Studies show Internet users are easily fooled by frauds
by Alan Zisman (c) 2006
First published in Business in Vancouver, April 18-24, 2006; issue 860; High Tech Office column
You’re at work and have a computer connected to the Internet. You
use e-mail for communicating with business contacts and use the Web in
a variety of ways connected to your job. But all the time, that
Internet connection is temptingly available.
According to a recent survey of over 10,000 employees by employee Internet management solutions provider Burstek, 78 per cent use their work Internet access for personal purposes.
On average, employees spend over a fifth of their at-work online time
on personal entertainment or personal business activities.
These include shopping, entertainment, personal e-mail, sports, chat,
job searches and game playing.
Some eight per cent of the personal use involves gambling and
pornography.
Other personal use includes file sharing and activities that can result
in the installation of spyware onto business computers.
Employers face loss of employee productivity and network bandwidth,
potential legal liability and network and computer security risks.
While it might be tempting for employers to limit personal Internet access, San Francisco attorney Eric J. Sinrod notes, “Some freedom actually can boost employee morale and can lead to increased employee productivity.”
Nevertheless, he concludes, “It is important for employers to
develop acceptable Internet usage policies and to utilize appropriate
Web filtering.”
The full report can be found at
www.burstek.com/resource_page.htm.
Phishing involves using e-mail to lure users to websites that appear to
be from financial institutions.
On those Web pages, users are asked to enter account numbers and
passwords.
This information is used to gain fraudulent access to financial
accounts.
Phishing e-mails have gotten as many as two million users to give out
information that led to US$1.2 billion in losses in 2003.
Harvard researcher Rachna Dhamija, along with University of California (Berkeley) researchers J. D. Tygar and Marti Hearst, has been looking at why phishing works.
The researchers showed subjects 20 websites to see whether participants
could determine which were fraudulent.
Well-designed phishing websites fooled 90 per cent of their test
subjects.
Overall, subjects were wrong about 40 per cent of the time, partly
because they didn’t pay attention to the cues that their Web
browsers (both Internet Explorer and Firefox) gave relating to security.
Nearly three-quarters of the participants ignored pop-up warnings about
fraudulent security certificates, for example.
Vulnerability to phishing was not related to education, age, sex,
experience or hours of computer use.
The study notes some of the techniques often used to mimic legitimate
websites.
These include substituting letters in Web addresses, for instance using
“www.paypai.com” in place of “www.paypal.com”
or “bankofthevvest.com” for “bankofthewest.com”
or using non-standard font characters.
An image of a legitimate link can be used to cover up the rogue link,
while other images of legitimate browser windows or dialogue boxes can
be used to help mimic a legitimate website.
Links to legitimate bank Web pages can make fraudulent Web pages appear
more trustworthy.
While these phishing websites go to great lengths to fool visitors, Web
browsers often give clues to their fraudulent nature if users pay
attention.
For instance, placing the mouse on a link shows the linked address on
the status bar along the bottom of the browser window.
A quick glance would show if the actual address didn’t match the
one displayed on the webpage. Too often, however, users are focused on
their primary task, and fail to read the fine print. Even users who are
scanning for the presence of the closed-padlock icon that indicates SSL
security can be fooled if a picture of the icon appears in the body of
the fraudulent (and unsecured) Web page rather than in the address and
status bars where they belong.
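As an added example, not code from the column or from the study it describes, here is a small defender-side check in Python for two of the cues above: it folds the letter substitutions the column names ('i' for 'l', 'vv' for 'w', plus a few assumed common ones) so a lookalike host can be matched against a brand list, and it flags links whose visible text names a different domain than the real target, which is what the status bar would reveal. The brand list, the extra substitutions and the sample links are my own constructions, and the domain splitting is deliberately naive.

```python
import re
from urllib.parse import urlparse
# Confusable swaps: the column's own examples are 'i' for 'l' (paypai) and
# 'vv' for 'w' (bankofthevvest); the remaining rows are assumed common swaps.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("i", "l")]
BRANDS = {"paypal.com", "bankofthewest.com"}  # constructed allow-list for the demo
HOST_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

def fold(name: str) -> str:
    """Lower-case and collapse lookalike characters so 'paypai' equals 'paypal'."""
    for lookalike, real in CONFUSABLES:
        name = name.lower().replace(lookalike, real)
    return name

def registered_domain(host: str) -> str:
    # Last two labels only; naive, ignores multi-part TLDs such as co.uk.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike_of(host: str):
    """Brand domain that `host` imitates, or None if it is the real one or unrelated."""
    domain = registered_domain(host)
    if domain in BRANDS:
        return None
    return next((b for b in BRANDS if fold(b) == fold(domain)), None)

def link_mismatch(display_text: str, href: str) -> bool:
    """True when visible text names a domain other than the href's (the status-bar cue)."""
    m = HOST_LIKE.match(display_text.strip())
    real = urlparse(href).hostname
    if not m or not real:
        return False
    return registered_domain(m.group(1)) != registered_domain(real)

def audit(links):
    """Return (text, href, reasons) for every link that trips either check."""
    findings = []
    for text, href in links:
        host = urlparse(href).hostname or ""
        reasons = []
        if brand := lookalike_of(host):
            reasons.append(f"host {host} resembles {brand}")
        if link_mismatch(text, href):
            reasons.append(f"visible text {text!r} points at {host}")
        if reasons:
            findings.append((text, href, reasons))
    return findings
SAMPLE_LINKS = [  # constructed sample links, as they might appear in a phishing e-mail
    ("www.paypal.com", "http://www.paypai.com/login"),     # lookalike host, text mismatch
    ("Bank of the West", "https://bankofthevvest.com/"),   # lookalike host only
    ("www.paypal.com", "https://www.paypal.com/account"),  # legitimate
]
```

Running `audit(SAMPLE_LINKS)` reports the first two links and passes the third.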
Bottom line: your financial institution will never send you an e-mail
requesting that you go online and enter your user information. Never.
If in doubt, contact the institution directly. The full study is
available at:
www.deas.harvard.edu/~rachna/papers/wh_phishing_works.pdf