October 1, 2005
Internet Deception: How To Protect Yourself From Phraud, Phishing And Pharming
The ability of non-techy individuals to recognize and spot fraud and dangers on the Internet is still largely underdeveloped.
Few people are aware of the dangers, risks and types of hooks that malicious software, online devices, misleading emails and apparently normal web pages utilize to get access to their computers or to confidential, private information they may have saved in it.

Photo credit: Alex Maher
We know too little of the deceptive strategies and fake scenarios that serve as direct traps for capturing and attacking Web users during their unwary web wanderings.
The real-world clues that we have learned to use to decide whether to trust a business vendor or marketplace offering in the physical world are absent online, which makes it extremely difficult and time consuming for the average Internet user to recognize fraud and deception when they present themselves on the Web.
Here is Dr. Eric Schaffer's own take on the interesting results of a research study entitled "Perils of Internet Fraud: An Empirical Investigation of Deception and Trust with Experienced Internet Consumers", originally published in 2000, but still very relevant today.
PHISHING AND PHARMING AND PHRAUD, OH MY
The ability to recognize people who want to take advantage of you is core to survival. Researchers studying the evolution of cognition suggest that we begin to develop generic "cheating detection algorithms" through exposure to the types of deception that occur day to day (Cosmides and Tooby, 1989; Cheng and Holyoak, 1985; Vasek, 1986).
In a general way, we learn to suspect deception and become cautious when there is a notable inconsistency between what is happening and what we expected to happen.
Yet consumers' ability to spot fraud on the Internet is still not very good. This is because our ability to hone our generic "cheater detectors" depends on our specific or "mediating knowledge" of the deception environment. When you think about it, it's not hard to imagine why. Even savvy users find it hard to keep up with the newest scam. Can you define phishing? How about pharming?
Here are the Wikipedia definitions for these Internet deception methods:
- Phishing: (also carding and spoofing) is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.
- Pharming: is the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the domain name for a site, and to redirect that Web site's traffic to another Web site.
And there's more:
- Page-jacking and mouse-trapping: are techniques used by scammers to divert Internet users from their intended Web destination (page-jacking) to the scammer's site, from which the user is unable to leave using the browser's back, forward or even close buttons (mouse-trapping).
And, with all the excitement about phishing and pharming, people forget about just plain fraud.
It's not surprising that people have a hard time identifying Internet deception.
The specific cues you use to detect fraud in the rest of your life don't really apply in cyberspace.
In bricks-and-mortar transactions you can see who you are dealing with. In cyberspace, grifters are harder to spot... if they are even there at all.
THE AVERAGE VICTIM OF INTERNET FRAUD LOSES OVER $700 NOT COUNTING LOST TIME.
The good news is that as consumers learn more about how the Internet works they will, by extension, learn more about how Internet deception works. It will become much harder to dupe them. Like magic, deception is usually not so tricky if you know where to look.
The challenge then, is to help consumers learn where to look.
Organizations like Consumer WebWatch, the Internet arm of Consumers Union, have published reports intended to guide consumers to correctly identify the characteristics of a credible Internet site.
One problem is that not enough consumers read their reports. And of those that do read them, not enough actually check the cues. Another problem is that those who practice Internet fraud do seem to read the reports.
Researchers like Grazioli are taking a different route. Grazioli's work (and his work with colleagues like Jarvenpaa) contrasts the differences between the behavior of successful and unsuccessful deception detectors.
Consumers good at detecting deception on the Internet evaluate assurance cues -- concrete parameters of an organization or its business model that can be checked for truthfulness (e.g., the phone number) or legal validity (e.g., a warranty).
In contrast, consumers who fail to notice deception tend to assign credibility based on trust cues -- self-reported marketing elements (e.g., customer testimonials or product sales reports) which are difficult to verify, at best.
WHEN PEOPLE ARE LYING THEY TEND TO TOUCH THEIR FACES. WHAT DO WEB SITES DO?
Grazioli observed these differences in a controlled study of deception detection. In this study, 80 "business and IT savvy" participants were asked to visit a specific used laptop reseller site and help a friend decide if purchasing a $625 laptop from that particular site was a good idea -- essentially to give a second opinion about the credibility of the site. If the participant felt comfortable with the site, he or she would then purchase the laptop using the friend's credit card number.
Half of the participants in Grazioli's study visited an active and functioning laptop reseller Web site. The other half were "page-jacked" to a "deception" site.
The deception site was identical to the base site, except that six known deception cues (Yamagishi and Yamagishi, 1994) had been added or altered.
The altered cues included:
- A forged Better Business Bureau assurance Seal leading to a real looking report
- A warranty that was too good to be true
- False business location information
- Forged newsclips from professional magazines
- Impossibly exaggerated Company sales statistics
- Universally positive, hyperbolic customer endorsements
After viewing the site and purchasing the laptop (or not), participants completed a survey exploring whether they perceived the site to be deceptive or not. Based on their answers, participants were classified as either successful or unsuccessful at detecting deception.
Participants were considered successful if they were suspicious of the altered site or recognized the real site as trustworthy.
Unsuccessful deception detectors either failed to register suspicion of the altered site or perceived significant deception even on the trustworthy site.
Overall, even these business and IT savvy users were not able to discriminate between the trustworthy and the deceptive site.
55% of participants trusted the deceptive site (30% correctly suspected; 15% were not sure). Only 38% correctly trusted the good site (32% were suspicious; 30% were not sure).
HAVE YOU EVER LOOKED AT THE REAR VIEW MIRROR BUT NOT INTO IT?
In this study the deception cues were abundant but they were subtle.
Participants could establish that the altered cues were deceptive by:
- Cross-checking the business entry on the BBB site. Although clicking on the assurance seal in the study led to a detailed report that contained links back to the BBB, the report was forged. The only way to definitively establish that a company has a relationship with the BBB is to check the BBB site itself.
- Reading and evaluating the business claims and promises realistically:
  - Be wary if the warranty seems too good to be true -- in the study: No questions full refund. Any time. Forever.
  - Evaluate the business claims. In this example, the disparity between the exaggerated sales statistics (25,000 units sold) and the inventory (5 units) seems improbable.
- Validating the phone number against the address in a reverse directory. In the study the company presented a Seattle business address but a California area code. Careful participants also noticed that the office in the photo did not have the same address as the business address listed on the Web site.
- Validating third-party recommendations, including news clips and professional recommendations. In the study, links back to the source were broken or dropped users on the homepage rather than on the recommendation itself. Do follow the link back to verify the source, and look for the same recommendation on the source's pages.
- Verifying customer endorsements and testimonials. If that's not possible, be suspicious.
LOUISIANA (ALABAMA, MISSISSIPPI AND TEXAS) ON MY MIND
In his study, Grazioli also noticed that successful deception detectors focused on a different set of cues than those who failed. Deception detectors focused on assurance cues (trust seals, warranties, physical location).
In contrast, those who missed the deception focused on trust cues (customer testimonials). To validate trust cues you must trust the company. To validate assurance cues, you must go to organizations outside the one you are seeking to do business with.
Chasing validation at this level seems like a lot of work. Perhaps that's because for most of us, strategies for identifying bad risks don't include looking outside the business itself. For a bricks and mortar establishment we go to the address. We talk to the employees. We see the customer service/returns desk. We hold the receipt and warranty in our hands.
On the Internet, those -- largely implicit -- cues are missing. Our general strategies for detecting deception in the world may work, but our ability to detect deception on the Internet still needs fine tuning.
We need to find PRACTICAL ways to indicate that a site is the correct site and a trustworthy vendor. Let's look for creative solutions.
Organizations like eBay and PayPal provide immediate access to seller information and buyer feedback. This allows users to quickly distinguish the trustworthy sellers from the rest.
But now we need effective strategies for detecting deception in all online environments.
We can forget subtle discrimination of counterfeit logos and painstaking research. Let's all work to find quick, simple, common sense, and powerful methods that can really work. Otherwise the information spaces will be increasingly perilous, filled with invisible thugs and muggers.
Originally entitled "Phishing and Pharming and Phraud, oh my", first published in September 2005 in the HFI User Interface Design Update Newsletter.
The HFI User Interface Design Update Newsletter discusses the latest research in the field of usability. To learn more about the practical application of recent usability research and how it impacts user-centered design, consider attending HFI's Putting Research into Practice course.
http://www.humanfactors.com/downloads/sep05.asp
By The Pragmatic Ergonomist, Dr. Eric Schaffer, CEO and founder of Human Factors International.
In the last quarter century of human factors development, Dr. Schaffer has become known as the visionary who recognized that usability would be the driving force of the "Third Wave of the Information Age." Dr. Schaffer foresaw that the most profound impact on corporate computing would be a positive online user experience—the ability for a user to get the job done efficiently, easily, and without frustration.
Dr. Schaffer has worked in the professional human factors field since 1977, completing projects for more than 100 Fortune 500 clients, providing extensive high-level systems analysis, design, integration, documentation and implementation consulting.
Dr. Schaffer is a member of the Human Factors and Ergonomics Society and a Certified Professional Ergonomist.
Dr. Eric Schaffer
Reference: Human Factors International