Indian American researcher Arun Vishwanath from the University at Buffalo has revealed that online phishers are increasingly using "information-rich" e-mails with graphics, logos and markers that communicate authenticity to lure people.
Such e-mails alter recipients' cognitive processes in a way that facilitates their victimisation. In addition, the text is carefully framed to sound personal, arrest attention and invoke fear. "It will often include a deadline for response for which the recipient must use a link to a spoof 'response' website.
Such sites, set up by the phisher, can install spyware that data mines the victim's computer for usernames, passwords, address books and credit card information," explained Vishwanath, professor of communication. The study involved 125 undergraduate university students - a group often targeted by phishers - who were sent an experimental phishing e-mail from a Gmail account prepared for use in the study.
The message used a reply-to address and sender's address, both of which included the name of the university. The e-mail was framed to emphasise urgency and invoke fear. It said there was an error in the recipients' student e-mail account settings that required them to use an enclosed link to access their account settings and resolve the problem.
They had to do so within a short time period, they were told, otherwise they would no longer have access to the account. According to Vishwanath, 49 participants replied to the phishing request immediately and another 36 replied after a reminder. "'Presence' makes a message feel more personal, reduces distrust and also provokes heuristic processing, marked by less care in evaluating and responding to it," he pointed out.
In these circumstances, researchers found that if the message asks for personal information, people are more likely to hand it over, often very quickly. In this study, such an information-rich phishing message triggered a victimisation rate of 68 percent among participants.
"These are significant findings that indicate the importance of developing anti-phishing interventions that educate individuals about the threat posed by richness and presence cues in e-mails," he explained. The results were shared at the 48th Hawaii International Conference on System Sciences at the University of Hawaii recently.