Cool stuff and UX resources
Phishing and Pharming and Phraud, oh my
The ability to recognize people who want to take advantage of you is core to survival. Researchers studying the evolution of cognition suggest that we begin to develop generic "cheating detection algorithms" through exposure to the types of deception that occur day to day (Cosmides and Tooby, 1989; Cheng and Holyoak, 1985; Vasek, 1986) In a general way, we learn to suspect deception and become cautious when there is a notable inconsistency between what is happening and what we expected to happen.
Yet, consumers' ability to spot fraud in the Internet is still not very good. This is because our ability to hone our generic "cheater detectors" depends on specific or "mediating knowledge" of the deception environment. When you think about it, it's not hard to imagine why. Even savvy users find it hard to keep up with the newest scam. Can you define Phishing? How about Pharming?
Here are the Wikipedia definitions for these Internet deception methods:
- Phishing: (also carding and spoofing) is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.
- Pharming: is the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain Name for a site, and to redirect that Web site's traffic to another Web site.
And there's more:
- Page-jacking and mouse-trapping: are techniques used by scammers to divert Internet users from their intended Web destination (page-jacking) to the scammers site from which the user is unable to leave using their browsers back, forward or even close buttons (mouse-trapping).
And, with all the excitement about phishing and pharming, people forget about just plain fraud.
Its not surprising that people have a hard time identifying Internet deception. The specific cues you use to detect fraud in the rest of your life work don't really apply in cyberspace. In bricks-and-mortar transactions you can see who you are dealing with. In cyberspace, grifters are harder to spot... if they are even there at all.
The average victim of Internet fraud loses over $700 not counting lost time
The good news is that as consumers learn more about how the Internet works they will, by extension, learn more about how Internet deception works. It will become much harder to dupe them. Like magic, deception is usually not so tricky if you know where to look. The challenge then, is to help consumers learn where to look.
Organizations like Consumer WebWatch, the Internet arm of Consumer Union, have published reports intended to guide consumers to correctly identify the characteristics of a credible Internet site. One problem is that not enough consumers read their reports. And of those that do read them, not enough actually check the cues. Another problem is that those who practice Internet fraud do seem to read the reports.
Researchers like Grazioli are taking a different route. Grazioili's work (and his work with colleagues like Jarvenpaa) contrasts the differences between the behavior of successful and unsuccessful deception detectors. Consumers good at detecting deception on the Internet evaluate on assurance cues – concrete parameters of an organization or its business model that can be evaluated for truthfulness (e.g., the phone number) or legal validity (e.g., a warranty). In contrast, consumers who fail to notice deception tend to assign credibility based on trust cues – self-report marketing elements (e.g., customer testimonials or product sales reports) which are difficult to verify, at best.
When people are lying they tend to touch their faces. What do Web sites do?
Grazioli observed these differences in a controlled study of deception detection. In this study, 80 "business and IT savvy participants were asked to visit a specific used laptop reseller site and help a friend to decide if purchasing a $625 laptop from that particular site was a good idea – essentially to give a second opinion about the credibility of a site. If the participant felt comfortable with the site, he or she would then purchase the laptop using the friend's credit card number.
Half of the participants in Grazioli's study visited an active and functioning laptop reseller Web site. The other were "page-jacked" to a "deception" site. The deception site was identical to the base site, except that six known deception cues (Yamagishi and Yamagishi, 1994) had been added or altered. The altered cues included:
- A forged Better Business Bureau assurance Seal leading to a real looking report
- A warranty that was too good to be true
- False business location information
- Forged newsclips from professional magazines
- Impossibly exaggerated Company sales statistics
- Universally positive, hyperbolic customer endorsements
After viewing the site and purchasing the laptop (or not), participants completed a survey exploring whether they perceived the site to be deceptive or not... or were unsuccessful at detecting deception.
Participants were considered successful if they were suspicious of the altered site or recognized the real site as trustworthy. Unsuccessful deception detectors either failed to register suspicion of the altered site or perceived significant deception even on the trustworthy site.
Overall, even these business and IT savvy users were not able to discriminate between the trustworthy and the deceptive site. 55% of participants trusted the deceptive site (30% correctly suspected; 15% were not sure). Only 38% correctly trusted the good site (32% were suspicious; 30% were not sure).
Have you ever looked at the rear view mirror but not into it?
In this study the deception cues were abundant but they were subtle. Participants could establish that the altered cues were deceptive by:
- Cross checking the business entry from the BBB site. Although clicking on the assurance seal in the study led to a detailed report that contained links back to the BBB, the report was forged. The only way to definitively establish that a company has a relationship with the BBB is to check the BBB site.
- Reading and evaluating the business claims and promises realistically.
- If the warranty seems to good to be true – in the study: No questions full refund. Any time. Forever.
- Evaluate the business claims. In this example, the disparity between exaggerated sales statistics claims (25,000 units sold) and the inventory (5 units) seems improbable.
- Validating the phone number against the address in a reverse directory. In the study the company presented a Seattle business address but a California area code. Careful participants also noticed that the office in the photo did not have the same address as the business address listed in the Web site.
- Validating 3rd party recommendations including news clips and professional recommendations. In the study, links back to the source were broken or dropped users on the homepage rather than the recommendation reference. Do link back to verify the source. Look for similar recommendations on the source pages.
- Verifying customer endorsements and testimonials. If that's not possible, be suspicious.
Louisiana (Alabama, Mississippi and Texas) on my mind.
In his study, Grazioli also noticed that successful deception detectors focused on a different set of cues than those who failed. Deception detectors focused on assurance cues (trust seals, warranties, physical location). In contrast, those who missed the deception focused on trust cues (customer testimonials). To validate trust cues you must trust the company. To validate assurance cues, you must go to organizations outside the one you are seeking to do business with.
Chasing validation at this level seems like a lot of work. Perhaps that's because for most of us, strategies for identifying bad risks don't include looking outside the business itself. For a bricks and mortar establishment we go to the address. We talk to the employees. We see the customer service/returns desk. We hold the receipt and warranty in our hands. On the Internet, those – largely implicit – cues are missing. Our general strategies for detecting deception in the world may work, but our ability to detect deception on the Internet still needs fine tuning.
References
Cheng P.W. and Holyoak, K.J., (1985). Pragmatic Reasoning Schemas. Cognitive Psychology 17, 391–416.
Grazioli, S., (2004). Where Did They Go Wrong? An Analysis of the Failure of Knowledgeable Internet Consumers to Detect Deception Over the Internet. Group Decision and Negotiation 13, 149–172.
Grazioli, S. and S. Jarvenpaa. (in press). Deceived: Under Target on Line. Communications of the ACM.
Tooby, J. and L. Cosmides. (1989). Evolutionary Psychology and the Generation of Culture, Part 1.Ethnology and Sociobiology 10, 29–49.
Vasek, M. E. (1986). Lying as a Skill: The Development of Deception in Children. In R.W. Mitchell (Ed.),Deception, Perspectives on Human and Non-Human Deceit. NY: State University of New York Publishing.
Yamagishi, T. and Yamagishi, M., (1994). Trust and Commitment in the United States and Japan.Motivation and Emotion 18 (2), 129–165.
Message from the CEO, Dr. Eric Schaffer — The Pragmatic Ergonomist
We need to find PRACTICAL ways to indicate that a site is the correct site and a trustworthy vendor. Let's look for creative solutions. Organizations like EBay and PayPal provide immediate access to seller information and buyer feedback. This allows users to instantly discriminate the trustworthy sellers. But now we need effective strategies for detecting deception in all the online environments. We can forget subtle discrimination of counterfeit logos and painstaking research. Let's all work to find quick, simple, common sense, and powerful methods that can really work. Otherwise the information spaces will be increasingly perilous, filled with invisible thugs and muggers.
Leave a comment here
Reader comments
David Harley
NHS Connecting for Health
1) Wikipedia's definition is slightly misleading: phishing is a special case of carding, which can include many aspects of credit card fraud, rather than a synonym, while spoofing has many other meanings in computer security.
2) The application of the concepts of assurance cues and trust cues is important in this context, but it applies in many Internet contexts. The really interesting question is why 419s and chainmail/hoaxes, which are usually crudely engineered compared to the "better" phishing and money mule recruitment scams and have been around a lot longer, continue to reel in so many victims. There are many reasons for this, but clearly long-term publicity and education hasn't stopped people being distracted by trust cues in these contexts.
3) Practical solutions are (or would be) highly desirable. But the examples of creative thinking (eBay and PayPal) are also examples of heavily phished organizations confusing the end user with the mixed signals that result when understanding of the problems is not uniform across all staff – classically, there is often an enormous dissonance between security and marketing personnel. Many phished organizations compound the problem by using email distribution practices that blur the distinction between phish and legitimate marketing mail.
Linda Jo
Your article provided some important and very helpful information – thank you.
Subscribe
Sign up to get our Newsletter delivered straight to your inbox