Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/18/2009
01:17 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Research: 88 Percent Of American Web Users Unable To Spot Phishing Sites

Respondents were asked to identify which of two Web site images presented side by side was a fraudulent phishing site, VeriSign explains

BOSTON, MA--(Marketwire - June 15, 2009) - Internet Retailer Conference & Expo, Booth #1043 - A YouGov survey* commissioned by VeriSign, Inc. (NASDAQ: VRSN) has revealed that 88 percent of Web users in the United States are at risk from online fraud because they can't identify the different forms of phishing currently happening online.

The research asked each respondent to identify which of two Web site images presented side by side was a fraudulent phishing site. The most frequently missed "tell tale" indicator was the misspelling on the site, with 88 percent failing to spot the spelling mistakes that would have identified the phishing site. The other such tell tale indicators respondents failed to spot include:

-- No padlock symbol in the browser address bar -- 68 percent duped -- URL containing unspecified, numerical, domain name -- 42 percent duped -- Unnecessary request for additional account information -- 33 percent duped

"In today's economic environment, businesses have a hard enough time competing without having to battle fraudulent, look-alike phishing sites," said Craig Spiezle, executive director of the Online Trust Alliance. "Just one phishing attack can dramatically diminish the relationship an online business has built with its customers. For these businesses, the stakes are enormous."

Phishing scams and online fraud have created doubt and concern among online shoppers. To regain their trust, site owners need an easy, reliable way to show customers that their transactions are secure -- and that they are who they say they are. Security vendors and Internet browsers have combined forces to establish the Extended Validation (EV) standard for SSL Certificates. With this technology, the browser and certificate authority control the display, making it difficult for phishers and counterfeiters to hijack a brand and its customers.

"With nine out of 10 people in the U.S. vulnerable to phishing scams, a method for easily identifying a genuine site from a phishing site is a must for all businesses online," said Tim Callan, vice president of product marketing at VeriSign. "By adopting Extended Validation, a site owner makes it easy for Web users to see that the site they are on is genuine. When a Web user visits a site secured in this way, a high-security browser will trigger the address bar to turn green. For additional clarity, the name of the organization listed in the certificate as well as the certificate's security vendor is also displayed."

"We were blown away by the impact our EV SSL Certificate had on our company; an 87 percent higher registration rate is tremendous," said Darren Shafae, founder and vice president of Paper-Check.com. "It's one thing to encrypt transmissions online, but quite another thing to assure customers that the recipient is the intended party and not an impostor. And that's just what the EV SSL green address bar signifies."

Phishing, a nationwide issue

Of the seven countries included in the research -- the United States, Germany, Sweden, Australia, India, Denmark and the United Kingdom -- the United States is the least likely to identify the tell tale signs of a phishing site that were tested for in the survey. In addition, the United States is the only country where the youngest section of the population, those between 18 and 24, is the least likely age group to identify a phishing site.

Knowledge is key to fighting phishing. To this end, VeriSign has compiled its Top five tips to distinguish a real site from a phishing site.

Consumers should check whether or not a site is genuine and whether it is taking measures to protect their personal details by looking for the following:

1. https:// in the URL: The "s" in https:// means the site is encrypted, so the information you enter is secured. While some phishing sites do have a secured Web address, many do not. Therefore, site visitors should be on the lookout for missing security on sites that should have it. 2. The padlock icon: To be meaningful, this icon must appear in the actual browser interface and not inside the content of the page itself. 3. Trust marks: Simple visual cues in the form of popular logos can show that a Web site is authenticated and secured, and that a company is reputable. 4. Check the Web address: Be suspicious of any site with an unknown domain that contains the name of a well known site in the latter part of the Web address. 5. Green address bar: Signifies that a site has undergone extensive identity authentication so that you can be confident it is the site it claims to be.

Take the Phish or No Phish Challenge yourself at www.phish-no-phish.com or visit Booth #1043 at the Internet Retailer Conference & Expo for a live demonstration.

The online survey was commissioned by VeriSign and conducted by YouGov on May 20-22, 2009. 1,015 U.S. adults (aged 18+) were polled in the sample.

About VeriSign

VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign helps companies and consumers all over the world engage in communications and commerce with confidence. Additional news and information about the company is available at www.verisign.com.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...