This paper addresses the question of why phishing works. We analyzed a set of phishing attacks and developed a set of hypotheses about how users are deceived. We tested these hypotheses in a usability study: we showed 22 participants 20 web sites and asked them to determine which ones were fraudulent, and why. Our key findings are:

• Well-crafted phishing websites fooled 90% of participants.
• Existing anti-phishing browsing cues are ineffective: 23% of participants in our study did not look at the address bar, the status bar, or the browser's security indicators at all.
• On average, our participant group made mistakes on our test set 40% of the time.