EVANSVILLE Ind.
The e-mail appeared to be a routine correspondence between
two friends. “Check this out!” it read, then listed a Web address.
But the note was fake, part of an online ruse called
phishing that has become a scammer’s favorite way to get sensitive information
from unsuspecting computer users.
The catch? The scammers were Indiana University researchers,
the e-mail an experiment.
“I didn’t know I was being used,” said Kevin
McGrath, 25, a doctoral student at Indiana University whose e-mail address was
one of hundreds used as “passive participants” for an experiment to
study who gets duped by phishing.
As universities nationwide study ways to protect online
security, methods at Indiana are raising ethical and logistical questions for
researchers elsewhere: Does one have to steal to understand stealing? Should
study participants know they are being attacked as part of a study? Can
controlled phishing ever mimic real life?
Indiana researchers say the best way to understand online
security is to act like the bad guys.
