Posted on 2006-01-01. Authored by Julie S Downs, Mandy B Holbrook, Lorrie Faith Cranor
Phishing emails are semantic attacks that con people into divulging sensitive information using techniques to make the user believe that information is being requested by a legitimate source. In order to develop tools that will be effective in combating these schemes, we first must know how and why people fall for them. This study reports preliminary analysis of interviews with 20 nonexpert computer users to reveal their strategies and understand their decisions when encountering possibly suspicious emails. One of the reasons that people may be vulnerable to phishing schemes is that awareness of the risks is not linked to perceived vulnerability or to useful strategies in identifying phishing emails. Rather, our data suggest that people can manage the risks that they are most familiar with, but don't appear to extrapolate to be wary of unfamiliar risks. We explore several strategies that people use, with varying degrees of success, in evaluating emails and in making sense of warnings offered by browsers attempting to help users navigate the web.