Anti-spam firm MailFrontier Inc. showed 1,000 consumers examples of so-called "phishing" e-mail as well as legitimate e-mail from companies such as eBay and PayPal. About 28 percent of the time, the consumers incorrectly identified the phishing messages as legitimate.
What's more, the legitimate e-mails were often dismissed as potential fraud. An e-mail message from the Federal Trade Commission was dismissed as a fraud by 50 percent of the consumers.
"We knew we'd fool a few people, but we're pretty surprised by 28 percent," said Anne Bonaparte, CEO of MailFrontier. "A number of (the phishing e-mails used in the study) have been around for a while."
'We are losing on both ends'
One reason the look-alike e-mails continue to fool consumers: the people behind them are getting much better at their craft.
"We've definitely seen quite an improvement in grammar, for example," Bonaparte said. "Early versions wouldn't have fooled too many people. Now, they fool a number of us. We did the test here at work and some people had embarrassing results."
One very well-distributed PayPal look-alike e-mail, which claimed credit card information needed to be updated, fooled 31 percent of users surveyed, she said.
"That one was written widely about. You would not have thought that would have fooled people," she said.
Meanwhile, a simple note from PayPal indicating that a payment had been made, which asked for no personal information, was described as a fraud by 20 percent of those studied.
"We are losing on both ends right now," said Dave Jevans, chairman of the Anti-Phishing Working Group, a consortium of companies fighting the problem. He said he wasn't particularly surprised by the results of the study.
"I've seen professionals who work in the industry fall for these. As we can see from this report, it's hard to tell bad mail from good mail. ... It's undermining the ability of people to communicate."