Tuesday, March 30, 2010
In our recent post on the Google Online Security Blog, we described our system for identifying phishing pages. Of the millions of webpages that our scanners analyze for phishing, we successfully identify 9 out of 10 phishing pages. Our classification system only incorrectly flags a non-phishing site as a phishing site about 1 in 10,000 times, which is significantly better than similar systems. In our experience, these "false positive" sites are usually built to distribute spam or may be involved with other suspicious activity. If you find that your site has been added to our phishing page list ("Reported Web Forgery!") by mistake, please report the error to us. On the other hand, if your site has been added to our malware list ("This site may harm your computer"), you should follow the instructions on fixing issues with malware. Our team tries to address all complaints within one day, and we usually respond within a few hours.
Unfortunately, sometimes when we try to follow up on your reports, we find that we are just as confused as our automated system. If you run a website, here are some simple guidelines that will allow us to quickly fix any mistakes and help keep your site off our phishing page list in the first place.
Don't ask for usernames and passwords that do not belong to your site.
We consider this behavior phishing by definition, so don't do it! If you want to provide an add-on service to another site, consider using a public API or OAuth instead.