Why phishing works

John Gruber has a brief note about the 'Facebook login' problem, pointing to the unfolding trainwreck at ReadWriteWeb. The core problem is that many users seem to have only a very shaky grasp of how to use the Web. Their strategy for finding, say, Facebook, is simply to type what they're looking for into Google, and then click the first result that comes up. As the ReadWriteWeb case demonstrates, once they get there they have no idea that they're not where they want to be.

I see the same thing. Our database of spam-advertised domains lists many domains, and in some cases our entry for a domain actually ranks higher in Google's results than the domain itself. To judge from some of the angry or desperate messages we get sent, many of the users who land on the site don't realize that they have landed on a page about Site X, rather than on Site X itself.

Sometimes this is a good thing. Users who get an email come-on from a fake-storefront or money-transfer scammer often search for the domain name given in the mail and end up on our page describing the scam. A small number of those may learn something and go away wiser. A larger number probably just become still more confused, but at least they've failed to reach the scammer's site, so that's still a positive outcome.

The problem is that these users — who can most politely be described as 'clueless' — are prime targets for phishing. If they click a link in an email and end up on a phishing site (and the odds are that they will click that link, because they don't know any better), they aren't going to realize they're being tricked. Look at all the people who entered comments on ReadWriteWeb — a site that looks nothing like Facebook — under the impression that they were on Facebook. Now put those people on a site that actually looks like the site they're expecting. Of course they're going to enter their username and password, and their mother's maiden name and anything else the site asks for.

We can think about ways that technology developers can make it easier for users to do the right thing than the wrong one — default start pages pre-seeded with large icons representing common sites, search results massaged to steer people in the right direction, and so on — but the problem runs deeper than that. Until everyone who uses the Internet has what might be called 'web literacy' — basic skills in finding and interpreting information on the web — the phishing problem is not going to go away.
