The Internet has become a very important medium of communication. Internet access is no longer limited to technical people only. All ages are now connected online, and they use Internet for conducting a wide range of business. Because of the growth of the Internet and so many users connected, collecting personal information through a phishing website is also easy for a fraudster. They use websites that look similar to those of legitimate organizations and exploit the end-user’s lack of knowledge of web browser clues and security indicators. This research study was conducted to empirically investigate the factors that influence Internet user’s ability to correctly identify phishing websites. Quantitative data was collected by simulating a phishing attack where participants were required to complete a task by signing into one of their e-mail accounts online. The impact of age, gender, education, awareness of phishing and previous encounter with phishing had on their ability to correctly identify the phishing website was measured. We found that many Internet users do not understand phishing attacks or realize how sophisticated such attacks can be. However, we found users who were victims of phishing in past did well to identify the phishing website.

The word phishing has been derived from ‘fishing’. The idea of phishing is similar to that of fishing, where a bait is thrown to an unsuspected user, in order to lure him to visit a fictitious website, where the site captures the personal and confidential data of the user (James, 2006). In most cases, the bait is either an e-mail or an instant messaging site, which will take the user to hostile phishing websites, mostly to an exact replica of a financial institution’s website (Knight, 2005). The fake website will have similar look and feel of the original one and will be asking for the sensitive information like user name, password, credit card details, etc. When the victim (user) enters the information, the data is sent to the fraudster who thereby uses the same for his personal gain. Phishing has become the most common channel for thieves to acquire personal information to aid them in identity theft (Brody et al., 2007; and Anderson et al., 2008).

Studies show a steady increase in phishing activities as well as the related cost. APWG in their annual report published in October 2010 reported 48,244 phishing attacks in that last 12 months (APWG, 2010). PhishTank, the online website which collects data on websites engaged in phishing, received 8,468 valid submissions of phishing websites only in the month of October 2010 (PhishTank, 2010). According to Gartner (2010), more than 5 million US consumers lost money due to phishing attacks between October 2007 and September 2008, about 40% increase since last year. Table 1 gives a year-wise summary of phishing incidents handled by the Indian Computer Emergency Response Team (Cert-In) in India (CERT, 2011).

Information Technology Journal, Phishing, Anti-phishing, Cyber crime, Internet security, User awareness.