Most Web users are unable to spot phishing sites

(21/07/2009)

According to a YouGov survey commissioned by VeriSign, Inc., 88 per cent of Web users in the UK are at risk from online fraud by not being able to identify the different forms of phishing currently happening online.

The research asked each respondent to identify which of two Web site images presented side by side was a fraudulent phishing site. The most frequently missed “tell tale” was the spelling on the site, with 88 per cent failing to spot the spelling mistakes that would have identified the phishing site.

The other “tell tales” include:
· No padlock symbol in the browser address bar – 57 per cent duped
· URL containing unspecified, numerical, domain name – 34 per cent duped
· Request for additional account information – 23 per cent duped

“Phishing continues to be a major challenge for online businesses,” said Andrew McClelland, Director of Business Development at industry body IMRG. “It takes only one phishing attack to dramatically reduce the Web browsing public’s trust in an organization. Once that trust is lost, it is very difficult to regain, and with competition just a click away, something that businesses cannot afford to lose.”

Phishing scams and online fraud have created doubt and concern among online shoppers. To regain their trust, site owners need an easy, reliable way to show customers that their transactions are secure – and they are who they say they are. Security vendors and Internet browsers have combined forces to establish the Extended Validation standard for SSL Certificates. With this technology, the browser and the certificate authority control the display, making it difficult for phishers and counterfeiters to hijack a brand and its customers.

“Since adding extended validation authentication, which produces a green address bar in our browser, Quickrooms.com’s sales have increased by nearly seven per cent,” said Stephen Mills, product manager for QuickRooms.com. “The green glow generates an extra level of trust, which helps reassure customers that they’ve come to the authentic Quickrooms.com Web site. Thanks to VeriSign EV SSL, and the increased level of trust our users now have, we’ve seen an increase in bookings.”

“With nine out of ten people in the UK vulnerable to phishing scams, a method for easily identifying a genuine site from a phishing site is a must for all businesses online,” said Tim Callan, vice president of product marketing at VeriSign. “By adopting Extended Validation, a site owner makes it easy for Web users to see that the site they are on is genuine. When a shopper visits a site secured in this way, a high-security browser will trigger the address bar to turn green. For additional clarity, the name of the organization listed in the certificate as well as the certificate’s security vendor is also displayed.”

Regional findings

The research also provides insight into the vulnerability of different parts of the population. Women are 12 per cent more likely to be a victim of phishing than men, while people in Northern Ireland are the least likely to fall into the Internet fraudsters’ traps. The most vulnerable age group is the over 55s, who are 10 per cent more likely to be a victim of phishing than average and 30 per cent more likely to be duped by phishing than an 18 to 24 year old.

Knowledge is key to fighting phishing and to this end VeriSign has compiled its Top five tips to distinguish a real site from a phishing site.

Consumers should check whether or not a site is genuine and is taking measures to protect their personal details by looking for the following:

1. https:// The “s” in https:// means the site is encrypted, so the information you enter is secured. While some phishing sites do have a secured Web address, many do not. Therefore, site visitors should be on the lookout for missing security on sites that should have it.
2. The padlock icon: To be meaningful this icon must appear in the actual browser interface and not inside the content of the page itself.
3. Trust marks: Simple visual cues in the form of popular logos can show that a Web site is authenticated, secured, and the company is reputable.
4. Check the Web address: Be suspicious of any site with an unknown domain that contains the name of a well known site in the latter part of the Web address.
5. Green address bar: This signifies that this site has undergone extensive identity authentication so that you can be confident it is the site it claims to be.

Related topics:  Hacking and intrusion prevention   Internet and Web security 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources