Slashdot Mirror


Phish Scams Fooling 28% of Users

Etaipo writes "Anti-spam firm MailFrontier Inc has done some testing with consumers to see if they could differentiate between legitimate e-mails and phish scams. The results, to me, were pretty shocking. The company also has provided a similar test on its web site. Get an answer wrong, and we revoke your geek license on the spot."

36 of 618 comments

  1. script kiddies in the media! by garcia · · Score: 5, Funny

    Personally I never cared for Phish. They attracted a lot of the same fanbase as the Dead but I just couldn't bring myself to like them. I tried, I really, really did. It's sorta sad that now that they are breaking up for good that they are scamming 28% of the population. I would have never guessed that a cool jam-band would have to resort to this sort of scheming in order to get money!

    I guess after all those tours and all those basically unsuccessful albums they are in need of people's credit cards in order to support their own solo touring and promotion.

    All kidding aside, I am genuinely disgusting that the authors of these articles did not call this sort of scam by a legitimate title such as "fishing" or "credit card scamming" or "you are a fucking moron for falling for the give me your Credit Card Number in an email" like it has been in the past. I wasn't aware that "scr1p+ K1dd13 sp34k" had crossed into "real journalism". I can see it now... Parents banning their children from listening to Phish because FoxNews told them that they could have their credit cards stolen.

    -1 Troll for the authors of these articles.

    1. Re:script kiddies in the media! by real_smiff · · Score: 4, Insightful
      "I am genuinely disgusting.."

      Disgusted. You are disgusted. I make this mistake all the time :/

      Agree about the leet speak.

      I came very, very close the other day to falling for a fake eBay "your account has been hacked, verify your account details" type scam. It was brilliant: no typos, perfect grammar, good layout, and most of all, I was tired when I got it. Felt like a right plonker for even believing it for a second. Now I have a lot more sympathy for people who fall for these things. Thank god I did check the URL.

      --

      This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.

    2. Re:script kiddies in the media! by PitaBred · · Score: 4, Interesting

      The problem is that "phishing" is describing this action specifically, rather than going out to the lake with a pole and a bunch of worms. It's been accepted into the lexicon, same as "phreaking".
      Phishing also has the connotation of hoodwinking users, getting passwords, whatever, not just credit card info.

    3. Re:script kiddies in the media! by Pharmboy · · Score: 4, Funny

      Personally, I think replacing F with PH is pretty lame, in all things...

      --
      Tequila: It's not just for breakfast anymore!
    4. Re:script kiddies in the media! by Anonymous Coward · · Score: 4, Funny

      Why don't you go phuck yourself, then?

  2. I got a 3 by Sowbug · · Score: 5, Funny

    Why did I have to provide a credit card number before the test showed me my score?

    1. Re:I got a 3 by The0retical · · Score: 5, Interesting

      I got them all right, what most people forget is that reputable companies will never send you a link to update your account info. They will give instructions but never the latter. That is the dead give away that it is fake.

    2. Re:I got a 3 by wo1verin3 · · Score: 4, Informative

      If you didn't find that funny, then you definitely won't find this funny.

    3. Re:I got a 3 by jandrese · · Score: 4, Insightful

      The biggest tipoff is when it starts off with "Dear Paypal user" or something like that. Most companies go to the trouble of putting your actual name in there, so if whoever is sending you the email doesn't even know your name... well, you figure it out. This tactic even worked in the example quiz! It's a great first pass (the second pass is of course to mouseover any URLs (or check the source) and see exactly where they're sending you).

      The only example that really made me think was the MSN account expiring message. At first I thought that had to be a fake because what's the point of sending you an email telling you that you need to log into your email to save your account? Then I realized it was actually an ad for a related pay MSN service and immediately knew that it was real.

      --

      I read the internet for the articles.
    4. Re:I got a 3 by Lord_Dweomer · · Score: 4, Funny
      "Sowbug, I recommend you cancel your CC immediately by calling your provider's phone hotline."

      Or, alternatively, you can email me your name as it appears on the credit card, your card number, and expiration date and I will remove your card information from their system.

      --
      Buy Steampunk Clothing Online!
  3. This is an excellent quiz. by eaglebtc · · Score: 4, Interesting

    I passed with flying colors! This is an excellent quiz to send to your friends who are less internet-savvy. I found a common thread throughout all of them: "if you don't verify your account information, it will be suspended."

    --
    Homestarrunner.net -- It's Dot Com!
    1. Re:This is an excellent quiz. by ameoba · · Score: 5, Insightful

      The problem with the test is that they obscure the links. To me, the big test of a scam v. a real email is where the links point to rather than the content and the test uses javascript to obscure where they're going.

      --
      my sig's at the bottom of the page.
    2. Re:This is an excellent quiz. by Crazy+Man+on+Fire · · Score: 5, Informative

      They didn't show up in Mozilla. Switched to IE and they worked. They were using IE-specific javascript to put the link text in the status bar.

    3. Re:This is an excellent quiz. by Grotus · · Score: 5, Informative

      Do you have Mozilla set up to forbid javascript from modifying the status bar (as you should)? If you do, then whether or not the javascript is IE specific, it still wouldn't show the bogus link. I had to view source to see what they wanted to appear down there (mainly because I forgot about that setting until most of the way through the quiz).

      --
      "From my cold, dead hands you damn, dirty apes!" - CH
  4. Catching them on the subtleties by gbulmash · · Score: 5, Insightful
    I scored 90%, incorrectly IDing one legit e-mail as a fraud, meaning I missed one because of being overly cautious.

    Some of these fraud mails looked really legit and were mainly given away by the fact that their URLs went to something like fraudprevent-visa.com instead of fraudprevent.visa.com. fraudprevent-visa.com is a domain name that may or may not be affiliated with Visa, while fraudprevent.visa.com is a subdomain of Visa.com, meaning it's not 100% safe, but much more likely to be legit.

    But asking people to know this difference is asking a bit much of them. What might be interesting would be a "Phisher Identifier" built into mail clients that could identify bogus or unauthorized URLs based on a very carefully maintained database of legitimate URLs.

    Seems that a plug-in could be written for Outlook, Eudora, etc.

    - Greg
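
    As an added illustration of the "Phisher Identifier" idea in this post (example code written for this page; it is not from the article, from MailFrontier, or from any mail-client plug-in): a small Python checker that pulls every link out of an HTML message body and flags the tells discussed in this thread: a host that merely contains a brand name without being under that brand's domain (fraudprevent-visa.com versus fraudprevent.visa.com), a bare dotted-quad host, link text that shows one URL while the href goes somewhere else, a form button that hides its target, and an onmouseover handler that rewrites window.status. The allowlist LEGIT_DOMAINS and the sample message are constructed for the example, and the registrable-domain logic (last two labels) is a deliberate simplification that a real tool would replace with the Public Suffix List.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of registrable domains the user actually has
# accounts with (constructed for this example).
LEGIT_DOMAINS = {"visa.com", "paypal.com", "ebay.com"}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. A real tool would consult the
    Public Suffix List so that hosts like bank.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collects href, visible text and onmouseover for every <a>, plus the
    action of every <form> (a submit button hides its target like a link)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open = {"href": a.get("href") or "",
                          "onmouseover": a.get("onmouseover") or "",
                          "text": ""}
        elif tag == "form" and a.get("action"):
            self.links.append({"href": a["action"], "onmouseover": "",
                               "text": "<form action>"})

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def extract_links(html):
    p = _LinkCollector()
    p.feed(html)
    p.close()
    return p.links


def analyse_link(link, legit=LEGIT_DOMAINS):
    """Return human-readable findings for one link (empty list = no tells)."""
    findings = []
    host = (urlparse(link["href"].strip()).hostname or "").lower()
    if not host:
        return findings  # mailto:, relative or empty href: nothing to judge

    # Tell 1: the host is a bare IP address rather than a name.
    try:
        ipaddress.ip_address(host)
        findings.append(f"dotted-quad host {host}")
    except ValueError:
        pass

    # Tell 2: a brand name inside the host that is NOT under the brand's
    # real domain (fraudprevent-visa.com, service-visa.net, ...).
    for domain in sorted(legit):
        brand = domain.split(".")[0]
        if brand in host and not is_under(host, domain):
            findings.append(f"look-alike host {host}: contains '{brand}' but is not under {domain}")

    # Tell 3: the host is not under any domain we know to be legitimate.
    if not any(is_under(host, d) for d in legit):
        findings.append(f"host {host} (registrable {registrable_domain(host)}) not in allowlist")

    # Tell 4: status-bar spoofing, the trick the quiz page itself relied on.
    if "window.status" in link["onmouseover"]:
        findings.append("onmouseover rewrites window.status, hiding the real target")

    # Tell 5: the visible text is a URL whose host differs from the real href.
    m = re.search(r"https?://([^/\s<>]+)", link["text"])
    if m and m.group(1).lower() != host:
        findings.append(f"link text shows {m.group(1)} but href goes to {host}")
    return findings


def scan_email_html(html, legit=LEGIT_DOMAINS):
    """Map each suspicious href to its findings; clean links are omitted."""
    report = {}
    for link in extract_links(html):
        findings = analyse_link(link, legit)
        if findings:
            report[link["href"]] = findings
    return report


# Constructed sample body (not one of the quiz e-mails): a genuine link, a
# look-alike with a status-bar spoof, a dotted-quad login link whose visible
# text claims to be PayPal, and a form button pointing at an off-brand host.
SAMPLE_HTML = """
<p>Please <a href="https://fraudprevent.visa.com/verify">verify</a> or
<a href="http://fraudprevent-visa.com/verify"
   onmouseover="window.status='https://fraudprevent.visa.com/verify'; return true;">
   verify here</a>.</p>
<p><a href="http://203.0.113.7/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a></p>
<form action="http://www.service-visa.net/update"><input type="submit" value="Update"></form>
<p>Questions? <a href="mailto:help@example.org">Contact us</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_email_html(SAMPLE_HTML).items():
        print(href)
        for f in findings:
            print("   -", f)
```

    Run as-is it prints only the three suspicious links; the genuine fraudprevent.visa.com link produces no findings. The brand-in-host test is the one that catches the subtlety this post describes: a hyphen or an extra label puts the name in a completely different registrable domain, which a plain substring match on "visa" would never notice.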

    1. Re:Catching them on the subtleties by daehrednud · · Score: 5, Informative

      1st email:
      This one just tells you to log into the MSN site; it doesn't provide a bogus link or anything.

      2nd email:
      This one does provide a link, plus for some reason the URL args flag my personal danger heuristics. The jagged "do this or else" tone of the email also doesn't seem like it originates from a company that relies on its customers.

      3rd email:
      It doesn't seem that eBay would hire a third party to create an ID system that the users would have to shell out money for. That, mixed with the external link, gives it away.

      4th email:
      I personally hope a bank doesn't deal with security issues by relying on internet communication, but it doesn't sound right for a bank to contact a hacked account victim through email. Plus the 4 appended to the www part of the URL makes it seem that it could possibly be a false URL.

      5th email:
      This email does not provide an external link; it tells you to go to PayPal. It also helps that the email says to always type in the URL manually.

      6th email:
      Again with the threatening tone, but this one more clearly yells fraud when at the bottom of the email there is a blurb that says "This is a promotional message from EarthLink". Definite cut and paste job.

      7th email:
      See 3rd email.

      8th email:
      Threatening tone..., external URL.

      9th email:
      It helps that I've seen emails like this, but in this email you are not asked to provide any data, except for the tracking number in the URL, which they provided.

      and lastly, the 10th email:
      A button! A button can be used to hide the URL from the casual user, and looking at the HTML shows that it goes to www.service-visa.net, which doesn't seem right for a COMmercial enterprise to have.

  5. I call BS on that "test" by mabu · · Score: 4, Insightful

    Let me be among the first to call "Bullshit" on this supposed test.

    Any nerd worth his salt knows to first check the headers of the e-mail and look up the IP to see where the mail really came from, and/or view the source of the HTML and identify obfuscated URL redirects. Then again, any IT guy who is using HTML-enabled e-mail should have his geek license revoked in the first place.
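
    The header check this post describes, as an added example (not code from the article or from any commenter): walk the Received chain top-down, stop at the first hop written by one of your own MTAs whose "from" side is an outside host, and compare that hop's HELO name, reverse-DNS name and IP against the domain in From:. Everything below that hop was already in the message when it arrived and can be written by the sender at will. The trusted host list, the message, its IDs and its IPs (RFC 5737 test ranges) are all constructed for this example; the real-looking Received line at the bottom of the sample is exactly the kind of forged header the top-down walk never reaches.

```python
import email
import re
from email.utils import parseaddr

# Hypothetical: hostnames of our own inbound MTAs. Only Received lines
# written "by" these hosts are trustworthy (constructed for this example).
TRUSTED_HOSTS = {"mail.example.org", "mx1.example.org"}

# Constructed sample, not a real message: HELO claims to be a PayPal server,
# the connection actually came from a consumer DSL address, and a forged
# Received line at the bottom pretends the mail passed through PayPal.
SAMPLE_RAW = """\
Received: from mx1.example.org (mx1.example.org [198.51.100.5])
\tby mail.example.org with ESMTP id A1B2C3; Tue, 4 May 2004 10:02:11 -0400
Received: from smtp.paypal.com (dsl-203-0-113-77.isp.example.net [203.0.113.77])
\tby mx1.example.org with SMTP id D4E5F6; Tue, 4 May 2004 10:02:09 -0400
Received: from mail.paypal.com (mail.paypal.com [192.0.2.10])
\tby smtp.paypal.com with ESMTP id 4711; Tue, 4 May 2004 10:01:50 -0400
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your account has been suspended

Please verify your account details.
"""

# "from HELO (rdns [ip]) by HOST ..." as written by most MTAs; the
# parenthesised part is optional because not every MTA records it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F:.]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_message(raw):
    return email.message_from_string(raw)


def received_hops(msg):
    """Received headers in header order: newest (our MTA) first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({k: (v or "").lower().rstrip(";")
                         for k, v in m.groupdict().items()})
    return hops


def entry_hop(msg, trusted=TRUSTED_HOSTS):
    """First hop written by one of our hosts whose sender is not one of ours:
    that is where the message entered our infrastructure."""
    for hop in received_hops(msg):
        if hop["by"] in trusted and hop["helo"] not in trusted \
                and hop["rdns"] not in trusted:
            return hop
    return None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); use the Public Suffix List in practice."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(msg, trusted=TRUSTED_HOSTS):
    """Compare the From: domain with what the entry hop actually recorded."""
    findings = []
    hop = entry_hop(msg, trusted)
    if hop is None:
        return ["no Received line written by a trusted MTA; chain is untrustworthy"]
    from_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    helo_domain = registrable_domain(hop["helo"])
    rdns_domain = registrable_domain(hop["rdns"]) if hop["rdns"] else ""
    if hop["rdns"] and helo_domain != rdns_domain:
        findings.append(f"HELO name {hop['helo']} does not match reverse DNS "
                        f"{hop['rdns']} for {hop['ip']}")
    if rdns_domain and from_domain != rdns_domain:
        findings.append(f"From domain {from_domain} was handed to us by "
                        f"{hop['rdns']} ({hop['ip']}), not a {from_domain} host")
    elif not hop["rdns"]:
        findings.append(f"no reverse DNS recorded for {hop['ip']}; look the IP up before trusting it")
    return findings


if __name__ == "__main__":
    msg = parse_message(SAMPLE_RAW)
    print("entry hop:", entry_hop(msg))
    for f in check_sender(msg):
        print(" -", f)
```

    The IP to look up (whois, reverse DNS, the sending network's abuse contact) is the one in the entry hop, 203.0.113.77 here, not the 192.0.2.10 in the bottom line, which the sender supplied. Mail that legitimately relays through a third party (a mailing-list host, an outsourced marketing service) will also trip the From-versus-rDNS check, so treat that finding as a reason to look harder rather than as proof on its own.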

    1. Re:I call BS on that "test" by Anonymous Coward · · Score: 5, Funny


      any "nerd" would run his own DNS server and wouldn't need web-based turd like. Poser.

  6. It's scary how many people fall for this stuff. by bennomatic · · Score: 4, Insightful
    I had a client recently who called me complaining that she was getting hundreds of e-mails bounced to her that she didn't send out. I asked her if she had recently opened any email attachments, and sure enough, she said, "Only the one that Microsoft sent me that was a required security upgrade. Come to think of it, that's about when this problem started."

    When it's that easy, you can't even call it social engineering. It's just social nudging, and people are ready to fall for it.

    --
    The CB App. What's your 20?
  7. Breaking News: by goldspider · · Score: 5, Funny
    There are a lot of uninformed and gullable Internet users out there.

    Pictures at eleven.

    --
    "Ask not what your country can do for you." --John F. Kennedy
  8. Five minutes to figure it out. by MacGoldstein · · Score: 5, Informative

    But haven't fallen.

    My parents got an e-mail stating that we were charged $3000 for a new Dell laptop. Never mind that we all use Macs.

    So I check out the site... Looks professional, seems legit, but it asks for a bank account and social number on a non-secure connection... Phishy?

    I checked out the root domain of the given address and ran a search to see to whom the site was registered. Definitely not a real company, an individual, and the root domain didn't exist as an accessible webpage. Not the kind of thing that is very professional. I bounced the e-mail back and dismissed it. Our credit bill the next month didn't have a Dell laptop on it. What do you know?

    All it takes is some common sense to get out of these things, but perhaps real companies should start adopting S/MIME or PGP to ensure their identities to make it more apparent to a layperson.

    Of course, a false company could just as easily hide behind these "foolproof" authentication mechanisms.

  9. Unfair test by asdfasdfasdfasdf · · Score: 5, Informative

    Honestly, I got through 3 examples before giving up. The real test for me is, "Is the link back to the official site? Or does it look like a link and take you to some mysterious 3rd party server?"

    In this test *ALL* links pop up a "for the purposes of this test, this link has been suspended" message. This makes the whole thing useless.

    Anybody can copy a legit paypal or eBay email and change a few words and make it "look" real. The key is in the links and the data mining.

    1. Re:Unfair test by MaelstromX · · Score: 5, Informative

      I suspect you use Firefox, which, for me, didn't show the URLs of the links when I put the cursor over them for some reason. I opened up IE and it worked fine.

      Is this test not Firefox friendly? If not, why didn't the story say so? (don't a lot of people on /. use Firefox?)

  10. hard? by Bobman1235 · · Score: 4, Informative

    Honestly, it's pretty simple. Just never click on any link in any email. If it's from a company you deal with, type in the URL you know and love to find the information. The only one of the emails in that entire "quiz" I would have trusted was the one without any links, that simply said "go to ebay.com, click on your account." Anything else could be fake.

    At the very least, copy and paste the URL rather than click it, and study it for 3 seconds before going to the site to make sure it looks like the site you think you're going to.

  11. Talk to Verizon by RealityMogul · · Score: 5, Interesting

    I got Verizon DSL service back in February. A month later, I got an e-mail that basically stated there was a problem applying the DSL charges to my phone bill. In the e-mail, which was sent to "Verizon Customer", they suggested I reply to the e-mail with my account name and credit card information.

    I thought it was a scam, but left it in my inbox. Two weeks later my service was shut off. Apparently the message was legit.

    After I got the problem straightened out, I sent them a very nasty, yet informative, e-mail and they agreed that they will review their e-mail policies and apologized for sending such a message to begin with.

  12. nice link! by jjeffries · · Score: 4, Funny

    Linking to a cgi from the front page? Why don't we just find out where the server is and burn down the building instead?

  13. Re:This test is bogus by PhxBlue · · Score: 4, Insightful

    No, you just have to recognize the proper set of conditions. If an E-mail already contains correct and verifiable information about your account, or if it does not ask for any account information in the first place, it's probably legit. Otherwise, it's probably a fraud. My non-geek wife and I both took the test and scored 10 / 10.

    --
    !#@%*)anks for hanging up the phone, dear.
  14. Re:pre-emptive grammar-nazi by Dogtanian · · Score: 4, Funny

    I know, I know, it's "gullible".

    Normally I'd suggest that you should check the spelling in a dictionary first; but did you know that "gullible" isn't in the dictionary?

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  15. Re:This test is bogus by Kazoo+the+Clown · · Score: 4, Insightful

    "No, you just have to recognize the proper set of conditions. If an E-mail already contains correct and verifiable information about your account, or if it does not ask for any account information in the first place, it's probably legit. Otherwise, it's probably a fraud. My non-geek wife and I both took the test and scored 10 / 10."

    Congratulations. However, by ALLOWING YOUR FINANCIAL INSTITUTION to send you correct and verifiable information over email, and since email is sent unencrypted, they have in effect published your information to the web at large. I would consider this a CONTRIBUTION TO FRAUD, and therefore equivalent to fraud, in my book. If I were to get that kind of information from a bona-fide financial institution I'm associated with, I would immediately contact them and treat it like an actual fraud: change my account, etc.

    This site is bogus because it is giving you a false sense of security...

  16. Re:80% right, 100% ugly colour scheme. by Scorchio · · Score: 4, Funny

    Oh, it's a colour scheme, is it? I thought my monitor was running low on ink.

  17. The correct term... by SatanicPuppy · · Score: 4, Informative

    ...is Social Engineering. Or Con Artistry depending on your tastes.

    The average non-techie wouldn't know what a "Phish" scam was if it was sitting on their face, any more than they would know what a phreak was or why hacker, cracker, and coder all mean very different things.

    I agree with GGParent. This crap should never have made it into the media. They're only going to be screwing it up.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  18. This is why... by devphil · · Score: 5, Insightful


    ...I won't use an email client that renders HTML. Or at least, won't let me turn that off.

    When I get these mails, 95% of the time I delete them unread; no legitimate business should ever need me to "confirm my information". Every so often I look at one, and since I only see the raw HTML, it's easy to see that the images and whatnot are all being pulled from the real company site, except for the "login" link which goes to some mysterious dotted quad address.

    (Side note to companies: stop letting outsiders pull images off your server; only let your own pages refer to them. It's an Apache FAQ, fer cryin' out loud.)

    Every so often a friend will send me HTML mail, but I can cope. :-)

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    1. Re:This is why... by OneSeven · · Score: 4, Insightful

      but... the workaround is so easy that it's barely worth even trying to protect the images. It's called 'Print Screen'.

    2. Re:This is why... by Tony-A · · Score: 4, Insightful

      "confirm my information".

      There is a meaning to this word confirm.
      If they list the information they wish to confirm, it might be legitimate.
      If they list no information that is to be confirmed, it's a scam.
      There is a problem if there are several pieces of information with one of them wrong.

      "your account has been hacked, verify your account details"
      Which account has been hacked?

      You know the account has been hacked.
      You know the account is mine.
      You will not tell me which account, how you know it is hacked, and how you know it is mine.
      It's not the misspellings, bad grammar, etc. There's something missing that any legitimate message of that sort would have. Essentially it's insider information pertinent to why this comes from you to me.

  19. Re:80% right, 100% ugly colour scheme. by silverfuck · · Score: 5, Insightful

    I answered one incorrectly as fraud (the MSN one), and the rest perfect. But I was surprised I actually scored so highly as the test removed all the methods I use to spot fakes:

    1) I couldn't see where the links were pointing as they had been removed.
    2) I couldn't see the email headers.
    3) I had no idea if any personal information (at the most basic level, name) was correct or not. Though I would err slightly on the side of counting any email that has personal details in it as legit, it is obviously fraud if it carries somebody else's name.
    4) Am I supposed to be actually subscribed to any of these services or not? If I get something from citibank like that in my inbox, I'm going to mark it as fraud as I have absolutely nothing to do with them. (This is my excuse for the hotmail/MSN one!)

    It's very possible most people don't check the first two at all, in which case I have slightly more sympathy with them seeing how confusing it can be now.

    Maybe an added layer of security could be to go to the site in question and log in from there manually to check everything?

    --
    You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
  20. Re: 100% Bad 'test' by meta-monkey · · Score: 4, Insightful

    On the other hand, consider that in this test, subjects were actively thinking about whether or not these emails were fraud. They had advance warning that they might be exposed to fraud. That doesn't happen in the real world...the general assumption when you get an email from a service to which you subscribe is, "Oh, this service I use is trying to contact me about something important."

    It's kind of like April Fool's Day. Play a prank on somebody on April Fool's Day, when they're expecting it, and they might not fall for it, because they're on the lookout. On any other day, the same prank might succeed easily, because the victim is caught off guard.

    --
    We don't have a state-run media we have a media-run state.