A new paper published by three academics tries to explain why, after all the press about phishing scams, so many computer users continue to fall for them.

"Why Phishing Works," written by Rachna Dhamija of Harvard University and Marti Hearst and J. D. Tygar of the University of California at Berkeley, points out that despite a general awareness of phishing rackets, most users are unable to discern the difference between a legitimate Web site and one spoofed to look like the site of a bank or other financial institution.

In one exercise, the researchers created a fake bank site that fooled 91 percent of subjects participating in the experiment.

The error ran in both directions: 77 percent of subjects misidentified a legitimate E*Trade e-mail as fraudulent. Experts attribute part of the problem to ignorance and part to users failing to take simple precautions, such as looking closely at the browser's address bar before entering credentials.
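As an added illustration of what "looking closely at the address bar" actually involves, the Python below is example code written for this page; it is not from the paper or from ZDNet. It breaks a URL into its real host and compares the registrable domain, not the whole string, against a brand's domain, and flags the tricks a spoofed address most often relies on: a brand name buried in a subdomain or path, user-info before an "@" that pushes the real host out of view, a raw IP address, a punycode (xn--) label, a look-alike spelling, and a missing https. The brand domain, sample URLs, the look-alike table and the two-label registrable-domain rule are all assumptions; real tooling would consult the Public Suffix List instead of the two-label shortcut.

```python
"""Inspect a URL the way a careful user should inspect the address bar (added example)."""
from urllib.parse import urlsplit
import ipaddress

# Character sequences commonly used to imitate another letter (constructed list, not exhaustive).
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host.

    Assumption: two-label suffixes only. Real tooling must consult the
    Public Suffix List so that hosts such as 'bank.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise_lookalikes(text: str) -> str:
    """Replace common look-alike sequences so e.g. 'examp1ebank' compares equal to 'examplebank'."""
    out = text.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def assess_url(url: str, brand_domain: str) -> dict:
    """Return the true host of `url` plus a list of reasons it may be a spoof of `brand_domain`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []

    # 1. Anything before '@' is user-info, not the host; the real host is what follows it.
    if parts.username is not None:
        findings.append(f"text before '@' ({parts.username}) is user-info, real host is {host}")

    # 2. A bare IP address is not a bank's customer-facing login page.
    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("host is a raw IP address")
    except ValueError:
        pass

    # 3. Punycode labels (xn--) carry non-ASCII characters that may be homoglyphs.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("host contains a punycode (xn--) label")

    # 4. Compare the registrable domain, not the whole address, against the brand.
    reg = host if is_ip else registrable_domain(host)
    brand_reg = registrable_domain(brand_domain)
    brand_label = brand_reg.split(".")[0]
    if not is_ip and reg != brand_reg:
        if normalise_lookalikes(reg) == normalise_lookalikes(brand_reg):
            findings.append(f"'{reg}' is a look-alike of '{brand_reg}'")
        elif brand_label in host or brand_label in parts.path.lower():
            findings.append(f"brand name '{brand_label}' appears outside the registrable domain '{reg}'")
        else:
            findings.append(f"registrable domain is '{reg}', not '{brand_reg}'")

    # 5. A page asking for credentials should be served over https.
    if parts.scheme.lower() != "https":
        findings.append(f"scheme is '{parts.scheme}', not https")

    return {"host": host, "registrable_domain": reg, "findings": findings}


# Constructed sample URLs (not from the paper or the article), checked against a fictional brand.
BRAND = "examplebank.com"
SAMPLES = [
    "https://www.examplebank.com/login",                  # legitimate
    "http://www.examplebank.com.secure-login.net/login",  # brand name in a subdomain
    "http://www.examplebank.com@198.51.100.7/login",      # user-info trick plus raw IP
    "https://www.examp1ebank.com/login",                  # look-alike character
    "https://www.xn--exmplebank-pz4f.com/login",          # punycode host (constructed label)
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = assess_url(sample, BRAND)
        verdict = "OK" if not result["findings"] else "SUSPICIOUS"
        print(f"{verdict:10} {sample}")
        print(f"           host={result['host']}  " + "; ".join(result["findings"]))
```

The point of comparing registrable domains rather than scanning for the brand name is that the spoofed addresses in the study worked precisely because the familiar name was present somewhere in the URL; only the domain immediately left of the public suffix says who actually controls the page.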

Bernhard Otupal, a crime intelligence officer for high-tech crime at Interpol, noted that in one recent phishing scam, a number of users went to a site pretending to be that of a prominent bank and entered personal information even though they were not even customers of that bank.

ZDNet, 3 April 2006