Lorrie Faith Cranor, a computer security researcher at Carnegie Mellon University, has been studying phishing attacks and new ways to spot them. In Scientific American she has published some of her insight into the human factors that make people vulnerable to online scams, and into how that insight can improve both security training and anti-phishing technology.
"Because phishing exploits human vulnerabilities, studying the factors that make people fall for phishing scams can improve antiphishing training and technology. The combined efforts of law enforcement, computer security experts and computer users are needed to reduce the success of phishing," says Cranor.
The research found that users keep falling for phishing attacks even after being taught about phishing. Training becomes effective only when it is tied to the moment of failure: the user first falls for a phishing message and is then shown, right away, how to recognize and avoid future attacks.
On the technology side, anti-phishing tools that rely only on blacklists are less effective than those that also use heuristics. A blacklist blocks a site only after someone has reported it and it has been added to the list, so blacklist-only tools catch fewer than 20% of phishing sites while those sites are new, and new phishing sites are being set up all the time. Heuristics that examine features of the URL and page can flag a site the first time it is seen.
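To make the blacklist-versus-heuristics gap concrete, here is an added example, not code from Cranor's research or from any shipping anti-phishing product. It classifies URLs two ways: a pure blacklist lookup, and a small set of URL heuristics (raw IP host, userinfo trick, many subdomain labels, a known brand name sitting outside the brand's own registered domain). The blacklist, brand list, sample URLs, heuristic weights and threshold are all constructed for the example; real tools tune weights against labeled data and use the Public Suffix List to find the registered domain.

```python
"""Blacklist lookup versus URL heuristics for phishing detection.

Added illustration; not code from Cranor's research or from any real tool.
Blacklist, brand list, weights, threshold and sample URLs are constructed.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlparse

# Constructed blacklist: hosts already reported and added to the list.
BLACKLIST = {
    "login-examplebank-verify.example",
    "secure-update.example",
}

# Constructed brand list: impersonated brand -> its legitimate registered domain.
BRANDS = {
    "examplebank": "examplebank.example",
    "examplemail": "examplemail.example",
}

HEURISTIC_THRESHOLD = 4  # assumption; tune against labeled data in practice


def registered_domain(host: str) -> str:
    """Last two labels of the host. Real tools use the Public Suffix List;
    the fixed two-label rule is a simplifying assumption here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def blacklist_hit(url: str) -> bool:
    """Pure list lookup: only catches sites someone has already reported."""
    host = urlparse(url).hostname or ""
    return host in BLACKLIST or registered_domain(host) in BLACKLIST


def heuristic_score(url: str) -> tuple[int, list[str]]:
    """Score URL features common in phishing pages; consults no list."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    score, reasons = 0, []

    if is_ip(host):
        score += 3; reasons.append("host is a raw IP address")
    if "@" in parsed.netloc:
        score += 3; reasons.append("'@' in authority (userinfo hides real host)")
    if not is_ip(host) and host.count(".") >= 3:
        score += 1; reasons.append("many subdomain labels")
    if "-" in host:
        score += 1; reasons.append("hyphen in hostname")
    if len(url) > 75:
        score += 1; reasons.append("unusually long URL")
    if parsed.scheme != "https":
        score += 1; reasons.append("not HTTPS")
    # Brand name in the host or path while the registered domain is not the
    # brand's own: the classic look-alike phishing pattern.
    rd = registered_domain(host)
    for brand, legit in BRANDS.items():
        if (brand in host or brand in parsed.path.lower()) and rd != legit:
            score += 3; reasons.append(f"brand '{brand}' outside {legit}")
    return score, reasons


def classify(url: str, use_heuristics: bool = True) -> tuple[str, list[str]]:
    """Verdict 'phish' or 'ok' plus the reasons, with or without heuristics."""
    if blacklist_hit(url):
        return "phish", ["on blacklist"]
    if use_heuristics:
        score, reasons = heuristic_score(url)
        return ("phish" if score >= HEURISTIC_THRESHOLD else "ok"), reasons
    return "ok", []


# Constructed sample: one legitimate site, one already-listed phish, and two
# brand-new phishing URLs that no blacklist has seen yet.
SAMPLE_URLS = [
    "https://examplebank.example/login",
    "http://login-examplebank-verify.example/",
    "http://examplebank.example.account-check.example/login",
    "http://203.0.113.7/examplebank/secure",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        bl_only, _ = classify(url, use_heuristics=False)
        verdict, why = classify(url)
        print(f"{url}\n  blacklist-only: {bl_only:5}  with heuristics: {verdict:5}  {why}")
```

Run stand-alone, the two unlisted URLs come back `ok` from the blacklist-only path and `phish` once heuristics are on, which is the gap the 20% figure describes. Heuristics trade that coverage for false positives (the hyphen and subdomain rules fire on plenty of legitimate hosts), which is why the weights and threshold above are labeled as assumptions to be tuned rather than fixed values.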