F-Secure : News from the Lab

Topic: Miscellaneous 6:37 pm EDT, Apr 12, 2006

"Why Phishing Works" is a recent study (PDF) that examines phishing website techniques. The most visually deceptive website spoof in the study was able to fool 90% of the study's participants. That 90% figure includes the most technically advanced users among the participants. It was the look, not the spoofing of security features, that did the job - something that our resident phishing expert found quite interesting.

Crossing disciplines and summing up this article published last summer in the journal Neuron - If you don't see something often, you won't often see it. Perhaps you could also say - If you don't see fakes often, you won't often see fakes. Therefore, many phishers, while designing visually deceptive phishing sites, count less on technical subterfuge than on the failings of the human brain's power of perception. If it looks like what the brain is expecting, then the brain often won't see that it isn't.

I like their proposal: let the user design a custom login interface. If you personalized it enough, then a spoofer would have much less chance. It would be much more complicated, and leave far more footprints.

Imagine if you log into your credit card online site by supplying a username. The next page has a picture of you, and that's when you enter your password. The only way to spoof this effectively would be some form of man-in-the-middle attack. But now the spoofer has much less control of when and where they apply their fraud (as opposed to passively collecting data through a third-party site... the third-party site is now "hot" and potentially monitored).
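
The two-step login described above, sketched server-side as an added example (not code from the post or from the study). The in-memory store, the shared image pool users pick from, PBKDF2 hashing and the decoy image returned for unknown usernames are all assumptions of this sketch; the decoy keeps step 1 from revealing which accounts exist.

```python
import hashlib
import hmac
import os

# Assumptions (not from the post): in-memory store, shared image pool,
# PBKDF2 password hashing, and a server secret used to pick decoy images.
SERVER_SECRET = os.urandom(32)
IMAGE_POOL = [f"img-{i:03d}.png" for i in range(256)]
PBKDF2_ROUNDS = 200_000
USERS = {}  # username -> {"image": str, "salt": bytes, "pw_hash": bytes}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username: str, password: str, image: str) -> None:
    """Enrol a user together with the personal image they picked."""
    salt = os.urandom(16)
    USERS[username] = {"image": image, "salt": salt,
                       "pw_hash": _hash_password(password, salt)}


def decoy_image(username: str) -> str:
    """Stable fake image for an unknown username: the same name always maps
    to the same image, so repeated probes look like a real account."""
    digest = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()
    return IMAGE_POOL[digest[0] % len(IMAGE_POOL)]


def step1_image_for(username: str) -> str:
    """Step 1: only a username is supplied; the server answers with an image."""
    user = USERS.get(username)
    return user["image"] if user else decoy_image(username)


def step2_check_password(username: str, password: str) -> bool:
    """Step 2: the user has seen their image and now submits the password."""
    user = USERS.get(username)
    if user is None:
        # Spend the same hashing cost for unknown users to limit timing leaks.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(user["pw_hash"],
                               _hash_password(password, user["salt"]))


# Constructed sample account for illustration.
register("alice", "correct horse", IMAGE_POOL[42])
```

Every call to `step1_image_for` is also a natural logging point: a relay site fetching images on behalf of many usernames shows up as one source making many step 1 lookups.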
