Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anti-Phishers Pose as Phishers to Make Point

Posted by CmdrTaco on from the now-that's-just-plain-silly dept.

Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers to 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"

2 of 337 comments (clear)

  1. Re:Common Sense by bigman2003 · · Score: 5, Insightful

    Unfortunately, common sense does not mean the same thing for the average user, as it does for people on Slashdot.

    Average users feel that since mail was sent to them, it should be safe to open in.

    Common sense means that it is the job of the technical industry to make sure that this can happen. That the average user can open mail without worrying about being 'infected.'

    Common sense means that when an e-mail is sent, and it says that Grandma Jones sent it, it really was from Grandma Jones.

    Common sense means that WE (technical industry) have a lot of work to do. Not the average user. Thier only job is to use the infrastructure we create.

    --
    No reason to lie.
  2. Re:Common Sense by bcattwoo · · Score: 5, Insightful
    I think that some slashdotters must be fortunate enough to have never seen a really good phishing email. We aren't talking about just some crappy, far-fetched Nigerian-type scams. The more apt analogy would be:

    You get a letter in the mail on your banks letterhead in an envelope exactly like every other letter you have received from the bank (with the exception that the postmark is from a different zipcode than usual, but who checks those?). The letter states you need to sign some paperwork, could you please come to the nearest branch to take care of it. It provides some directions to your branch that isn't your usual route but their way does seem more direct. You arrive at the branch and everything looks just like you remember it, even the tellers look familiar. They ask you to fill in some account information on a form, sign it, and you are on your way.

    The good phishes don't ask for your password or account information through email outright. In an official looking email they direct you to visit your financial companies website to update or confirm something. For your convenience they even provide a link to the "website" for you, which directs you to an exact duplicate of that companies login page. I have even seen ones where clicking on the "help" or "contact us" links will actually take you to the corresponding pages on the real sites. A lot of these phishers are far from amateurs!