Indian American researcher Arun Vishwanath from the University at
Buffalo has revealed that online phishers are increasingly using
"information-rich" e-mails with graphics, logos and markers that
communicate authenticity to lure people.
Such e-mails alter recipients' cognitive processes in a way that facilitates their victimisation.
In addition, the text is carefully framed to sound personal, arrest attention and invoke fear.
"It
will often include a deadline for response for which the recipient must
use a link to a spoof 'response' website. Such sites, set up by the
phisher, can install spyware that data mines the victim's computer for
usernames, passwords, address books and credit card information,"
explained Vishwanath, professor of communication.
The study
involved 125 undergraduate university students - a group often targeted
by phishers - who were sent an experimental phishing e-mail from a Gmail
account prepared for use in the study.
The message used a reply-to address and sender's address, both of which included the name of the university.
The e-mail was framed to emphasise urgency and invoke fear.
It
said there was an error in the recipients' student e-mail account
settings that required them to use an enclosed link to access their
account settings and resolve the problem.
They had to do so within a short time period, they were told, otherwise they would no longer have access to the account.
According to Vishwanath, 49 participants replied to the phishing request immediately and another 36 replied after a reminder.
"'Presence'
makes a message feel more personal, reduces distrust and also provokes
heuristic processing, marked by less care in evaluating and responding
to it," he pointed out.
In these circumstances, researchers found
that if the message asks for personal information, people are more
likely to hand it over, often very quickly.
In this study, such an information-rich phishing message triggered a victimisation rate of 68 percent among participants.
"These
are significant findings that indicate the importance of developing
anti-phishing interventions that educate individuals about the threat
posed by richness and presence cues in e-mails," he explained.
The results were shared at the 48th Hawaii International Conference on System Sciences at the University of Hawaii recently.
