
    Studies show Internet users are easily fooled by frauds

    by  Alan Zisman (c) 2006 First published in Business in Vancouver April 18-24, 2006; issue 860-

    High Tech Office column; 


    You’re at work and have a computer connected to the Internet. You use e-mail for communicating with business contacts and use the Web in a variety of ways connected to your job. But all the time, that Internet connection is temptingly available.

    According to a recent survey of over 10,000 employees by employee Internet management solutions provider Burstek, 78 per cent use that Internet access for personal use.

    On average, employees spend over a fifth of their at-work online time on personal entertainment or personal business activities.

    These include shopping, entertainment, personal e-mail, sports, chat, job searches and game playing.

    Some eight per cent of the personal use involves gambling and pornography.

    Other personal use includes file sharing and activities that can result in the installation of spyware onto business computers.

    Employers face loss of employee productivity and network bandwidth, potential legal liability and network and computer security risks.

    While it might be tempting for employers to limit personal Internet access, San Francisco attorney Eric J. Sinrod notes, “Some freedom actually can boost employee morale and can lead to increased employee productivity.”

    Nevertheless, he concludes, “It is important for employers to develop acceptable Internet usage policies and to utilize appropriate Web filtering.”

    The full report can be found at www.burstek.com/resource_page.htm.

    Phishing involves using e-mail to lure users to websites that appear to be from financial institutions.

    On those Web pages, users are asked to enter account numbers and passwords.

    This information is used to gain fraudulent access to financial accounts.

    Phishing e-mails have gotten as many as two million users to give out information that led to US$1.2 billion in losses in 2003.

    Harvard researcher Rachna Dhamija, along with University of California (Berkeley) researchers J. D. Tygar and Marti Hearst, has been looking at why phishing works.

    The researchers showed subjects 20 websites to see whether participants could determine which were fraudulent.

    Well-designed phishing websites fooled 90 per cent of their test subjects.

    Overall, subjects were wrong about 40 per cent of the time, partly because they paid no attention to the security cues that their Web browsers (both Internet Explorer and Firefox) displayed.

    Nearly three-quarters of the participants ignored pop-up warnings about fraudulent security certificates, for example.

    Vulnerability to phishing was not related to education, age, sex, experience or hours of computer use.

    The study notes some of the techniques often used to mimic legitimate websites.

    These include substituting letters in Web addresses, for instance using “www.paypai.com” in place of “www.paypal.com” or “bankofthevvest.com” for “bankofthewest.com”, or using characters from other alphabets that look like ordinary Latin letters when the browser renders them.

    An image of a legitimate link can be used to cover up the rogue link, while images of legitimate browser windows or dialog boxes can be used to help mimic a legitimate website.

    Links to legitimate bank Web pages can make fraudulent Web pages appear more trustworthy.

    While these phishing websites go to great lengths to fool visitors, Web browsers often give clues to their fraudulent nature if users pay attention.

    For instance, placing the mouse on a link shows the linked address on the status bar along the bottom of the browser window.

    A quick glance would show whether the actual address matches the one displayed on the webpage. Too often, however, users are focused on their primary task and fail to read the fine print.

    Even users who scan for the closed-padlock icon that indicates an SSL-encrypted connection can be fooled if a picture of the icon appears in the body of the fraudulent (and unencrypted) Web page rather than in the address and status bars, where the browser itself draws it.
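    The cues the study describes can also be checked mechanically rather than by eye. What follows is an added example, not code from the column or from the study: a small Node.js script that takes a page address and its HTML and flags look-alike hosts (the “paypai”/“bankofthevvest” letter substitutions and Cyrillic look-alike characters), links whose displayed address differs from where the href actually points, links whose only visible content is an image, and a padlock picture drawn in the body of an unencrypted page. The trusted-domain list, the table of confusable characters and the sample page are constructed for the illustration; nothing here is fetched from the network.

```javascript
// Added example (not from the original column or study): flags the phishing
// cues discussed in the text. TRUSTED_DOMAINS, CONFUSABLES and the sample
// page are constructed for illustration. Plain Node.js, no network access.

const TRUSTED_DOMAINS = ["paypal.com", "bankofthewest.com"];

// Characters and digraphs that pass for another letter in common fonts:
// a few Cyrillic look-alikes first, then Latin digraphs, then single ASCII
// look-alikes. A hand-picked subset, not Unicode's full confusables table.
const CONFUSABLES = [
  ["\u0430", "a"], ["\u0435", "e"], ["\u043e", "o"], ["\u0440", "p"],
  ["\u0441", "c"], ["\u0443", "y"], ["\u0456", "i"],
  ["vv", "w"], ["rn", "m"],
  ["1", "l"], ["i", "l"], ["0", "o"], ["5", "s"],
];

// Fold a host name so that names differing only by confusable
// substitutions collapse to one string: "paypai.com" -> "paypal.com".
function skeleton(host) {
  let s = host.toLowerCase();
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s;
}

// Last two labels of a host. Simplification: real code should consult the
// public suffix list so that names like "example.co.uk" are handled.
function registrableDomain(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Host named by a URL or by link text such as "www.paypal.com/verify".
// Parsed by hand (not with the URL class) so non-ASCII hosts stay as typed
// instead of being converted to punycode. Returns null for non-URL text.
function hostOf(text) {
  const m = /^(?:https?:\/\/)?([^\s\/:?#@]+\.[a-z]{2,})(?:[:\/?#]|$)/i.exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

// Cue 1: the host is not a trusted domain but folds to the same skeleton
// as one, i.e. it imitates that domain by letter substitution.
function lookAlikeOf(host) {
  const dom = registrableDomain(host);
  if (TRUSTED_DOMAINS.includes(dom)) return null;
  return TRUSTED_DOMAINS.find((t) => skeleton(t) === skeleton(dom)) || null;
}

// Cue 2: the address shown as link text names one host while the href
// points at another (what the status bar would reveal on mouse-over).
// A link whose visible content is only an image is reported as well.
function checkAnchor(href, inner) {
  const findings = [];
  const target = hostOf(href);
  if (!target) return findings;
  const fake = lookAlikeOf(target);
  if (fake) findings.push({ kind: "look-alike", detail: `${target} imitates ${fake}` });
  const text = inner.replace(/<[^>]*>/g, "").trim();
  if (text === "" && /<img\b/i.test(inner)) {
    findings.push({ kind: "image-link", detail: `image covers link to ${target}` });
    return findings;
  }
  const shown = hostOf(text);
  if (shown && registrableDomain(shown) !== registrableDomain(target)) {
    findings.push({ kind: "mismatch", detail: `shows ${shown}, goes to ${target}` });
  }
  return findings;
}

// Cue 3: a padlock picture inside the body of a page served over plain http.
function checkPadlock(pageUrl, html) {
  const insecure = /^http:\/\//i.test(pageUrl);
  const lockImage = /<img\b[^>]*\b(?:src|alt)\s*=\s*["'][^"']*(?:lock|secure)[^"']*["']/i.test(html);
  return insecure && lockImage
    ? [{ kind: "fake-padlock", detail: "lock icon drawn in body of an http page" }]
    : [];
}

// Run all three checks over a page and return the list of findings.
function analyzePage(pageUrl, html) {
  const findings = [];
  const pageHost = hostOf(pageUrl);
  const fake = pageHost && lookAlikeOf(pageHost);
  if (fake) findings.push({ kind: "look-alike", detail: `${pageHost} imitates ${fake}` });
  const anchorRe = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  for (const m of html.matchAll(anchorRe)) findings.push(...checkAnchor(m[1], m[2]));
  findings.push(...checkPadlock(pageUrl, html));
  return findings;
}

// Constructed sample page exhibiting every cue: a substituted letter, a
// Cyrillic "a", an image covering a link, an honest link, and a fake padlock.
const SAMPLE_PAGE_URL = "http://www.paypai.com/login";
const SAMPLE_HTML = `
<p>Please <a href="http://www.paypai.com/verify">www.paypal.com/verify</a> your account.</p>
<p><a href="http://www.p\u0430ypal.com/">www.paypal.com</a> (Cyrillic "a" in the host)</p>
<a href="http://bankofthevvest.com/"><img src="/img/link.png" alt="bankofthewest.com"></a>
<a href="https://www.paypal.com/help">Help Center</a>
<img src="/images/padlock.gif" alt="Secure site">
`;

for (const f of analyzePage(SAMPLE_PAGE_URL, SAMPLE_HTML)) console.log(f.kind + ": " + f.detail);
```

    On the sample page the script reports eight findings: the page host itself and three link targets imitate trusted domains, two links show one address while pointing at another, one link is hidden behind an image, and the padlock is a picture on an unencrypted page; the honest “Help Center” link is passed. The skeleton() fold is a deliberately small version of the confusable-folding idea, and the last-two-labels rule stands in for a real public-suffix lookup; a production filter would use the full tables.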

    Bottom-line: your financial institution will never send you an e-mail requesting that you go online and enter your user information. Never.

    If in doubt, contact the institution directly. The full study is available at: www.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf





Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached by e-mail.