Tuesday, March 21, 2006
Should you install anti-phishing software?
via Dancho Danchev's blog:
MIT researchers have done a study of how effective anti-phishing toolbars are in real life. Real life includes having them used by real people, and that's where the trouble started.
Their experimental subjects kept going to simulated phishing sites even after their protective software tried to warn them. Sometimes they decided the site looked right so the anti-phishing toolbar must have made a mistake. Sometimes they said they were in too much of a hurry to finish the simulated tasks in the experiment to get bogged down in warnings from security software. Sometimes they didn't even notice the warnings.
This newsletter is here to offer concrete advice. What can we learn from the MIT study?
- Read the tutorial documentation, if any, that comes with your anti-phishing software. The experimental subjects were much savvier if they had read tutorials.
- Check out SpoofGuard. I haven't tried it myself but it's simple to use and provided the best results in the MIT study.
- Don't try to draw conclusions from how a web site looks and acts. Phishing is a business now and when the crooks copy a web site from your bank or from eBay they do a professional job. The site can look right, work right, and be covered with seals of approval and still be a fraudulent copy.
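The last point is the one worth automating: a page's logo, layout and seals can all be copied, but the host name the browser actually connected to cannot. The following is an added example written for this post, not code from the newsletter quoted above and not a description of how SpoofGuard works. It takes a URL and the brand domain the user thinks they are visiting and applies a few URL-only checks that were common phishing tricks at the time: a raw IP address as the host, a "user@host" prefix that puts the real bank's name before the "@", the brand name buried as a subdomain of a foreign domain, and digit-for-letter look-alikes. The trusted-domain list, the confusable-character table and the sample URLs are all constructed for the example.

```python
# Added example for this post: judge a link by the host the browser will really
# connect to, not by how the page looks. Not SpoofGuard's logic; constructed here.
from urllib.parse import urlsplit
import ipaddress

# Constructed table of characters phishers swap for letters (not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def real_host(url: str) -> str:
    """Host the browser actually connects to.

    urlsplit().hostname drops the port and anything before an '@', so
    'https://www.paypal.com@evil.example/' yields 'evil.example', not paypal.
    """
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalize_label(label: str) -> str:
    """Undo common look-alike substitutions so 'paypa1' compares as 'paypal'."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def check_url(url: str, expected: str) -> str:
    """Classify url against the brand domain the user believes they are on.

    expected is a registrable domain such as 'paypal.com'. The registrable
    part of the host is approximated as its last two labels (an assumption;
    a real tool would use the public suffix list).
    """
    host = real_host(url)
    if not host:
        return "no host"
    if is_ip_address(host):
        return "suspicious: raw IP address"
    if host == expected or host.endswith("." + expected):
        return "ok"
    registrable = ".".join(host.split(".")[-2:])
    if normalize_label(registrable) == expected:
        return "suspicious: look-alike domain"
    brand = expected.split(".")[0]
    if expected in host or brand in host.split("."):
        return "suspicious: brand name in a foreign domain"
    return "suspicious: unexpected domain"


if __name__ == "__main__":
    # Constructed sample links; the first is genuine, the rest are tricks.
    samples = [
        ("https://www.paypal.com/cgi-bin/webscr", "paypal.com"),
        ("https://www.paypal.com@203.0.113.5/login", "paypal.com"),
        ("http://paypal.com.secure-login.example/", "paypal.com"),
        ("https://www.paypa1.com/", "paypal.com"),
        ("https://evil.example/ebay/", "ebay.com"),
    ]
    for url, brand in samples:
        print(f"{check_url(url, brand):45} {url}")
```

None of these checks look at the page content, which is exactly the point of the newsletter's last bullet: the HTML can be a perfect copy, so the only signal that cannot be faked by copying is where the browser actually went.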