The following is excerpted with permission from a BankInfoSecurity.com interview with Dr. Markus Jakobsson, a professor at Indiana University who is conducting research on phishing. The interview was originally conducted by Linda McGleeson.
Dr. Jakobsson is an Associate Director of the Center of Applied Cybersecurity Research and the founder of RavenWhite, Inc., an RSA Security spinoff. He is a Research Fellow of the Anti-Phishing Working Group (APWG). His latest book, "Phishing and Countermeasures," was released last year. Professor Jakobsson researches fraud, social engineering and phishing, and the prevention of these attacks. He has laid the foundations for the discipline of how to perform experiments to assess risk arising from socio-technical vulnerabilities in the context of current and potential future user interfaces. He consults for the financial industry and heads the efforts at www.stop-phishing.com.
CUJ: In your most recent research, The Human Factor and Phishing, you showed the importance of understanding the psychological aspects of phishing. For the banks and credit unions who want to educate and protect their customers, what are some of the most important points they need to know about your findings?
Jakobsson: I would say that they could hire the most brilliant techies, who know everything about cryptography and network security, to secure their website and make it hacker-proof, they could pay companies like Cyota for quick takedown, and they could hire people like the guys at the Internet Law Group to go after the phishers and bring them to court. These, of course, are good things to do. But still the client might fall prey to phishing in large numbers. Why? Well, first of all, having a safe, safe site doesn't mean that your clients will not be fooled into giving out the information at sites impersonating your site. Your client didn't come to your site to learn about security - they came to pay their bills and that's their primary thing. Security is a secondary concern to them. And they may not even pay attention to the warning (or) the absence of indicators that they are not at the correct site. So a hacker can deceive them to go to another site. Well, now your basic self-protection doesn't do much good. And, most people reacting to phishing attacks actually...