Slashdot Mirror


Phish Scams Fooling 28% of Users

Etaipo writes "Anti-spam firm MailFrontier Inc has done some testing with consumers to see if they could differentiate between legitimate e-mails and phish scams. The results, to me, were pretty shocking. The company also has provided a similar test on its web site. Get an answer wrong, and we revoke your geek license on the spot."

21 of 618 comments

  1. 80% right, 100% ugly colour scheme. by grub · · Score: 3, Insightful


    I answered 2 incorrectly as Fraud to get an 80% score so I lose 2 geek points but gain them back for erring on the side of caution. Actually I never bother with HTML mail and just skip it. That hasn't bit my butt yet.

    Its colour schemes are giving me a seizure...

    --
    Trolling is a art,
    1. Re:80% right, 100% ugly colour scheme. by zurab · · Score: 3, Insightful

      I only got the first one wrong - MS Hotmail e-mail was actually legitimate and I marked it as fraud. But I don't have Hotmail, and I don't plan on ever having it - so for me it would be illegitimate.

      Besides, you are right about HTML mail. If I subscribe to e-mail notifications from websites, I always choose plain text e-mails. If I do get HTML mail, I look at its headers first (without opening content and certainly not loading any images) - most of it is spam/fraud/whatever. So, maybe there should have been a way to display headers in the test.

    2. Re:80% right, 100% ugly colour scheme. by silverfuck · · Score: 5, Insightful

      I answered one incorrectly as fraud (the MSN one), and the rest perfect. But I was surprised I actually scored so highly as the test removed all the methods I use to spot fakes:

      1) I couldn't see where the links were pointing as they had been removed.
      2) I couldn't see the email headers.
      3) I had no idea if any personal information (at the most basic level, name) was correct or not. Though I would err slightly on the side of counting any email that has personal details in it as legit, it is obviously fraud if it carries somebody else's name.
      4) Am I supposed to be actually subscribed to any of these services or not? If I get something from Citibank like that in my inbox, I'm going to mark it as fraud as I have absolutely nothing to do with them. (This is my excuse for the Hotmail/MSN one!)

      It's very possible most people don't check the first two at all, in which case I have slightly more sympathy with them seeing how confusing it can be now.

      Maybe an added layer of security could be to go to the site in question and log in from there manually to check everything?

      --
      You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
  2. This test is bogus by stecoop · · Score: 3, Insightful

    This test is like a Kobayashi Maru test on Star Trek. You have to alter the conditions to win. You can't see the details in the hyperlinks nor the referrer information in the header.

    1. Re:This test is bogus by PhxBlue · · Score: 4, Insightful

      No, you just have to recognize the proper set of conditions. If an E-mail already contains correct and verifiable information about your account, or if it does not ask for any account information in the first place, it's probably legit. Otherwise, it's probably a fraud. My non-geek wife and I both took the test and scored 10 / 10.

      --
      !#@%*)anks for hanging up the phone, dear.
    2. Re:This test is bogus by Kazoo+the+Clown · · Score: 4, Insightful

      No, you just have to recognize the proper set of conditions. If an E-mail already contains correct and verifiable information about your account, or if it does not ask for any account information in the first place, it's probably legit. Otherwise, it's probably a fraud. My non-geek wife and I both took the test and scored 10 / 10.

      Congratulations. However, by ALLOWING YOUR FINANCIAL INSTITUTION to send you correct and verifiable information over email, and since email is sent unencrypted they have in effect, published your information to the web at large. I would consider this a CONTRIBUTION TO FRAUD, and therefore equivalent to fraud, in my book. If I were to get that kind of information from a bona-fide financial institution I'm associated with, I will immediately contact them and treat it like an actual fraud-- change my account, etc.

      This site is bogus because it is giving you a false sense of security...

  3. Catching them on the subtleties by gbulmash · · Score: 5, Insightful

    I scored 90%, incorrectly IDing one legit e-mail as a fraud, meaning I missed one because of being overly cautious.

    Some of these fraud mails looked really legit and were mainly given away by the fact that their URLs went to something like fraudprevent-visa.com instead of fraudprevent.visa.com. fraudprevent-visa.com is a domain name that may or may not be affiliated with Visa, while fraudprevent.visa.com is a subdomain of Visa.com, meaning it's not 100% safe, but much more likely to be legit.

    But asking people to know this difference is asking a bit much of them. What might be interesting would be a "Phisher Identifier" built into mail clients that could identify bogus or unauthorized URLs based on a very carefully maintained database of legitimate URLs.

    Seems that a plug-in could be written for Outlook, Eudora, etc.

    - Greg

  4. I call BS on that "test" by mabu · · Score: 4, Insightful

    Let me be among the first to call "Bullshit" on this supposed test.

    Any nerd worth his salt knows to first check the headers of the e-mail and look up the IP to see where the mail really came from, and/or view the source of the HTML and identify obfuscated URL redirects. Then again, any IT guy who is using HTML-enabled e-mail should have his geek license revoked in the first place.

  5. It's scary how many people fall for this stuff. by bennomatic · · Score: 4, Insightful

    I had a client recently who called me complaining that she was getting hundreds of e-mails bounced to her that she didn't send out. I asked her if she had recently opened any email attachments, and sure enough, she said, "Only the one that Microsoft sent me that was a required security upgrade. Come to think of it, that's about when this problem started."

    When it's that easy, you can't even call it social engineering. It's just social nudging, and people are ready to fall for it.

    --
    The CB App. What's your 20?
  6. Re:script kiddies in the media! by real_smiff · · Score: 4, Insightful
    "I am genuinely disgusting.."

    disgusted. you are disgusted. i make this mistake all the time :/

    agree about the leet speak.

    i came very very close the other day to falling for a fake eBay "your account has been hacked, verify your account details" type scam. it was brilliant, no typos, perfect grammar, good layout, and most of all: i was tired when i got it. felt like a right plonker for even believing it for a second. now i have a lot more sympathy for people who fall for these things. thank god i did check the url.

    --

    This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.

  7. Re:This is an excellent quiz. by ameoba · · Score: 5, Insightful

    The problem with the test is that they obscure the links. To me, the big test of a scam v. a real email is where the links point to rather than the content and the test uses javascript to obscure where they're going.

    --
    my sig's at the bottom of the page.
  8. This is why... by devphil · · Score: 5, Insightful

    ...I won't use an email client that renders HTML. Or at least, won't let me turn that off.

    When I get these mails, 95% of the time I delete them unread; no legitimate business should ever need me to "confirm my information". Every so often I look at one, and since I only see the raw HTML, it's easy to see that the images and whatnot are all being pulled from the real company site, except for the "login" link which goes to some mysterious dotted quad address.

    (Side note to companies: stop letting outsiders pull images off your server; only let your own pages refer to them. It's an Apache FAQ, fer cryin' out loud.)

    Every so often a friend will send me HTML mail, but I can cope. :-)

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
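The two link checks described in this thread, gbulmash's "fraudprevent-visa.com is not a subdomain of visa.com" test and devphil's "login link goes to a dotted quad" test, as an added example that is not part of the original discussion. The sample HTML is constructed for the demo, and the brand domain `visa.com` is only an illustrative input.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: Visa-branded mail whose "login" links go elsewhere.
SAMPLE_HTML = """
<img src="https://www.visa.com/images/logo.gif">
<a href="https://fraudprevent.visa.com/help">Fraud prevention FAQ</a>
<a href="https://fraudprevent-visa.com/login">Verify your card</a>
<a href="http://192.0.2.10/visa/login">Log in now</a>
"""

class LinkExtractor(HTMLParser):
    """Collect href attributes from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def is_subdomain_of(host, brand_domain):
    """True only for brand_domain itself or a label-separated subdomain of it.
    A hyphenated lookalike such as fraudprevent-visa.com fails this test."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)

def is_ip_literal(host):
    """True when the URL host is a raw IPv4/IPv6 address (a 'dotted quad')."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html, brand_domain):
    """Return (url, reason) for every link that does not belong to the brand."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for url in parser.hrefs:
        host = urlparse(url).hostname or ""
        if is_ip_literal(host):
            findings.append((url, "raw IP address instead of a hostname"))
        elif not is_subdomain_of(host, brand_domain):
            findings.append((url, f"host {host!r} is not under {brand_domain}"))
    return findings

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_HTML, "visa.com"):
        print(f"{url}: {reason}")
```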
    1. Re:This is why... by OneSeven · · Score: 4, Insightful

      But... the workaround is so easy that it's barely worth even trying to protect the images. It's called 'Print Screen'.

    2. Re:This is why... by OneSeven · · Score: 3, Insightful

      oh...... wait.
      I'm stupid. Nevermind.

    3. Re:This is why... by Tony-A · · Score: 4, Insightful

      "confirm my information".

      There is a meaning to this word confirm.
      If they list the information they wish to confirm, it might be legitimate.
      If they list no information that is to be confirmed, it's a scam.
      There is a problem if several pieces of information are listed with one of them wrong.

      "your account has been hacked, verify your account details"
      Which account has been hacked?

      You know the account has been hacked.
      You know the account is mine.
      You will not tell me which account, how you know it is hacked, and how you know it is mine.
      It's not the misspellings, bad grammar, etc. There's something missing that any legitimate message of that sort would have. Essentially it's insider information pertinent to why this comes from you to me.

  9. Re:I got a 3 by jandrese · · Score: 4, Insightful

    The biggest tipoff is when it starts off with "Dear Paypal user" or something like that. Most companies go to the trouble of putting your actual name in there, so if whoever is sending you the email doesn't even know your name...well, you figure it out. This tactic even worked in the example quiz! It's a great first pass (the second pass is of course to mouseover any URLs (or check the source) and see exactly where they're sending you).

    The only example that really made me think was the MSN account expiring message. At first I thought that had to be a fake because what's the point of sending you an email telling you that you need to log into your email to save your account? Then I realized it was actually an ad for a related pay MSN service and immediately knew that it was real.

    --

    I read the internet for the articles.
  10. Re: 100% Bad 'test' by @madeus · · Score: 3, Insightful

    The test was completely meaningless as you couldn't do all the correct things you SHOULD do to check the authenticity of an email.

    It encourages people to base decisions on *hunches*, which is utterly retarded. You could take a genuine email and alter the URL and you'd never know you'd been duped if you went by the examples in this test - you'd just think it looked real, click on the URL, log in and end up being scammed.

    This 'test' is utterly worthless as a result. You *can't* tell just by looking at the surface content of an HTML rendered email. If you can't look at the email headers or the URLs you have no way of knowing all of them aren't spoofed.

  11. Re:I got a 3 by Chibi · · Score: 3, Insightful
    The biggest tipoff is when it starts off with "Dear Paypal user" or something like that. Most companies go to the trouble of putting your actual name in there, so if whoever is sending you the email doesn't even know your name...well, you figure it out. This tactic even worked in the example quiz! It's a great first pass (the second pass is of course to mouseover any URLs (or check the source) and see exactly where they're sending you).


    I've recently been getting some spam that has my name and some address info in the subject line. It's obviously spam, and someone trying to rip me off. I've also been getting a lot more 419 spam, and that usually has my name (although they always refer to me by my last name *sigh*). But I just wanted to point out that we all probably have a lot of info about us out there ready to be used against us. As you say, it's a good "first pass" test, but nothing more than that.

    --
    If all you have are silver bullets, everything looks like a werewolf.
  12. Re: 100% Bad 'test' by meta-monkey · · Score: 4, Insightful

    On the other hand, consider that in this test, subjects were actively thinking about whether or not these emails were fraud. They had advance warning that they might be exposed to fraud. That doesn't happen in the real world...the general assumption when you get an email from a service to which you subscribe is, "Oh, this service I use is trying to contact me about something important."

    It's kind of like April Fools' Day. Play a prank on somebody on April Fools' Day, when they're expecting it, and they might not fall for it, because they're on the lookout. On any other day, the same prank might succeed easily, because the victim is caught off guard.

    --
    We don't have a state-run media; we have a media-run state.
  13. Re: 100% Bad 'test' by SloWave · · Score: 3, Insightful

    I counted them all as fraud because of the Javascript mouseovers for links.

  14. I've seen "phishing" used on the evening news... by Xhad · · Score: 3, Insightful

    ...more than once. Enough people have computers now that slang related to email in particular (i.e. spam) affects enough people to make its way into the media.

    This isn't new.