Dangerous game
Those running the study said website designers needed to re-think ways of flagging dangers to users.
The study looked at bogus websites created by phishing gangs and what made users believe that these sites were legitimate. Industry statistics suggest that, on average, 5% of those that get phishing e-mails visit an associated website and are conned into handing over data.
Although low, this figure is far more than the phishing gangs need to turn a healthy profit.
The study, carried out by postgraduate student Rachna Dhamija of the Harvard Center for Research on Computation and Society, Professor Doug Tygar of the computer science department at Berkeley and Professor Marti Hearst, also at Berkeley, suggests that relatively sophisticated scams take in many times more people.
The study presented real online banking and fake phishing sites to subjects to see if they could tell the two types apart.
On average, 40% of users failed to spot the phishing sites. The most sophisticated site caught out 90% of the 22 people participating.
The study revealed that people were caught out because they were generally ignorant about what did, and did not, indicate that a site was legitimate.
For instance, few of those participating looked at the domain name displayed in the browser's address bar, such as bbc.co.uk, to check which site they were actually on.
Users generally did not look at the address bar, the status bar or other security indicators that could have flagged that they had unwittingly strayed on to a phishing site.
The problem, said the researchers, was that "the indicators of trust presented by the browser are trivial to spoof".
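The address-bar point is easy to underestimate: the string "bbc.co.uk" can appear in a link while the browser connects somewhere else entirely. The following is an added illustration, not code or data from the study or the article, using Node's built-in WHATWG URL parser to show where the trusted-looking text actually lands in a handful of constructed lookalike addresses (evil.example is a reserved example domain; the classification labels are this example's own).

```javascript
// Added example: why "bbc.co.uk" appearing in an address does not mean the
// browser is talking to bbc.co.uk. Sample addresses are constructed for
// illustration; evil.example is a reserved example domain.

// Host the browser would actually connect to, or null if the string is not an
// absolute URL. WHATWG hostname is always the ASCII (punycode) form.
function actualHost(urlString) {
  try {
    return new URL(urlString).hostname;
  } catch {
    return null;
  }
}

// True only when host is the registrable domain itself or a subdomain of it.
// A naive host.endsWith("bbc.co.uk") would wrongly accept "evilbbc.co.uk";
// requiring the dot boundary avoids that.
function isUnderDomain(host, domain) {
  if (!host) return false;
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Explain, for an address that visibly contains the expected brand domain,
// which part of the URL the brand text really ended up in.
function classify(urlString, expectedDomain) {
  const host = actualHost(urlString);
  if (host === null) return "unparseable";
  if (isUnderDomain(host, expectedDomain)) return "genuine";
  const u = new URL(urlString);
  // "https://bbc.co.uk@evil.example/" puts the brand in the userinfo part.
  if (u.username.includes(expectedDomain)) return "spoof: brand in userinfo";
  if (host.includes(expectedDomain)) {
    // "evilbbc.co.uk" is a different registrable name that merely ends in the brand.
    if (host.endsWith(expectedDomain)) return "spoof: brand embedded in another registrable name";
    // "www.bbc.co.uk.evil.example" uses the brand as subdomain labels of the attacker's domain.
    return "spoof: brand as subdomain labels of another domain";
  }
  if (u.pathname.includes(expectedDomain)) return "spoof: brand in path";
  // Non-ASCII lookalikes (e.g. a Cyrillic letter in the name) are encoded to xn-- labels.
  if (host.startsWith("xn--") || host.includes(".xn--")) return "spoof: internationalised (punycode) host";
  return "spoof: other host";
}

// Constructed sample addresses of the kind a study participant would have to tell apart.
const SAMPLES = [
  "https://www.bbc.co.uk/news",                // genuine
  "https://bbc.co.uk@evil.example/login",      // brand in userinfo
  "https://www.bbc.co.uk.evil.example/login",  // brand as subdomain labels
  "https://evilbbc.co.uk/login",               // brand embedded in another name
  "http://evil.example/bbc.co.uk/login",       // brand in path
  "https://bb\u0441.co.uk/login",              // Cyrillic 's' in place of Latin 'c'
];

function report(expectedDomain = "bbc.co.uk") {
  return SAMPLES.map((s) => [s, classify(s, expectedDomain)]);
}

for (const [address, verdict] of report()) {
  console.log(verdict.padEnd(50), address);
}
```

The useful lesson is that only the parsed hostname is authoritative; the rest of the address is free text an attacker chooses, which is exactly why a user scanning for familiar words in the address bar is not protected by it.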
Many participants also ignored more direct warnings contained in pop-up windows that a site may not be legitimate.
The researchers also said phishing gangs were being successful because many of the scams being mounted were very sophisticated and could catch out even seasoned users.
The academics said the results would help educate users about the relevant dangers and help those who build websites understand which attacks succeed and why.
The researchers said: "These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed."
The trio of researchers said the traditional security approach looks at what can be made secure rather than working out what humans do well and exploiting that to make sites safer. The team is now working on ways to make fake sites far more obvious to the users most likely to be caught out.
The researchers presented their results at the 2006 E-Crime Congress held in London.