
Phishing and Pharming and Phraud, oh my

The ability to recognize people who want to take advantage of you is core to survival. Researchers studying the evolution of cognition suggest that we begin to develop generic "cheating detection algorithms" through exposure to the types of deception that occur day to day (Cosmides and Tooby, 1989; Cheng and Holyoak, 1985; Vasek, 1986). In a general way, we learn to suspect deception and become cautious when there is a notable inconsistency between what is happening and what we expected to happen.

Yet consumers' ability to spot fraud on the Internet is still not very good. This is because our ability to hone our generic "cheater detectors" depends on specific or "mediating" knowledge of the deception environment. When you think about it, it's not hard to imagine why. Even savvy users find it hard to keep up with the newest scam. Can you define phishing? How about pharming?

Here are the Wikipedia definitions for these Internet deception methods:

  • Phishing (also carding and spoofing) is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.
  • Pharming is the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain Name for a site, and to redirect that Web site's traffic to another Web site.

And there's more:

  • Page-jacking and mouse-trapping are techniques used by scammers to divert Internet users from their intended Web destination to the scammer's site (page-jacking), from which the user is unable to leave using the browser's back, forward or even close buttons (mouse-trapping).

And, with all the excitement about phishing and pharming, people forget about just plain fraud.

It's not surprising that people have a hard time identifying Internet deception. The specific cues you use to detect fraud in the rest of your life don't really apply in cyberspace. In bricks-and-mortar transactions you can see who you are dealing with. In cyberspace, grifters are harder to spot... if they are even there at all.

The average victim of Internet fraud loses over $700, not counting lost time.

The good news is that as consumers learn more about how the Internet works they will, by extension, learn more about how Internet deception works. It will become much harder to dupe them. Like magic, deception is usually not so tricky if you know where to look. The challenge then, is to help consumers learn where to look.

Organizations like Consumer WebWatch, the Internet arm of Consumers Union, have published reports intended to guide consumers to correctly identify the characteristics of a credible Internet site. One problem is that not enough consumers read their reports. And of those that do read them, not enough actually check the cues. Another problem is that those who practice Internet fraud do seem to read the reports.

Researchers like Grazioli are taking a different route. Grazioli's work (and his work with colleagues like Jarvenpaa) contrasts the behavior of successful and unsuccessful deception detectors. Consumers who are good at detecting deception on the Internet rely on assurance cues – concrete parameters of an organization or its business model that can be evaluated for truthfulness (e.g., the phone number) or legal validity (e.g., a warranty). In contrast, consumers who fail to notice deception tend to assign credibility based on trust cues – self-reported marketing elements (e.g., customer testimonials or product sales reports) which are difficult to verify, at best.

When people are lying they tend to touch their faces. What do Web sites do?

Grazioli observed these differences in a controlled study of deception detection. In this study, 80 business- and IT-savvy participants were asked to visit a specific used laptop reseller site and help a friend decide whether purchasing a $625 laptop from that particular site was a good idea – essentially to give a second opinion about the credibility of the site. If the participant felt comfortable with the site, he or she would then purchase the laptop using the friend's credit card number.

Half of the participants in Grazioli's study visited an active and functioning laptop reseller Web site. The other half were "page-jacked" to a "deception" site. The deception site was identical to the base site, except that six known deception cues (Yamagishi and Yamagishi, 1994) had been added or altered. The altered cues included:

  • A forged Better Business Bureau assurance Seal leading to a real looking report
  • A warranty that was too good to be true
  • False business location information
  • Forged newsclips from professional magazines
  • Impossibly exaggerated Company sales statistics
  • Universally positive, hyperbolic customer endorsements

After viewing the site and purchasing the laptop (or not), participants completed a survey exploring whether they perceived the site to be deceptive or not, i.e., whether they had succeeded or failed at detecting deception.

Participants were considered successful if they were suspicious of the altered site or recognized the real site as trustworthy. Unsuccessful deception detectors either failed to register suspicion of the altered site or perceived significant deception even on the trustworthy site.

Overall, even these business- and IT-savvy users were not able to discriminate between the trustworthy and the deceptive site. 55% of participants trusted the deceptive site (30% correctly suspected it; 15% were not sure). Only 38% correctly trusted the good site (32% were suspicious; 30% were not sure).

Have you ever looked at the rear view mirror but not into it?

In this study the deception cues were abundant, but they were subtle. Participants could have established that the altered cues were deceptive by:

  • Cross-checking the business entry on the BBB site. Although clicking on the assurance seal in the study led to a detailed report that contained links back to the BBB, the report was forged. The only way to definitively establish that a company has a relationship with the BBB is to check the BBB site.
  • Reading and evaluating the business claims and promises realistically.
    • Notice when the warranty seems too good to be true – in the study: "No questions full refund. Any time. Forever."
    • Evaluate the business claims. In this example, the disparity between the exaggerated sales statistics (25,000 units sold) and the inventory (5 units) is improbable.
  • Validating the phone number against the address in a reverse directory. In the study the company presented a Seattle business address but a California area code. Careful participants also noticed that the office in the photo did not have the same address as the business address listed on the Web site.
  • Validating third-party recommendations, including news clips and professional recommendations. In the study, links back to the source were broken or dropped users on the homepage rather than on the recommendation itself. Do link back to verify the source. Look for the same recommendations on the source pages.
  • Verifying customer endorsements and testimonials. If that's not possible, be suspicious.
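The first four checks above can be partly automated. The following is an added example, not code or data from the article or from Grazioli's study; the area-code table, the `SiteProfile` fields, the issuer domain and the sales-to-inventory threshold are all constructed assumptions. The two profiles are modelled on the study's description of the deceptive and genuine sites.

```python
"""Automated assurance-cue checks: phone vs. address, seal origin,
news-clip links, and sales claim vs. inventory (added example)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed subset of area code -> state; a real check uses a full
# reverse directory (assumption, not from the article).
AREA_CODE_STATE = {"206": "WA", "425": "WA", "415": "CA", "650": "CA"}
SEAL_ISSUER_DOMAIN = "bbb.org"   # assumed domain of the seal issuer


@dataclass
class SiteProfile:
    claimed_state: str        # state in the business address on the page
    phone: str                # phone number shown on the page
    seal_link: str            # where clicking the assurance seal leads
    news_clip_links: list     # "as seen in ..." links back to the sources
    claimed_units_sold: int   # sales statistic printed on the page
    units_in_stock: int       # inventory the page actually lists


def area_code(phone: str) -> str:
    digits = "".join(ch for ch in phone if ch.isdigit())
    return digits[-10:-7]     # tolerates an optional leading country code


def audit(profile: SiteProfile) -> list:
    """Return one finding per assurance cue that fails verification."""
    findings = []
    # 1. Phone number and address must point at the same place.
    state = AREA_CODE_STATE.get(area_code(profile.phone))
    if state is None:
        findings.append("phone: area code not in directory, unverifiable")
    elif state != profile.claimed_state:
        findings.append(f"phone: area code is {state}, address says "
                        f"{profile.claimed_state}")
    # 2. The seal's report must be served by the issuer, not by the site.
    host = urlparse(profile.seal_link).hostname or ""
    if not (host == SEAL_ISSUER_DOMAIN or host.endswith("." + SEAL_ISSUER_DOMAIN)):
        findings.append(f"seal: report served from {host or 'unknown host'}, "
                        f"not {SEAL_ISSUER_DOMAIN}")
    # 3. A clip link that lands on a homepage cannot be checked.
    for link in profile.news_clip_links:
        if urlparse(link).path in ("", "/"):
            findings.append(f"clip: {link} points at a homepage, not an article")
    # 4. Sales claim vs. visible inventory (1000x is a constructed threshold).
    if profile.units_in_stock and profile.claimed_units_sold > 1000 * profile.units_in_stock:
        findings.append(f"sales: {profile.claimed_units_sold} units claimed sold "
                        f"with only {profile.units_in_stock} in stock")
    return findings


# Constructed profiles modelled on the study's description, not its data.
DECEPTIVE_SITE = SiteProfile(
    claimed_state="WA", phone="(415) 555-0100",
    seal_link="https://laptops.example/bbb-report.html",   # hosted by the site
    news_clip_links=["https://magazine.example/"],          # homepage only
    claimed_units_sold=25000, units_in_stock=5)
GENUINE_SITE = SiteProfile(
    claimed_state="WA", phone="(206) 555-0100",
    seal_link="https://www.bbb.org/profile/laptops-example",  # constructed path
    news_clip_links=["https://magazine.example/reviews/2004/laptops-example"],
    claimed_units_sold=400, units_in_stock=5)

if __name__ == "__main__":
    for name, site in (("deceptive", DECEPTIVE_SITE), ("genuine", GENUINE_SITE)):
        print(name, audit(site) or ["no assurance-cue failures"])
```

Note that the checks only tell you a cue is inconsistent or unverifiable; as the article stresses, confirming a seal or a news clip still means going to the issuer's or publisher's own site.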

Louisiana (Alabama, Mississippi and Texas) on my mind.

In his study, Grazioli also noticed that successful deception detectors focused on a different set of cues than those who failed. Successful detectors focused on assurance cues (trust seals, warranties, physical location). In contrast, those who missed the deception focused on trust cues (customer testimonials). To validate trust cues you must trust the company. To validate assurance cues, you must go to organizations outside the one you are seeking to do business with.

Chasing validation at this level seems like a lot of work. Perhaps that's because, for most of us, strategies for identifying bad risks don't include looking outside the business itself. For a bricks-and-mortar establishment we go to the address. We talk to the employees. We see the customer service/returns desk. We hold the receipt and warranty in our hands. On the Internet, those – largely implicit – cues are missing. Our general strategies for detecting deception in the world may work, but our ability to detect deception on the Internet still needs fine tuning.


References

Cheng, P.W. and Holyoak, K.J. (1985). Pragmatic Reasoning Schemas. Cognitive Psychology 17, 391–416.

Grazioli, S. (2004). Where Did They Go Wrong? An Analysis of the Failure of Knowledgeable Internet Consumers to Detect Deception Over the Internet. Group Decision and Negotiation 13, 149–172.

Grazioli, S. and Jarvenpaa, S. (in press). Deceived: Under Target on Line. Communications of the ACM.

Tooby, J. and Cosmides, L. (1989). Evolutionary Psychology and the Generation of Culture, Part 1. Ethology and Sociobiology 10, 29–49.

Vasek, M.E. (1986). Lying as a Skill: The Development of Deception in Children. In R.W. Mitchell (Ed.), Deception: Perspectives on Human and Non-Human Deceit. NY: State University of New York Press.

Yamagishi, T. and Yamagishi, M. (1994). Trust and Commitment in the United States and Japan. Motivation and Emotion 18 (2), 129–165.


Reader comments

David Harley
NHS Connecting for Health

1) Wikipedia's definition is slightly misleading: phishing is a special case of carding, which can include many aspects of credit card fraud, rather than a synonym, while spoofing has many other meanings in computer security.

2) The application of the concepts of assurance cues and trust cues is important in this context, but it applies in many Internet contexts. The really interesting question is why 419s and chainmail/hoaxes, which are usually crudely engineered compared to the "better" phishing and money mule recruitment scams and have been around a lot longer, continue to reel in so many victims. There are many reasons for this, but clearly long-term publicity and education hasn't stopped people being distracted by trust cues in these contexts.

3) Practical solutions are (or would be) highly desirable. But the examples of creative thinking (eBay and PayPal) are also examples of heavily phished organizations confusing the end user with the mixed signals that result when understanding of the problems is not uniform across all staff – classically, there is often an enormous dissonance between security and marketing personnel. Many phished organizations compound the problem by using email distribution practices that blur the distinction between phish and legitimate marketing mail.

Linda Jo

Your article provided some important and very helpful information – thank you.
