Why Phishing Works
Rachna Dhamija, Doug Tygar, Marti Hearst

Citation
Rachna Dhamija, Doug Tygar, Marti Hearst. "Why Phishing Works". CHI '06: Proceedings of the SIGCHI conference on Human Factors in computing systems, ACM Special Interest Group on Computer-Human Interaction, 581-590, January, 2006;

Note: Slashdot mentions a Security Focus Interview about this paper.

Abstract
To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.

Electronic downloads

Citation formats

  • HTML
    Rachna Dhamija, Doug Tygar, Marti Hearst. <a href="http://www.truststc.org/pubs/104.html">Why Phishing Works</a>, CHI '06: Proceedings of the SIGCHI conference on Human Factors in computing systems, ACM Special Interest Group on Computer-Human Interaction, 581-590, January, 2006; <p>Note: <a href="http://it.slashdot.org/article.pl?sid=06/06/28/1430257">Slashdot</a> mentions a <a href="http://www.securityfocus.com/columnists/407">Security Focus Interview</a> about this paper.

  • Plain text
    Rachna Dhamija, Doug Tygar, Marti Hearst. "Why Phishing Works". CHI '06: Proceedings of the SIGCHI conference on Human Factors in computing systems, ACM Special Interest Group on Computer-Human Interaction, 581-590, January, 2006; Note: Slashdot mentions a Security Focus Interview about this paper.

  • BibTeX
    @inproceedings{DhamijaTygarHearst06_WhyPhishingWorks,
        author = {Rachna Dhamija and Doug Tygar and Marti Hearst},
        title = {Why Phishing Works},
        booktitle = {CHI '06: Proceedings of the SIGCHI conference on Human Factors in computing systems},
        organization = {ACM Special Interest Group on Computer-Human Interaction},
        pages = {581-590},
        month = {January},
        year = {2006},
        note = {Slashdot mentions a Security Focus Interview about this paper.},
        abstract = {To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.},
        URL = {http://www.truststc.org/pubs/104.html}
    }

Posted by Christopher Brooks on 28 Jun 2006.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.

© 2005-2010 Trust