Researchers at Harvard and the University of California at Berkeley found that the best fraudulent sites could still fool more than 90 percent of the survey's highly educated participants.
[Read more of this fabulous review]

Why Phishing Works

What makes a web site credible? This question has been addressed extensively by researchers in computer-human interaction. This paper examines a twist on this question: what makes a bogus website credible? In the last two years, Internet users have seen the rapid expansion of a scourge on the Internet: phishing, the practice of directing users to fraudulent web sites. This question raises fascinating questions for user interface designers, because both phishers and anti-phishers do battle in user interface space. Successful phishers must not only present a highcredibility web presence to their victims; they must create a presence that is so impressive that it causes the victim to fail to recognize security measures installed in web browsers.

Data suggest that some phishing attacks have convinced up to 5% of their recipients to provide sensitive information to spoofed websites [21]. About two million users gave information to spoofed websites resulting in direct losses of $1.2 billion for U.S. banks and card issuers in 2003 [20]. [Over 16,000 unique phishing attack websites were reported to the Anti-Phishing Working Group in November 2005 [2].]

If we hope to design web browsers, websites, and other tools to shield users from such attacks, we need to understand which attack strategies are successful, and what proportion of users they fool. However, the literature is sparse on this topic.

This paper addresses the question of why phishing works. We analyzed a set of phishing attacks and developed a set of hypotheses about how users are deceived. We tested these hypotheses in a usability study: we showed 22 participants 20 web sites and asked them to determine which ones were fraudulent, and why. Our key findings are:
• Good phishing websites fooled 90% of participants.
• Existing anti-phishing browsing cues are ineffective. 23% of participants in our study did not look at the address bar, status bar, or the security indicators.
• On average, our participant group made mistakes on our test set 40% of the time.
[Read the paper]