Phish Scams Fooling 28% of Users 618
Etaipo writes "Anti-spam firm MailFrontier Inc has done some testing with consumers to see if they could differentiate between legitimate e-mails and phish scams. The results, to me, were pretty shocking.
The company also has provided a similar test on its web site. Get an answer wrong, and we revoke your geek license on the spot."
80% right, 100% ugly colour scheme. (Score:3, Insightful)
I answered 2 incorrectly as Fraud to get an 80% score so I lose 2 geek points but gain them back for erring on the side of caution. Actually I never bother with HTML mail and just skip it. That hasn't bit my butt yet.
IT's colour schemes are giving me a seizure...
This test is bogus (Score:3, Insightful)
Catching them on the subtleties (Score:5, Insightful)
Some of these fraud mails looked really legit and were mainly given away by the fact that their URLs went to something like fraudprevent-visa.com instead of fraudprevent.visa.com. fraudprevent-visa.com is a domain name that may or may not be affiliated with Visa, while fraudprevent.visa.com is a subdomain of Visa.com, meaning it's not 100% safe, but much more likely to be legit.
But asking people to know this difference is asking a bit much of them. What might be interesting would be a "Phisher Identifier" built into mail clients that could identify bogus or unauthorized URLs based on a very carefully maintained database of legitimate URLs.
Seems that a plug-in could be written for Outlook, Eudora, etc.
- Greg
I call BS on that "test" (Score:4, Insightful)
Any nerd worth his salt knows to first check the headers of the e-mail and Lookup the IP [dnsstuff.com] to see where the mail really came from, and/or view the source of the HTML and identify obfusicated URL redirects. Then again, any IT guy who is using HTML-enabled e-mail should have his geek license revoked in the first place.
It's scary how many people fall for this stuff. (Score:5, Insightful)
When it's that easy, you can't even call it social engineering. It's just social nudging, and people are ready to fall for it.
Tax on the stupid? (Score:1, Insightful)
Re:Sadly, most of those fooled are lower class (Score:2, Insightful)
Some of these scams look pretty real (Score:1, Insightful)
1. They are intimidated the moment they sit at the computer.
2. The same people who might be skeptical as ever when dealing with a live human do not have a clue that the "internet" can be an evil place at times.
3. Some of these sights look exactly like the page they are emulating including all the other links on the page going to the real site. These people just do not know to look for "www.ebay.com" instead of 200.50.66.71 in the address bar. That is (sadly) still meaningless to a lot of people.
Education and experience on the web is likely to reduce these issues over time, but for now, it's just a way-too-easy niche opportunity for thieves and scammers to prey upon the naive.
Companies do not help. (Score:3, Insightful)
What caused me to think it was fraudulant? Well, the URLs in the email was going for something like sony.<somecompany>.com. The URL did not finish with "sony.com". The only way to figure out if an email is phoney or not is to check the URLs (assuming your browser does not have the famous URL bug which shows you a legite URL but once clicked, sends you to another site while still showing the legite URL in the URL bar), but when companies use 3rd parties to email their users and provide services, they cause these confusions.
Re:script kiddies in the media! (Score:5, Insightful)
disgusted. you are disgusted. i make this mistake all the time :/
agree about the leet speak.
i came very very close the other day to falling for a fake eBay "your account has been hacked, verify your account details" type scam. it was brilliant, no typos, perfect grammar, good layout, and most of all: i was tired when i got it. felt like a right plonker for even believing it for a second. now i have a lot more sympathy for people who fall for these things. thank god i did check the url.
Re:I call BS on that "test" (Score:2, Insightful)
Maybe you don't live in the real world, but in my company we deal with clients that send HTML emails when plaintext would do, we send HTML (or even Flash) newsletters for clients, and we have a 1-5 geek ratio. So checking headers, looking up the IP originator, or viewing the source isn't an option for the four of us that aren't geeks.
Since I'm one of the geeks, I do my best to educate and inform my colleagues. But I can't do that for everyone - my wife's grandparents will probably fall for every phishing scam. Hell, they forward every cute email, virus warning, (and usually virus) they get.
Re:This test is bogus (Score:5, Insightful)
No, you just have to recognize the proper set of conditions. If an E-mail already contains correct and verifiable information about your account, or if it does not ask for any account information in the first place, it's probably legit. Otherwise, it's probably a fraud. My non-geek wife and I both took the test and scored 10 / 10.
Re:This is an excellent quiz. (Score:5, Insightful)
Re:I call BS on that "test" (Score:2, Insightful)
Can the four non-geeks in your company manage to hover the mouse cursor over a link to see where it really goes to?
(Also, do they use a browser/MUA that tells correct information in its address/status bar?)
Re:Catching them on the subtleties (Score:2, Insightful)
Re:This test is bogus (Score:5, Insightful)
No, you just have to recognize the proper set of conditions. If an E-mail already contains correct and verifiable information about your account, or if it does not ask for any account information in the first place, it's probably legit. Otherwise, it's probably a fraud. My non-geek wife and I both took the test and scored 10 / 10.
Congratulations. However, by ALLOWING YOUR FINANCIAL INSTITUTION to send you correct and verifiable information over email, and since email is sent unencrypted they have in effect, published your information to the web at large. I would consider this a CONTRIBUTION TO FRAUD, and therefore equivalent to fraud, in my book. If I were to get that kind of information from a bona-fide financial institution I'm associated with, I will immediately contact them and treat it like an actual fraud-- change my account, etc.
This site is bogus because it is giving you a false sense of security...
9 out of 10 right, but that doesn't mean... (Score:3, Insightful)
If I get any message that smells remotely like phish (i.e. any email that tells me to do something with my account), I go to my browser, and visit the site by manually entering the name of the website. If it then turns out to be a bogus email, I send a copy to the admins of the site, so they can track the insensitive clods down, and do whatever it is they do with them.
The IQ test would be a lot easier with access to full mail headers, too...
Re:script kiddies in the media! (Score:1, Insightful)
Re:hard? (Score:1, Insightful)
Com'on puhlease !!!
Do you really really expect just about anyone to do do this ? It simply kills the whole purpose of the web ! It's like the typical MS security apporach to the IE activeX scripting problem : "disable everything".
Jeez... is that's your view on safety, i bet you never come out of the house. Come to think of it , when was the last time you had a breath ?
Re:I looked at the URLs of the links (Score:2, Insightful)
Re:I got a 3 (Score:1, Insightful)
Re:Catching them on the subtleties (Score:2, Insightful)
Re:This test is bogus (Score:2, Insightful)
This is why... (Score:5, Insightful)
...I won't use an email client that renders HTML. Or at least, won't let me turn that off.
When I get these mails, 95% of the time I delete them unread; no legitimate business should ever need me to "confirm my information". Every so often I look at one, and since I only see the raw HTML, it's easy to see that the images and whatnot are all being pulled from the real company site, except for the "login" link which goes to some mysterious dotted quad address.
(Side note to companies: stop letting outsiders pull images off your server; only let your own pages refer to them. It's an Apache FAQ, fer cryin' out loud.)
Every so often a friend will send me HTML mail, but I can cope. :-)
Re:This is an excellent quiz. (Score:2, Insightful)
I dont live in the US. I haven't heard of most of the companies in the poll at all, and those I've heard of (paypal, msn etc) have never crossed my mind to use. If i would have received any of those mails, of course it would have been fraud.
What I'm trying to say is, if my bank, with secure connection and proper URL, send me an email telling me to do something, i'd probably look into it. If the bank is called "usbank.com", I wouldn't click on it.
Basically, how on EARTH am I going to be able to determine whether they are frauds or not, if I'm marked incorrect when stating "usbank.com" isnt fraud?
If you disregard any messages you dont recognize, and are cautious with the rest, you are fine.
Re:Unfair test (Score:3, Insightful)
Let the user login as usual, and he/she will be safer.
That logic gave me a 10/10 result on the test.
Re:80% right, 100% ugly colour scheme. (Score:4, Insightful)
Besides, you are right about HTML mail. If I subscribe to e-mail notifications from websites, I always choose plain text e-mails. If I do get HTML mail, I look at its headers first (without opening content and certainly not loading any images) - most of it is spam/fraud/whatever. So, maybe there should have been a way to display headers in the test.
Re:80% right, 100% ugly colour scheme. (Score:5, Insightful)
I answered one incorrectly as fraud (the MSN one), and the rest perfect. But I was surprised I actually scored so highly as the test removed all the methods I use to spot fakes:
1) I couldn't see where the links were pointing as they had been removed.
2) I couldn't see the email headers.
3) I had no idea if any personal information (at the most basic level, name) was correct or not. Though I would err slightly on the side of counting any email that has personal details in it as legit, it is obviously fraud if it carries somebody else's name.
4) Am I supposed to be actually subsribed to any of these services or not? If I get something from citibank like that in my inbox, I'm going to mark it as fraud as I have absolutely nothing to do with them. (This is my excuse for the hotmail/MSN one!)
It's very possible most people don't check the first two at all, in which case I have slightly more sympathy with them seeing how confusing it can be now.
Maybe an added layer of security could be to go to the site in question and log in from there manually to check everything?
Re:Unfair test (Score:2, Insightful)
I agree, it was made much harder with the actual URLs removed. I think the point of the test though was see how people faired based on the look (logos, etc) and obvious content. There are the things that your *average* user looks at to determine legitimacy (not reverse lookups, urls, etc).
I got caught marking a PayPal one as fraudulent (the one where some one had made a payment), which the article says happens 20% of the time. My misread was based on the long and ugly URL with a cgi call in the middle. In real life, if I had been expecting a payment, I would most certainly have been less skeptical.
So yeah, the test isn't perfect, but it's interesting to see (from all the previous posts) just how bad tech savvy users do when they are faced with the same knowledge base as a regular user.
Re:Catching them on the subtleties (Score:2, Insightful)
Sadly, this led me astray with the MSN "legitimate" email. One more reason not to use M$ for anything!
Re:I got a 3 (Score:5, Insightful)
The only example that really made me think was the MSN account expiring message. At first I thought that had to be a fake because what's the point of sending you an email telling you that you need to log into your email to save your account? Then I realized it was actually an ad for a related pay MSN service and immediatly knew that it was real.
Re:This is an excellent quiz. (Score:3, Insightful)
I usually am suspicions but I check where the link takes me. This test wouldnt let me check this, so I assumed that the links pointed to where they said to (www.paypal.com/whatever/ points to www.paypal.com/whatever/)
I think that makes the test inaccurate. if I click a link, it should show me the real target (even if they do a fake replica (something like 201.123.123.34/www.usbank.com/account/blah/)
Re: 100% Bad 'test' (Score:4, Insightful)
It encorages people to base decisions based on *hunches*, which is utterly retarded. You could take a genunine email and alter the URL and you'd never know you'd been duped if you went by the examples in this test - you'd just think it looked real, click on the URL, login and end up being scammed.
This 'test' is utterly worthless as a result. You *can't* tell just by looking at the surface content of an HTML rendered email. If you can't look at the email headers or the URLs you have no way of knowing all of them arn't spoofed.
Re:80% right, 100% ugly colour scheme. (Score:2, Insightful)
Re:I got a 3 (Score:4, Insightful)
I've recently been getting some spam that has my name and some address info in the subject line. It's obviously spam, and someone trying to rip me off. I've also been getting a lot more 419 spam, and that usually has my name (although they always refer to me by my last name *sigh*). But I just wanted to point out that we all probably have a lot of info about us out there ready to be used against us. As you say, it's a good "first pass" test, but nothing more than that.
Re: 100% Bad 'test' (Score:5, Insightful)
It's kind of like April Fool's Day. Play a prank on somebody on April Fool's Day, when they're expecting it, and they might not fall for it, because they're on the lookout. On any other day, the same prank might succeed easily, because the victim is caught off gaurd.
Re:script kiddies in the media! (Score:1, Insightful)
I call BS too, but for 2 different reasons (Score:3, Insightful)
1) Does it make sense that I would get this? If I don't use US Bank, for instance, it's obvious it's fraud. But for the sake of the test, I think they assume you're involved with those companies, and that's okay.
2) More importantly, they don't let you check where the links are going to. If I rollover "www.paypal.com" and in the little bar in my browser it says "www.paypal.com," I know it's alright. But if it says "ccnums.steal-this-suckers-identity.com"...
Re: 100% Bad 'test' (Score:3, Insightful)
The reason is that there's one way you can tell: ALL the frauds had text saying "click this link" The two legitimate ones other than #9 told you to sign in, but didn't provide a link. (although they did provide other hyperlinks -- just not to the login page)
#9 fooled me because it had a link to click.
Some bad examples (Score:3, Insightful)
In fact, I've seen a version very similar to the credit card expiration link that warns about typing in the URL but then goes ahead and provides a clickable link anyway. When you look at the code, the link actually goes to a completely different URL than what is displayed, using the old trickery of "http://paypal.com@12356789/cgi-bin/trickedyou.cg
For those not familiar with the trick, "paypal.com" in the above url is the login name the web browser is instructed to provide to the web server while 12356789 is the decimal representation of the web server IP address.
Only the shipping notice fails to smell fraudulent. Even that could be rigged if you wanted to, by having the tracking link require you to "open a free UPS tracking account."
Of course, if they'd provided the entire emails instead of just the html representation, any techie could have sorted it out. But not the mere mortals.
Re:This is why... (Score:4, Insightful)
Re:This is why... (Score:3, Insightful)
I'm stupid. Nevermind.
Re: 100% Bad 'test' (Score:4, Insightful)
Re:80% right, 100% ugly colour scheme. (Score:2, Insightful)
In this case, I had to use non-techie logic, which is what we need to teach the non-geeks how to use.
What a stupid test (Score:3, Insightful)
The morons who run the test changed them all to point to their own site; so every one of them is clearly fake.
Relying on any other content in the email is just stupid; the phishers will just improve their spelling and wording until it starts fooling enough people again.
Re:80% right, 100% ugly colour scheme. (Score:1, Insightful)
Re:This is why... (Score:5, Insightful)
There is a meaning to this word confirm.
If they list the information they wish to confirm, it might be legitimate.
If they list no information that is to be confirmed, it's a scam.
There is a problem if several pieces of information with one of them wrong.
"your account has been hacked, verify your account details"
Which account has been hacked?
You know the account has been hacked.
You know the account is mine.
You will not tell me which account, how you know it is hacked, and how you know it is mine.
It's not the misspellings, bad grammar, etc. There's something missing that any legitimate message of that sort would have. Essentially it's insider information pertinent to why this comes from you to me.
I've seen "phishing" used on the evening news... (Score:4, Insightful)
This isn't new.