The Psychology of Phishing

An anonymous reader writes Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today users can tell-apart spam annoyances from useful email, however they still find it difficult identifying phishing emails, particularly when they are tailored to suit each recipient individually. Fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context a legitimate marketing department at a FTSE 100 company typically expects less than a 2% click rate on their advertising campaigns. So, how are the cybercriminals out-marketing the marketing experts?

well

[Osgeld]

The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough

Re:well

[s.petry]

Sometimes yes, but not always true. Sure, "Free Porn" will get a whole lot of clicks, especially from uneducated people (who are usually schooled shortly thereafter by the spammer).

Professional phishing is geared to make it look like something the target company sent out. Working in DOD for about a decade, I saw some exceptional work. They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

How are spammers successful so often? Simple, companies don't train people.

At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated. 3-4 questions were enough to ensure people at least skimmed the content. Before you get anal about productivity, the email was a 2 minute read max, so even if you had to read it twice to answer the few questions it was a whopping 5 minutes out of your Friday.

We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once, and we had professional campaigns run against us several times a year.

Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average"). Since their people lack training, it's not uncommon to see 10% success in a phishing campaign. Compounding the problem, people often won't report the breach until it's too late if they report the incident at all (cultural issue with many companies in SV).

Re:well

[vasanth]

We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once

or 1 out of 5,800 realised that they were being phished and many more never realised it...

Not everyone is train-able

[Taco Cowboy]

How are spammers successful so often? Simple, companies don't train people

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

Not that people are stupid - no, as far as I am concern, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in

It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource

No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost in a daily basis, and the local level network will get breached

If you tried fixing that you did it wrong

[Anonymous Coward]

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

Doesn't help if you start out with not even trying.

You can try and teach people the finer points of literature but if they can't even read or write, they're lacking some basic knowledge to build upon.

This basic knowledge in computing has for ages been refused to people on the grounds that the software was "intuitive" and so would convey the basics by osmosis. Turns out it doesn't.

Even something as basic as the difference between To: and Cc:, I've seen people assume "first goes in To:, rest goes in Cc:, and that's not how it works. But nobody had bothered to explain even that. What's the difference, what do we use it for? Poor sod didn't know.

Instead the software provides an environment where all you can do is click and so that's all that people will do. Without looking where they're clicking because looking before you click has been made extra difficult, and so they've long been discouraged from engaging their brains on the question what they're doing. So if the thing in front of them presents them with a link, they're going to click on it, and you cannot blame them.

Similar with how to write reply emails. Why would you slap a single line atop someone's letter and send the entire thing back? Why then, do it with email? Nobody explained how to do it properly so everybody does it wrong, exactly as the (most popular but most poor excuse for an) email client provides. The results are mostly unreadable wastes of time but nobody knows they can do better with trivial effort and so it doesn't happen.

At the very least, should've given them an email client that doesn't do html and doesn't do links. Requiring people to copy/paste the link would be a simple, basic security measure because it requires engaging a few more braincells and actually looking at the url at least while copy/pasting, increasing the chances that dangerous links get spotted. Also because now the href cannot be hidden as easily.

Don't believe me? We live in the age of the veritable flood of poorly-written messages, to the point that most corporate communication consists of poorly worded laments that the communication is so poor. There's no discerning malicious from the merely inept there. It's all crap and yet you have to slog through it. And so that's what the poor untrained drones do.

This isn't really automation, it has nothing to do with empowering users. It's using technology to make puppets out of untrained meat sacks. You really shouldn't blame the meat sacks here.

Re:

[GTRacer]

Why would you slap a single line atop someone's letter and send the entire thing back?

Because we can and bytes are cheap? Hiya! I promise I'm not trying to start a religious war over top-versus-bottom posting or the like, but I'm genuinely curious:

I save all emails. Always have. I can usually find a thread easily enough, but there are times when multiple people are in a thread and the subject gets manually mangled, so Outlook won't incorporate those in its "conversation" search. So having the whole

Re:

[tsqr]

Even something as basic as the difference between To: and Cc:, I've seen people assume "first goes in To:, rest goes in Cc:, and that's not how it works.

Personally, I like the people who don't understand the difference between Reply and Reply All. When HR sends a company picnic invitation to Everybody, the invitation is immediately followed by a Reply All flood of RSVPs from that crowd. Lately, though, HR seems to have discovered the Bcc: field as a solution to that issue.

Re:

[tlhIngan]

Personally, I like the people who don't understand the difference between Reply and Reply All. When HR sends a company picnic invitation to Everybody, the invitation is immediately followed by a Reply All flood of RSVPs from that crowd. Lately, though, HR seems to have discovered the Bcc: field as a solution to that issue.

Well, given the default to most company emails requires reply-all, it's not a surprise, really. I mean, if you're on a project and you need to send information to others, you probably will

Re:

[s.petry]

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

I agree, but those are not people you want working for you if you are concerned about security.

Not that people are stupid - no, as far as I am concern, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in

I think that you and I have different definitions of intelligence (mine matches the dictionary). If a person does not care, or is lazy in terms of security, that has nothing to do with intelligence. An intelligent person that cares can easily learn. An intelligent person that does not care will perform questionable acts, and not just in terms of phishing campaigns. A lazy person will filter security messages t

Re:

[Tom]

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

Not everyone can train people. Almost nobody can train all kinds of people, because they need to be trained differently.

More importantly, not everyone is acceptable as a trainer. Many, especially smart people, don't like being trained by someone they consider to be their inferior.

Re:

[phantomfive]

We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link.

How did you know that others didn't click on it and then not mention it to anyone?

Re:

[Antique Geekmeister]

> How did you know that others didn't click on it and then not mention it to anyone?

Of course they did. Why would anyone normal report this kind of incident to a security department that is bombarding them with warnings, and will fire you if you can't prove you've read their warnings?

Re:

[GTRacer]

I'm going to give s.petry the benefit of the doubt here and assume their systems are tightly locked down and they have various antivirus / tripwire / ip rules in place. That said:

If someone got phished leading to trojan installation, *BAM* alerts go off in the NOC. If phishing led to credential leakage, eventual usage of the credentials by the outside attackers would set off alarms in the NOC, assuming we aren't dealing with valid external staff. If phishing led to credit card / invoicing info loss, un

Re:

[s.petry]

As I replied above, it's much simpler than that. Proxy logs are used to determine who clicked a bad link.

Re:

[GTRacer]

I may have missed it but I never saw you proffer specific technology in place for detecting phished users ^^

Re:

[q4Fry]

Clearly, you didn't read the security email and will be fired. ;^)

Re:

[s.petry]

Actually it's a post ordering thing. It shows _below_ your post after reloading the page, but when I added comments it was showing above your post.

Re:well

[gstoddart]

How did you know that others didn't click on it and then not mention it to anyone?

The company I work for does periodic in-house phishing/spam tests.

If you fail and click the link, you get sent for extra security training. They know, because they're the ones who own the machines you went to.

I gather a surprising amount of people actually fall for them. I find myself looking at "1 in 5800" and thinking "wow, you have some good training".

When my parents got on the interwebs, in so uncertain terms, I sat them down and had "the talk": The internet is a dark and scary place, and not something you just trust. I explained phishing and spam, as well as how to spot fake telemarketers and scams.

My parents have learned to be wary and a little skeptical when someone initiates contact with them, and know to ask for proof. On many occasions they've spotted stuff, though I still worry they might miss something.

But, I still remain amazed at how many people who work in technology fields still blindly click stuff. I expect senior citizens and the like to be less aware of this stuff, but if you've worked in technology for any period of time, you should know better.

Re:

[gfxguy]

Interesting... I should stop clicking on those links, then. I feel like, since I'm using linux, I likely won't get a virus, so when I get a "you need to change your password" link, I usually just curse them out in it. Email: eat@shit.and.die, password: youfuckingasshole. I know it doesn't solve any problems, but it feels good.

Hey, if enough people did it, they'd have to wade through tons of insults before finding one where the person actually fell for it.

Re:

[s.petry]

Which is fine until your IPs start to get extra attention for fucking with people. Avoiding drug dealers in a big city is not hard once you know what to look for. I'd not recommend that people start driving by and throwing eggs at them, eventually they will get pissed and shoot someone.

Re:

[gfxguy]

That'd be a fair warning if phishers weren't pussy ass scaredy cat losers who wouldn't actually be able to inflict harm in any way except with a keyboard.

Re:

[s.petry]

Going by personal history here, it's easy to mistake a "stupid phisher" for a syndicate. Often they operate the same, and the syndicates do test what they sell to the "stupid phishing" people.

I'm not against what you are doing at all, but pointing out the risk which you overlooked. Definitely not something a novice should attempt.

Re:

[s.petry]

Proxy logs are not magical things, they are actually very effective in determining users that followed a phishing link. Even if the user did not report the breach themselves, the security incident would have been found (though it may have taken an hour or two as opposed to minutes.

Sadly many people think a proxy is a bad thing and believe direct access is better.

Re:

[phantomfive]

Sadly many people think a proxy is a bad thing and believe direct access is better.

Well yeah, because often their either used for censorship, or are cheap and end up slowing the internet down.

Re:

[s.petry]

People misusing or abusing a proxy server (or any other service that can be used to increase security) is a totally separate issue. I laugh at anyone claiming it makes things slower too, because you are obviously not using a proxy properly if your internet slows down. Either that or you think a single cache drive is "enough" and skimped on scaling out the service properly.

Re:

[phantomfive]

you are obviously not using a proxy properly if your internet slows down. Either that or you think a single cache drive is "enough" and skimped on scaling out the service properly.

Yes, well, not every IT person is as competent as you

Re:

[s.petry]

I would surely hope that is not true. Perhaps there is a segment that doesn't care

Re:

[drinkypoo]

How are spammers successful so often? Simple, companies don't train people.

Also, people are stupid. It's not hard not to get phished if you critically evaluate claims and requests as your SOP.

Re:

[gstoddart]

It's not hard not to get phished if you critically evaluate claims and requests as your SOP.

Of course, the problem with this is, anybody who does that more or less gets called a bit of a paranoid loon now and then. :-P

Not everybody understands that a certain level of paranoia is actually required to survive the internet and other scams.

Sometimes people look at you like you're over-reacting, right up until they realize they've given their credit card information to someone who was lying to them.

Re:

[gfxguy]

Yes! My wife is terrible, and when I say "just don't click on anything," she asks "what about the legitimate ads?" So I repeat "just don't click on anything... there's no SPAM that is legitimate." Sadly, she does it anyway. I missed a whole day of world cup group games "fixing" her computer... and it wasn't the first time. I should just cut her off.

Re:

[s.petry]

Or install ad-block and no-script and don't show her how to disable them

Re:

[oobayly]

They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

This is also made harder with the use of CDNs nowadays. A while ago our office started receiving large numbers of "InterFax" notification with a download link. I don't know what a proper InterFax notification looks like, but as you said, they did look professional, and in some cases the URL didn't look too dissimilar to some CDN URLs we've used.

I tend to visit web pages used in phishing attacks for a couple of reasons. First, I like to input useless data. Second, I like to rate what sort of job the scammers

Re:

[gfxguy]

I pretty much do the same thing, but instead of useless data I put insulting data. Sometimes I'm impressed with the effort... sometimes it links to a google form, and that's pretty sad. Some of them are so good, though, if they just put that much effort into honest work, they'd be pretty well off.

Re:

[clickety6]

They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

It doesn't help that legitimate companies that should know better do the same. I recently got a survey from PayPal, but rathet than going through their verified site at www.paypal.com, the links in the email directed only to www.paypal-survey.com. It looked like a classic phishing scam but was apparently a legitimate survey request.

Re:

[gfxguy]

Which I (and a lot of other people) would then not have participated in, so PayPal should learn from it.

Re:well

[FireFury03]

How are spammers successful so often? Simple, companies don't train people.

Or they train them with exactly the opposite of good behaviour.

Case in point: a few years ago my (at the time) bank sent me a marketing email (and yes, I confirmed it was legit). It wasn't from the bank's normal domain name and it contained lots of links to product descriptions that were also on an unusual domain. It said that I could verify it's authenticity because it contained the first half of my post code (i.e. something that's trivial for anyone to find out). I complained to the bank and the regulator - neither of them would do anything. The bank's excuse was that none of the pages linked from the email asked for my bank credentials so it was ok. This kind of thing trains people to expect that their bank will legitimately send them emails with clickable links that don't go to the bank's main website - the distinction between a link that asks for your credentials and one that doesn't is going to be lost on a lot of people.

Similarly, my Paypal account is currently suspended because they sent me an email telling me I needed to "verify my ID" (by sending them a scan of my driving licence)... this email went into the bin along with all the phishing emails asking me to "verify my paypal account", so when I didn't send them any ID they suspended the account.

Now, banks _do_ need to communicate with their customers, and I can't discount email as a viable method for them to communicate, but they really really need to start providing a sensible method for people to authenticate the legitimacy of the email - why the hell don't they MIME sign the messages, for example? At the moment they are sending out emails that are indistinguishable from phishing messages and then blaming the customer when they get phished.

Re:

[gfxguy]

The thing with my bank is that they don't send links in the email, and they often warn people that they won't. If there's something you should look at on your account, like a notification of bill pay or something, they simply say in the email "log into your online account" without providing a link. Most people have their bank bookmarked, so it's not like it's some kind of hardship.

Re:

[FireFury03]

The thing with my bank is that they don't send links in the email, and they often warn people that they won't. If there's something you should look at on your account, like a notification of bill pay or something, they simply say in the email "log into your online account" without providing a link. Most people have their bank bookmarked, so it's not like it's some kind of hardship.

It is some kind of a hardship because you still have to figure out which emails are legit - I'm not going to go log in to my bank every time I get a phishing email. When the vast majority of emails claiming to come from my bank are phishing mails, I'm pretty much guaranteed to miss legitimate ones unless the bank give me a trivial way to know that they're legit - MIME signed emails would allow that, but no banks seem to be interested.

Re:

[gfxguy]

That makes no sense to me, though... how does a phisher succeed when they don't send you a link? Since they can't blindly lead you somewhere else, you wouldn't receive a phishing scam email without links.

Re:well

[T.E.D.]

At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated.

Click link below for weekly training memo about latest phishing threats. Remember failure to reading could result in the termination.

- IT Team

Re:

[gfxguy]

Click link below for weekly training memo about latest phishing threats. Remember failure to reading could result in the termination.

- IT Team

... and don't forget to sign in with your username and password so that you get credit for having read the memo!

Re:

[nabsltd]

How are spammers successful so often? Simple, companies don't train people.

Companies also don't often have the infrastructure set up to help their people do the right thing.

As an example, every company should provide users with unlimited e-mail addresses that end up in their real e-mail inbox but can be filtered using rules. Employees should then be instructed that they should never use their "real" e-mail address for anything that gets put into a database. This means that if they sign up at Cisco's support portal, they don't use "realaddress@example.com", but instead something

Re:

[Tom]

Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average").

Security awareness training in companies is largely nonsense. Your scenario is different not because of your memo, but because your people realize that something more important than shareholder value is at stake. And I dare to say that your weekly reminders are the secret, not any awareness training. Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up. It doesn't matter if people read it at all, what matters is that they consider it long enough to activat

Re:

[s.petry]

Security awareness training in companies is largely nonsense.

Rubbish! If you are starting from scratch you have to lay the foundation. Jumping right into impersonal communications shows that your security team does not care, therefor the amount of people with genuine concern will never increase.

Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up.

That we agree on, but you are choosing to ignore all of the precursor psychology which is just as well documented.

And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.

It's hard to tell if you were attempting to be condescending with that first sentence. I've been working in IT for 3 decades, so have much more experience than

Re:

[Tom]

Rubbish! If you are starting from scratch you have to lay the foundation.

Which foundation? Boring people for half an hour with stuff they couldn't care less about? I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.

therefor the amount of people with genuine concern will never increase.

For all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why

Re:

[s.petry]

I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.

Ahh, so you work at one of those places with horrible culture.

or all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?

Got it, you are a lively participant in the horrible culture and happy to propagate the culture.

If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with.

In 30 years of working IT (right after college which was right after the military) I have seen both good and bad. You are in a bad place with a bad culture, period. It usually takes a whole lot of new-hires and terminations to change a culture (depending on the size of the company).

As stated in a previous post, this is all behavioral psychology. Whe

Re:

[Tom]

Ahh, so you work at one of those places with horrible culture.

I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.

It's not a problem of IT security. Fire security trainings are quite similar, except that they have evolved thanks to decades of experience - in a modern company, those responsible know that the fire drill is primarily to drain the assigned helpers and floor sup

Re:

[s.petry]

I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.

As stated several times alrady, this is a culture problem with a company. Not an issue of security or training.

I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large.

Your opinion vocalized will ensure that it is a waste of time. I gave an example of ensuring it's not. Hell, I'm not a security trainer. I provide data to ours, and work extensively securing systems and networks. When we have training I nudge people to listen instead of making it a "waste of time" or a "coffee break" as you claim the training is.

Most people are not experts, and most people don

Re:

[Tom]

I gave an example of ensuring it's not.

And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.

There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.

That means spending a considerable amount of time and effort on everyone. Scale that up to a 3,000 people company. Now get approval for the budget for this. Not many companies are going to spend this amount of money.

Writing policy is not the same as educating people.

That is true. But you missed the point I was making. Of course you need in-depth technica

Re:

[s.petry]

And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.

This does not match what you state later, which is in essence claims that all 3,000 people in your company need in depth knowledge of your security policy. That is, plainly, nonsense.

Corporate "Security Awareness Training" has to address the needs of _many_, and not everyone needs that level of detail. In fact very few do, and a small percentage could even understand them. Which could explain your repeated claims of bad experiences.

Jane and John, the new accountants, need to know what Phishing is, not wh

Re:well

[dunkindave]

The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough

Except the article is about spear-phishing. In spear-phishing, the emails are tailored to the intended victim, pretending to be from someone the attacker knows or believes the victim trusts, such as an email from their boss or their HR department, and the emails normally include information that the victim assumes isn't public which adds to the email's trust. Such emails may pretend to contain important employee training updates, company newsletters, specific conference information for conferences the target is known to attend, references by project name to projects the victim is working on, etc. This means the spear-phishing email is very different from typical spam which is clearly marketing, or so generic as to be obvious spam. It also means that without confirming the email's legitimacy via out-of-band methods, it may be virtually impossible to verify if it is real or not.

The problem for the defenders is the only real defense against a well crafted spear-phishing email is to instruct people NEVER to open an attachment, to click on a link, to visit a website if so instructed, or even to respond with information that may be requested. But such a world would render most business email useless.

Re:

[techno-vampire]

In spear-phishing, the emails are tailored to the intended victim, pretending to be from someone the attacker knows or believes the victim trusts...

You mean like the urgent notices I get about my accounts at banks I've never done business with or the "invoices" from companies I've never heard of before, let alone done business with?

Re:well

[dunkindave]

No, like if they want to gain access to data in company ACME Co, they do some research about that company, find people who belong to it, often in specific groups they are particularly interested in (the missile division of ACME for example), then seak out information on these people, like what conferences they have attended (attendee lists are often published on the web) or what projects at the company they are working on (a newsletter on the web mentions them in a small article about the Ramrod SuperAgile Counterstrike Missile System), then send them an email tailored just for them: Hi Joe, we found another missile system using flight parameters that may be interesting for use in the Ramrod. Here is the website..., signed your coworker Frank.

The spam from your bank doesn't normally address you by name, or mention details like your account number or which local branch you use and when. In fact, it is the lack of such details that most people use for clues that it is spam, so when those details are there they typically trust it. That is the gist of the article.

Re:

[techno-vampire]

The spam from your bank doesn't normally address you by name...

Actually, much of the spam/phishing email I get claiming to be from my bank has my name in the subject. I'm rather glad it does because I never get any real email from my bank that does this, so seeing my name there is a dead giveaway.

Solutions -- require tokens & connection phase

[Paul Fernhout]

In the past, I used whether an email contained my first name as an indicator (a textual token) of whether the email was legitimate, as a sort of password to gain access to your attention. That stopped being useful several years ago as many spammers must have a name database to go with email addresses now. That also would not work for people whose entire first name was in their email address, as is often a corporate practice. Still, the idea of filtering email on a token can make sense, where the token says

Re:

[nabsltd]

then send them an email tailored just for them: Hi Joe, we found another missile system using flight parameters that may be interesting for use in the Ramrod. Here is the website..., signed your coworker Frank.

Frank doesn't sign his e-mail that way, so something must be up. Or, I don't know Frank personally, why would he send this to me? Or, Frank always sticks his head in my office right after he sends and e-mail and asks "did you see my e-mail?", so this must be fake. If your investigations that allow you to "spear phish" are good enough to solve these sorts of problems, you don't need to phish for stuff, you've paid off the cleaning crew and they can just take the papers.

As for technological solutions (afte

Re:

[N1AK]

You mean like the urgent notices I get about my accounts at banks I've never done business with or the "invoices" from companies I've never heard of before, let alone done business with?

What exactly's your point? Obviously emails about accounts with banks you don't use aren't going to catch many people (although if they're threatening consequences like fines or rewards it'll catch some of the more naive), but when it gets to someone who does use that bank/business the effectiveness increases considerably. W

Re:

[Sique]

Even if I get spam that claims to be from my bank, I can see it being spam because I got similar spam allegedly from other banks I never did business with. The same with the two messages of unclear status, I seem to have with so many sites, that the one that claimed to have sent by a site I actually have an account with was easily spotted.

Re:

[techno-vampire]

My point is that all of those emails I get about accounts I don't have is a counter-example to the claim that spear-phishing is carefully crafted to look real.

Re:

[Anonymous Coward]

You don't grasp the concept of spear-phishing at all, and you've almost certainly never been targeted by it. Generic emails crafted to look like they're from your bank are NOT spear-phishing - they're sent out en masse, along with lots of others crafted to look like different banks, just like any other phishing attempt.

A hypothetical spear-phishing attack from your bank would address you by your real name, with specific reference to the names of accounts and products you actually hold with them (not just "y

You're thinking of phishing, not spear phishing

[raymorris]

You're talking about regular phishing. Phishing is not spear-phishing. Phishing, like fishing, involves casting out a bait and hoping that someone (anyone) takes the bait.

Spear-phishing, like spear-fishing, is DEFINED as identifying a specific target and launching your weapon against that target specifically.

Re:

[kajla00007]

That i well said

Re:well

[Joe Gillian]

I think it's more that the criminals tend to structure their phishing emails around things that look like they need to be clicked - I've seen a lot of phishing emails that purport to be from the reader's bank (I've gotten a few of these, all mimicking banks I don't use) telling them that fraud has been detected on their account or that there's some other urgent issue threatening their money. A lot of people will click these things without even giving it a second thought because to them, it looks like their life savings/credit score are at stake.

Remember

[djupedal]

It's the singer....not the song.

School smarts lose to street smarts.

Fake emails are so convincing....

[tquasar]

No, they're not. I use filters, blocking, caller ID, etc. and kinda know who calls or sends me email, so even if my stuff was wide open it would be delete, delete, delete do not pick up.. Anyone who works from home or is home during the day or at dinner time gets spam calls even when trying to be a "Do Not Call" person. Who makes this stuff up? A generation of clickers? Really Slashdot?

Re:Fake emails are so convincing....

[Cryacin]

Do you have some kind of confusion that prevents you from distinguishing phone calls from e-mails?

He has trouble relating to Phemails

Stopped using LinkedIn

[Animats]

I was getting so much LinkedIn related junk that I stopped using LinkedIn and sent all email from them, or purporting to be from them to trash. If LinkedIn isn't putting in the effort to find their attackers, why should I use them?

Re:

[Bigbutt]

Yea, I closed my account with linked in. Far too much noise and very very little signal.

[John]

Re:

[Tom]

Frankly speaking, the reason I never used LinkedIn at all is that even their legitimate mails are indistinguishable from spam. Including the fact that if you ask them to stop, they won't.

Like everything else..

[Anonymous Coward]

Trying harder counts. The fact that these people only have to think about how make people read and click, and not any legalities also helps considerably.

If your English sucketh, your link prolly doeth 2

[xxxJonBoyxxx]

>> can tell-apart

You can't fool me...I'm not going to click any links on this craptacular "story."

Re:

[StormReaver]

I'm not going to click any links on this craptacular "story."

I did, and it really is a craptacular article. I can sum it up thusly: "Phishers do illegal things, therefore getting more clicks. If legitimate marketers did the same thing, their click rate would skyrocket."

And, "Don't use Windows XP on the Internet." This, by the way, was always good advice. And it still applies to all versions of Windows.

Irony..

[super_scalt]

.. would be if the link in this article was in itself a phishing scam

Trained to be clickers

[dilvish_the_damned]

Trained to click on shit by bad interface design. It might have been a different story if UI designers didn't think every simple little thing demanded the users exclusive attention and acknowledgment right now.

Re:

[bondsbw]

It might have been a different story if UI designers didn't think every simple little thing demanded the users exclusive attention and acknowledgment right now.

In my experience: 's/UI designers/the customer/'

"Sophisticated"? Not from what I see...

[gweihir]

The phishing emails I get (and I get a few...) are targeted at semi-literal morons that have no clue how the world works. But it may be that there are a lot of these people around, judging from other observations.

Phishing?

[PPH]

From TFA:

people clicking on a link in the email that goes to a malicious website that looks harmless but can have total control over their PC in less than five seconds

That's not really phishing. More like a drive-by download. Phishing is where the e-mail or web site attempt to truck the luser into entering an ID/password for the legitimate site being masqueraded.

Phishing attempts to exploit a weakness in the user, downloads exploit the o/s or client software.

too good to be true

[pr100]

Criminals can promise things that legit marketing emails can't.

Because cybercriminals cheat

[curty]

If the marketing experts used the same tactics (disguising their emails as linked-in requests) they could compete with the cybercriminals.

Some things about this article smell. The author is a director of the company whose research the article cites. And what about the claim that "a dating website was hacked and approximately 10% of the passwords were âoelove1234â"

That seems like a lot! (Unless there were only 10 accounts....)

utf-8 copy/paste bug

[curty]

"love1234"
oops

Re:

[ArcadeMan]

I'd be interested to know, with a total from all those password surveys, how many are "luggage12345". A search on Google gives "About 10,600 results", so that's already a possible hint about how popular it could be as a password.

always use pgp

[pereric]

What about making it as wide-spread as possible organization policy to alway *sign* your e-mail with pgp / gpg?
That would at least increase the effort needed (ie, actual access to someones computer) to send "genuine" e-mail from a coworker ...

People should look where they are going

[blackest_k]

The one that seems to catch people out is the link which they click on in a mail in gmail.
that takes them to gmail.google.com.myphishingsite.info/sessionexpired
which presents them with a message like session expired please login to your gmail account and the top line already has their email address all they need do is enter their password.

Most people don't question why would that happen a few seconds after clicking on the link
quite possibly because Google and facebook don't take you straight to a link they log it first by an intermediate page and then redirect you to the destination (i see it all the time on my slow connection).
The page looks authentic and they tend not to look at the address bar and see the bolded address myphishingsite.info.
often its a site like fgjfjhki23d.info a random jumble of characters just like the ones a site like google and facebook use all the time. People are used to seeing this sort of thing
e.g http://it.slashdot.org/comment... [slashdot.org] of this address (taken from the address on this page) only it.slashdot.org make any sense to most people and thier eyes glaze over beyond the initial it.slashdot.org

Thats a problem without any training in website design then its pretty hard to tell the real from the fake.
Thing is once an email account has been harvested it immediately sends out a 100 emails to the address book of that user and the same thing happens again.

Most people think they had thier email hacked not realising they gave away thier password.
kind of hard to stop people for falling for this sort of thing. The emails are even clever enough to redirect to an alternative page once the fake webmail page has been brought up once.

People here would say its because people are stupid, but most people just don't have enough knowledge or interest in this area to know when something is fake or genuine.

It is probably impossible to fix especially when the sites we use everyday use random looking charactor sequences as part of the url.

Security issues of emails ..

[lippydude]

"Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today."

Only on Microsoft Windows, the Operating System that made clicking on a URL or opening an email attachment dangerous. Mainly because Windows doesn't know the difference between OPEN and RUN. If you want to be safe doing your online banking then use a LiveCD [ubuntu.com]

Re:

[sociocapitalist]

"Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today."

Only on Microsoft Windows, the Operating System that made clicking on a URL or opening an email attachment dangerous. Mainly because Windows doesn't know the difference between OPEN and RUN. If you want to be safe doing your online banking then use a LiveCD [ubuntu.com]

A live CD isn't going to help against a redirect attack and subsequent harvest of your login credentials.

The only real protection for this type of attack is if your banks, credit card companies, etc. and you use one time passwords (i.e. one or more tokens of some sort)

Re:

[GuB-42]

Mainly because Windows doesn't know the difference between OPEN and RUN.

And what is the difference between "open" and "run" ?

If you are at a system level, of course windows makes a difference between open (as in "give me a handle to a resource") or run (execute code).

If you are at a GUI level, and it's probably what you are thinking about, it's not about windows or linux or whatever, it's about the program you are using to do the "open". When you are clicking on an URL or an email attachment, the browser or mail program decides what to do with it.
On windows, many apps use the "

How are they outmarketing the experts?

[mark_reh]

That's easy. They don't care about laws that are intended to protect people from "legitimate" marketers. When you don't worry about the law you can literally do and say whatever you want.

New news:
Bank robbers withdraw more money from banks than they have in their accounts!

I know!

[sabbede]

Advertisers and marketeers are trying to sell something real (that might not be interesting enough to click), and aren't allowed to lie. Phishers are already breaking the law, so no worries about false advertising or dull products.

Re:Advertisers and marketee aren't allowed to lie.

[DocSavage64109]

Advertisers and marketeers are trying to sell something real (that might not be interesting enough to click), and aren't allowed to lie. Phishers are already breaking the law, so no worries about false advertising or dull products.

I'm not so sure about the advertisers not being allowed to lie thing. I worked as a minion at an ad agency for a brief time and pictures comparing the results of various products and such were from completely unrelated stock photos. I'm not sure I'd trust the text (copy) that much either, though it's a lot easier to catch them in it.

Re:

[Stan92057]

Sure you can lie but if you get caught the penalties will be high. Its called false advertising and there are laws against it.

Re:

[sabbede]

Oh, I'm not saying that marketers aren't bad people whose job it is to deceive and mislead consumers, but there are rules and agencies that enforce those rules. Spammers and scammers don't have to worry about their company being punished so there is nothing holding them back.

Princess Bride

[ArcadeMan]

Life is pain, Highness. Anyone who says differently is selling something.

"tell-apart"

[Arancaytar]

What?

Some phishing campaigns are quite elaborate

[ruir]

I have received a couple of years ago a dozen emails with messages of account terminations-or-you-have-to-click here to review from "Apple" that looked like the real deal, and only at looking to the headers you would notice they were coming from someplace else, and where using strange URLs. If you were looking at the emails, they looked like the real deal.

There could be a solution in the browser

[iMadeGhostzilla]

And it would be simple: the browser would know that it's reading email (from URL -- gmail, yahoo, custom) and *would not open any links* the user may click on unless the link URL is on the click-to-open whitelist (initially empty). It would still let you copy the link to the clipboard (possibly with a warning) that you could paste yourself in a new tab (possibly with another warning), but this speed bump of having to take the destination URL in your hands, so to speak, would -- I'm assuming -- be good enoug

tell-apart

[oldmac31310]

just what the f*** is that?