Slashdot Mirror


Phish Scams Fooling 28% of Users

Etaipo writes "Anti-spam firm MailFrontier Inc has done some testing with consumers to see if they could differentiate between legitimate e-mails and phish scams. The results, to me, were pretty shocking. The company also has provided a similar test on its web site. Get an answer wrong, and we revoke your geek license on the spot."

18 of 618 comments

  1. This is an excellent quiz. by eaglebtc · · Score: 4, Interesting

    I passed with flying colors! This is an excellent quiz to send to your friends who are less internet-savvy. I found a common thread throughout all of them: "if you don't verify your account information, it will be suspended."

    --
    Homestarrunner.net -- It's Dot Com!
  2. Not my users by Seth+Finklestein · · Score: 0, Interesting

    At my place of business, I run a strictly whitelist-only policy of Internet use permissal. If a user goes to a web site that is not on my comprehensive whitelist, he instead sees a small form with which he may explain the business-related uses of the web page in question.

    Needless to say, this policy is entirely foolproof as a means of deterring so-called "phishing" in my workplace. I haven't heard any complaints, so I can only assume that the users enjoy my protecting of their identities.

    Sincerely,
    Seth Finklestein
    Proud Systems Administrator

    --
    I'm not Seth Finkelstein. I still speak the truth.
  3. Now plot this data vs. time by Politicus · · Score: 3, Interesting

    Is it really so surprising that as spam matures it gets better at impersonating real email? It would be useful to repeat such a test periodically to see it trend over time. Likewise, it would be interesting to see the nature of valid business email content change over time to adjust. Perhaps we can have an internet age Darwin elaborate on the mechanics.

    --
    Politicus
  4. Re:I got a 3 by The0retical · · Score: 5, Interesting

    I got them all right; what most people forget is that reputable companies will never send you a link to update your account info. They will give instructions but never the latter. That is the dead giveaway that it is fake.

  5. Talk to Verizon by RealityMogul · · Score: 5, Interesting

    I got Verizon DSL service back in February. A month later, I got an e-mail that basically stated there was a problem applying the DSL charges to my phone bill. In the e-mail, which was sent to "Verizon Customer", they suggested I reply to the e-mail with my account name and credit card information.

    I thought it was a scam, but left it in my inbox. Two weeks later my service was shut off. Apparently the message was legit.

    After I got the problem straightened out, I sent them a very nasty, yet informative, e-mail and they agreed that they will review their e-mail policies and apologized for sending such a message to begin with.

    1. Re:Talk to Verizon by RobertB-DC · · Score: 3, Interesting

      After I got the problem straightened out, I sent them a very nasty, yet informative, e-mail and they agreed that they will review their e-mail policies and apologized for sending such a message to begin with.

      They're not the only company to have this problem. I signed up for email from Palm, but never clicked on the links because they were always in the form of "palm.somemarketingcompany.com/offer/etc".

      I finally went to the Palm site's Contact Us link and sent a note. To my surprise, they replied quickly and said the same thing -- they're re-evaluating their email procedures.

      Happy ending: about a month later, the URLs all pointed to a clearly Palm-owned domain, and I'm considering replacing my over-the-hill Palm III with a refurbished low-end Zire (underpowered, but cheaper than eBay).

      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  6. Re:script kiddies in the media! by PitaBred · · Score: 4, Interesting

    The problem is that "phishing" is describing this action specifically, rather than going out to the lake with a pole and a bunch of worms. It's been accepted into the lexicon, same as "phreaking".
    Phishing also has the connotation of hoodwinking users, getting passwords, whatever, not just credit card info.

  7. My girlfriend got an email last month... by BandwidthHog · · Score: 2, Interesting

    ...telling her she had won a trip for two to the ESPN Espy Awards show in Hollywood on July 14th. She sent me an IM about it, and I (rather condescendingly) informed her that she was almost certainly being spammed. Well, after going to espn.com and finding that the person listed in the email was really in their PR department, and contacting her through their 800 number, guess what?

    That was the coolest hotel I've ever stayed in. The show sucked, but the view from the room almost made up for it.

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
    1. Re:My girlfriend got an email last month... by argent · · Score: 2, Interesting

      I got an email "from Microsoft" in 2000 that I thought was spam or a con job. I almost bounced it to abuse because there's no way Microsoft wanted to give me a free Pocket PC... I'm obviously not a Microsoft fan.

      Free trip to Redmond, tour of the new Experience Music Project, *three* Pocket PCs and a bunch of other swag... and they actually listened to what a bunch of Palm fans with a general bias against Microsoft thought and significantly improved Pocket PC 2002 as a result.

      (am I using a Pocket PC now? No, in fact I'm using an older Clie and have no idea where I'm going to go when it eventually fails... all the new models have that damned "Graffiti 2")

  8. Email #6 is Fraud??? by ferrellcat · · Score: 1, Interesting

    I responded that #6 was legitimate, so only got a 90%. It looks legit to me. The visible link as well as the rollover link point to the earthlink.net domain. How is this one fraud???

  9. Re:Catching them on the subtleties by JaredOfEuropa · · Score: 2, Interesting

    One easy metric would be to check if a URL claims to point at one domain, but actually links to another. Like this bogus link to www.youcantrustus.org

    Heh, the other day I got an email from EA concerning my Ultima Online account, asking me to provide some account details. The URL in the mail pointed to some weird domain I had never heard of, not ea.com or uo.com. Turned out, the email was completely legit... the URL was for some subcontractor or affiliate of UO. Boy did they regret that, they must have gotten thousands of questions about that.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  10. Re:I call BS on that "test" by crucini · · Score: 2, Interesting
    Speaking of which - are there any 'demoronizer' type utilities that can reasonably create ascii version of html email?

    lynx -dump filename.html
  11. REGISTER.COM did by Anonymous Coward · · Score: 1, Interesting

    Register.com sent email to all registrants telling them to log in and update their information, because of new ICANN regulations. It was sent by a 3rd-party mailing company, but I called register.com's phone support, and they said that it was in fact real. Of course, when I went to check my info, I typed it in rather than using the link from the email.

    They need a bonehead-of-the-year award for that little stunt.

  12. Re:Sadly, most of those fooled are lower class by ZackSchil · · Score: 3, Interesting

    I was going to use AC to reply but I have to say I agree with the parent. I don't agree with all of his language (cowering below letterheads and such), but I do agree that a good deal of people suffering from this are already poor. I say this because the rich are neither seriously hurt monetarily nor are treated like dirt by credit card companies (those who ultimately decide who pays for the fraudulent purchases). You try getting Visa to erase that $3000 purchase off your card when you're already struggling just to pay off the interest on your debt to them. Trust me, it's hard.

  13. Broken in Mozilla by Jagasian · · Score: 2, Interesting

    I am using Mozilla 1.6 on Linux, and none of the links work, nor do they show anything in the status bar. I think the test is broken for Mozilla. Since when did Slashdot become a hangout for Windows users that pretend to be Linux zealots?

  14. Perhaps a Mozilla plug in would help here? by hedgehog2097 · · Score: 2, Interesting

    Here's an idea:

    Mozilla plug in that traps HTML anchors, and if they don't match what they are linking to, shows a popup -

    "Are you sure you want to click this link? Because it really points to here..."

    It could even attach a danger level to the popup. e.g. a mouseover status bar change to another URL would be questionable, as would dodgy characters in the URL to cause problems (there was one with a % in it floating around a while ago). Maybe even a database of fraudulent websites? It would have to remember the false positives to prevent annoyance.

    Just an idea. Somebody might have already done it. I wouldn't know where to start to write it, but if this was a software patent - it wouldn't matter.. snigger
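The check proposed in the comment above (flag an anchor whose visible text names one host while its href goes to another, or whose URL carries a `%` in the host part), sketched as an added example that is not part of the original thread or of any Mozilla code. The sample HTML and every host in it are constructed, the function names are hypothetical, and anchors are pulled out with a regular expression where a real extension would walk the DOM.

```javascript
// Constructed sample mail body; every host below is made up for illustration.
const SAMPLE_HTML = `
<p><a href="http://198.51.100.7/update">www.bank.example/login</a></p>
<p><a href="https://news.bank.example/offers">bank.example</a></p>
<p><a href="http://www.bank.example%2Fsecure.evil.example/">Verify your account</a></p>
<p><a href="https://shop.example/sale">Click here</a></p>`;

// Return the lowercase host a piece of link text names, or null if it is not URL-like.
function claimedHost(s) {
  const t = s.trim();
  if (!/^(https?:\/\/)?[^\s\/]+\.[a-z]{2,}([\/:?#]\S*)?$/i.test(t)) return null;
  try {
    return new URL(/^https?:\/\//i.test(t) ? t : "http://" + t).hostname.toLowerCase();
  } catch { return null; }
}

// Simplification (assumption): two hosts are the same site if they are equal or one
// is a subdomain of the other, ignoring a leading "www.". No public-suffix handling.
function sameSite(a, b) {
  a = a.replace(/^www\./, "");
  b = b.replace(/^www\./, "");
  return a === b || a.endsWith("." + b) || b.endsWith("." + a);
}

// Verdict for one anchor: "encoded-host", "mismatch" or "ok".
function checkAnchor(href, text) {
  // A '%' before the first '/', '?' or '#' means an escaped character in the host part.
  if (/^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*%/i.test(href)) return "encoded-host";
  const shown = claimedHost(text);
  if (shown === null) return "ok"; // the text makes no claim about a destination
  let real;
  try { real = new URL(href).hostname.toLowerCase(); } catch { return "mismatch"; }
  return sameSite(shown, real) ? "ok" : "mismatch";
}

// Extract every <a href="...">text</a> pair and attach a verdict to it.
function scanAnchors(html) {
  const re = /<a\s[^>]*href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  const out = [];
  for (const m of html.matchAll(re)) {
    const text = m[2].replace(/<[^>]*>/g, ""); // drop nested markup inside the anchor
    out.push({ href: m[1], text, verdict: checkAnchor(m[1], text) });
  }
  return out;
}

console.log(scanAnchors(SAMPLE_HTML).map((r) => `${r.verdict}: ${r.text}`));
```

Legitimate mail routed through a third-party mailer, like the Palm and EA messages described elsewhere in this thread, trips the mismatch check whenever the link text names the brand's own host, which is why the comment's remembered false positives matter.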

  15. This test does not reflect a real life situation.. by Fuzzums · · Score: 2, Interesting

    Why? The links are not working.

    All the fraud-mails I get refer to illegitimate websites or servers in China or Russia.

    Another way to check the validity of the mail is to check the mail headers and see if they are correct.

    But still I scored 70%

    The funny thing is I would have scored 100% if this was for real. Why? I don't do PayPal, Visa, Earthlink and so on :)

    And GENERAL MOBUTU is not my African friend, so I'm not falling for his sweet talk either...

    --
    Privacy is terrorism.
  16. Bogus test by Anonymous Coward · · Score: 1, Interesting

    Funny... All of the links pointed to "http://survey.mailfrontier.com/". How am I supposed to determine if a message is legit, if I can't check the target?

    In short: this test is BOGUS. :(