Why Phishing Works

[bargainbloodhound]

A research paper by 3 Harvard/UC Berkeley professors: Why Phishing Works

The opening section on user interfaces was interesting.

What makes a web site credible? This question has been
addressed extensively by researchers in computer-human
interaction. This paper examines a twist on this question:
what makes a bogus website credible? In the last two
years, Internet users have seen the rapid expansion of a
scourge on the Internet: phishing, the practice of directing
users to fraudulent web sites. This question raises
fascinating questions for user interface designers, because
both phishers and anti-phishers do battle in user interface
space. Successful phishers must not only present a highcredibility
web presence to their victims; they must create
a presence that is so impressive that it causes the victim to
fail to recognize security measures installed in web
browsers.

the entire reasearch paper: http://people.deas.harvard.edu/~rachna/p..._works.pdf

According to the study, 5% of people who receive phishing emails fall for them.  I'm being lazy now and not searching TulipTools to verify my next statement, but I think that 5% figure isn't much different than the percentage of email recipients who respond to legitimate marketing emails.  The study also found that anti-phishing indicators in browser toolbars (like the eBay toolbar) are ineffective because 23% of people don't bother to look at the browser status indicators.