, leading to incorrect choices 40% of
                  the time. We also found that some visual deception
                  attacks can fool even the most sophisticated
                  users. These results illustrate that standard
                  security indicators are not effective for a
                  substantial fraction of users, and suggest that
                  alternative approaches are needed. },
        URL = {http://www.truststc.org/pubs/104.html}
    }
    

Posted by Christopher Brooks on 28 Jun 2006.
Groups: trust
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.