Phishers use webpage spoofing to dupe Internet users into believing that they are visiting trusted websites, and into giving out their passwords (or other credentials) to these sites.
Phishers are only successful if
(a) they manage to trick their intended victims; and
(b) the resulting actions of these victims are beneficial to the fraudsters.
Both conditions are necessary.
Typical security measures aim to mitigate the threat of spoofing by addressing the first condition, i.e., by preventing intended victims from being tricked. This is done by conveying security and risk to users – e.g., using locks and recognizable URLs to represent security, and using warnings and requiring unusual user action to represent risk. This general approach is not very effective, as it relies on users paying close attention to subtle cues and not acting out of habit. The approach we take to mitigate spoofing relies instead on undermining the second condition for success for phishers, namely that the resulting actions of victims are beneficial to the fraudsters. The simple but somewhat ironic beauty of the approach we introduce is that it turns reflexive user behavior from being a danger (as it is today) to being a distinct advantage.
Read more about a novel way of addressing this problem! But first, get ready to challenge traditional thinking.