Online Safety Survey Spots Big Disconnect

Consumers say that they know how to stay safe on the Internet, but they don't practice what they preach, a survey released Wednesday concluded.

Conducted for the National Cyber Security Alliance (NCSA), a group that counts AOL, Microsoft, Symantec, and several government agencies as members, the poll showed that while nearly 9 in 10 American consumers were confident they could spot phishing e-mails, more than 6 in 10 couldn't separate legitimate messages from fraudulent, fake mail.

"They think they know what they're doing, and think they can spot online scams," said Ron Teixeira, the NCSA's executive director, "but the reality is that they really don't know.

"There's still a big disconnect between perception and reality."

The survey asked consumers to point out legit and bogus e-mails and Web sites, but in most cases, they failed miserably. When asked to finger fake sites from a line-up, 3 out of 10 rated them as extremely or very safe; likewise, only a third thought a real page was safe."That's what really surprised me," said Teixeira. "How few people could determine phishing versus legitimate mail, how quick they were to say everything was a phishing e-mail.

"Their sense of confidence in their ability to identify scams is misplaced," he said.

That even extends to safe computing practices. Consumers have a good idea of what can keep them safe while on the Internet, said the survey: Over 8 in 10 say that not opening e-mail from unknown senders, using security software, keeping passwords private, and updating software can prevent online fraud.

But they don't follow through there either, noted Teixeira, who pointed out the results of a 2005 poll that NCSA did in conjunction with America Online, which found 81 percent of home PCs lacking at least one of three critical defenses: updated anti-virus software, anti-spyware protection, or a firewall.

At least Wednesday's survey had some bright spots."More people are willing to use [additional] technology to be more secure," said Teixeira.

As more Americans conduct financial transactions on the Internet -- 8 in 10 of those who connect to the Web said they did -- they're realizing they need more security. Better still, they're ready and willing to try alternatives to the basic username-password combination that secures most sites.

"Consumers are holding sites responsible for combating online fraud," Teixeira said, "but they also realize that it's up to them to protect themselves. There can't be a cop on every corner of the Internet."

Nearly 7 in 10, said the NCSA poll, are willing to try additional layers of log-in security, such as answering personal questions about themselves to confirm their identity.

"They're not necessarily looking for additional devices for more security, but they're willing to go through additional security mechanisms," said Teixeira. Bank of America, which co-sponsored the poll, has deployed an additional log-in technology, dubbed "SiteKey," that relies on an image, a brief phrase, and other identifiers previously agreed upon by both the bank and the customer to authenticate online banking users.

"It's not just financial institutions that are pushing additional security," said Teixeira. "We're seeing a transition in the industry. Internet service providers are offering users free security software, for example."

But even those steps won't stymie every fraud. The fight between cyber crooks and consumers -- and their agents, such as banks and online retail sites -- will continue indefinitely, Teixeira concluded.

"There's nothing we can do to prevent phishing. Some people are just going to walk down those dark alleys. All we can do is try to get people to understand safe practices so they stay ahead of the next threat."