People Suck at Spotting Phishing
JohnGrahamCumming writes "Initial results at SpamOrHam.org show that people don't fare well when trying to spot spams and phishes. This blog entry shows some actual spams and phishes that people fell for, as well as genuine messages that they think are spam." The thing about these s[cp]ams is that they must work sometimes. When I see the messages, I can't fathom 'how'.
At what point in history was this not a problem? Can't say I'm surprised...
- For every action, there is an equal and opposite criticism.
While it would be nice if there was a test or three that a person was required to take in order to do anything online... the fact that anyone is able to buy a PC and plug it into the internet means that there are a lot of... uninformed people out there.
It's the same group that replies to spam messages asking to be removed, purchases from spammers and leaves their PCs connected 24/7 without spending any time to patch them.
So long as these people exist, nothing should be a surprise as to the effectiveness of phishing and other such areas.
Help Brendan pay off his student loans
I've seen more sophisticated phishing examples by far, and some are indistinguishable from what might be the real thing. The distinguishing factor from a genuine missive is the best phishes have links to bogus addresses (sometimes denoted with only an IP address), and the destination site asks for information companies won't ask for from an e-mail.
One of the best phishes I've seen was sent to me -- it was ostensibly from my phone company, and it described a problem with my on-line bill pay (I don't). The letter was nicely formatted with the colors and icons of my phone company. The link was a giveaway: when I rolled over it, I could see the IP address, not a phone company web-site.
I researched this a bit more, went to my phone company's web site, and downloaded their graphics. A bit-for-bit comparison of their icons, etc., and the phishers' showed them to be identical. (Interestingly, this puts phishers also in the position of being guilty of more crime: copyright violations.)
Had my suspicions not been raised by the fact I wasn't participating in on-line bill pay and the phish indicated that problem, and had I not seen the IP address by rolling over the link (which I only did because of above suspicion), I easily could have been convinced I was dealing with a real e-mail (NOTE: this was two years ago, before phishing had become real big, and it was my first incident.)
I can easily believe many, if not most could fall for well crafted phishing expeditions. I would agree with the cited article, those are weak examples unlikely to catch savvy users (though they still could catch the naive, of which there are millions!). (And, I would claim some of the examples really are nothing more than SPAM.)
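The giveaway described in the post above (a link whose real host is a raw IP address or sits outside the sender's domain, while the visible text names the company) can be checked mechanically rather than by rolling over each link. The following is an added example in Python, not code from the original post or from SpamOrHam.org; the HTML message, the sender domain `example-phone.com` and the two-label domain comparison in `_registered` are constructed assumptions.

```python
"""Flag suspicious links in an HTML message body (added example, not from the page)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: styled like a phone-company notice, but the sign-in link
# points at a raw IP address while its visible text names the company's domain.
SAMPLE_HTML = """
<html><body>
<p>Dear customer, there is a problem with your online bill pay.</p>
<p><a href="http://192.0.2.10/login">Sign in at www.example-phone.com</a></p>
<p><a href="https://www.example-phone.com/help">Help center</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Matches something that looks like a hostname inside the link's visible text.
_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def _registered(host):
    """Crude registrable-domain approximation: the last two labels.
    Assumption for the example; a real client would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def check_links(html, sender_domain):
    """Return [(href, [reasons])] for every link that deserves suspicion."""
    findings = []
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if _is_ip(host):
            reasons.append("link host is a raw IP address, not a hostname")
        elif _registered(host) != _registered(sender_domain):
            reasons.append("link host is outside the sender's domain")
        shown = _DOMAIN_RE.search(text)
        if shown and _registered(shown.group(1)) != _registered(host):
            reasons.append("visible text names a different domain than the href")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_HTML, "example-phone.com"):
        print(href, "->", "; ".join(reasons))
```

Run against the constructed sample, only the sign-in link is reported, with two reasons: its host is a bare IP, and its visible text names a domain the href does not go to. The help-center link, whose host is inside the sender's domain, passes.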
do *NOT* manage business through e-mail! And if I have to, I'll make sure to add the involved people to my "safe list" or "address book".
(Actually, it also helps when 90% of your mails are in Spanish :P )
...there is no patch for human stupidity.
Most users just don't know better, despite best efforts to educate them otherwise, or make the scams obviously fraudulent. Ever seen that 'MSN will never ask you for your password!' type banner on things? Know how many people retain it? Very few.
Informatus Technologicus
He finds it strange that people called that message from "Keith" to be spam... but the thing is, if you have no idea who "Keith" is, it probably IS spam... and if you do know him, you probably would not mark it as such.
The same goes for the US Airways thing. Yeah, it's an example of "not spam", but if you haven't recently bought a US Airways ticket, then the safe bet would be that it is.
Oh... and the nun joke is fucking hilarious. That alone made TFA worth reading.
Information wants to be anthropomorphized.
TFA seems to be using a funny definition of spam.
Most would say it's unsolicited commercial junk mail, but he seems to think it means "phony" email. Apparently he doesn't mind receiving weekly airfare specials containing choice bits like "BID FOR TICKETS TO THE BIG GAME IN THE BIG EASY!"
Also re phishing: I'd say paypal is largely at fault for this. They do (did?) send an awful lot of useless mail full of clickable links - they were just begging to get phished because people were so used to receiving authentic but useless clickable mail from them. None of my other banks have done this (although one sends a fair amount of crap not specific to my account - rates and such).
So what if someone thinks a legitimate email from a bank is a phishing scam? Banks shouldn't be using email for anything serious because it makes their customers more susceptible to fraud. If people expect to receive legitimate and sensitive communications from their bank via email, it's that much easier to fall for it.
For example, I got one this morning talking about my home loan account with a large bank I don't have an account with. I know it's a phishing scam just from the From and Subject lines. However, if my own bank sent an email talking about my actual mortgage, I'd treat it in exactly the same way. There's no benefit to giving an email the benefit of the doubt. If there is something my bank needs from me, they can send a letter and I'll go to my local branch to take care of it in person.
Some people should only bank at brick-and-mortar stores.
The blog article wasn't very interesting but I noticed for May 11th he reported on Google Trends. First time I've heard of it. Try it out http://www.google.com/trends
Let's say I handed you an entire crate of auto parts, and told you that some of them may be genuine parts, while others might be knockoffs. I give you a whole binder, filled with instructions on how to differentiate between all the different "good" and "bad" parts. Some of these knockoffs are obvious fakes; others are quite cleverly done, requiring you to check for minute details such as whether or not inner surfaces are well-polished, or subtle discrepancies in serial number schemes and product logos.
At what point do you just start winging it? After one day of studious sifting? After a week? A month? When you see a part that you're pretty sure is genuine, but would need to haul out the manual for ten minutes' worth of cross-checking part and serial number ranges to confirm this--at what point do you simply go with your gut?
When somebody who knows what they're doing goes about trying to hoodwink your typical individual, it can be very hard for the individual to know when they're being hoodwinked, even if they know they might be being hoodwinked. It's part of human nature--there's a point at which you just throw your hands in the air and grant your trust to an unknown entity, because it's too tedious or time-consuming to check everything out. Given the average person--heck, even a person who knows a fair amount about the subject--there'll be a point where they just take the damn part and have it installed in their car, because they just want to be done with it and get on with their life. It's the same thing with phishing--unless you're one of those few individuals who has fairly advanced knowledge on the subject, you're eventually going to give up and make a gut-reaction decision to whether or not you "trust" the email you just got, simply because it's more trouble than it's worth to actually dig through it.
Obliteracy: Words with explosions
As someone said, think of how stupid the average person is, and remember half the people are even stupider than that. People suck at spotting when they're being cheated or lied to, which is why phishing, advertisers, and politicians merrily thrive.
For Pete's sake people, if you have to show genuine emails, try at least to sanitize them a little. Some of the 'ham' emails shown still have the full contact information, including the original email address. That's what I call dangerous!
If you don't believe me, go to the web site, and try classifying some emails... You'll see what I mean...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
We have reached a stage where people don't think twice about the path taken to make a quick buck. And the increase in phishing attacks only goes on to prove it. And people (especially those who have just taken their first few steps in getting online) fall for the ploys of these criminal activities more frequently.
Linux Help
for all things on Linux
Does this look like a phishing link:
http://email.chase.com/B5RH02E0D85AC794D46693C9BD
It's from a Chase email, but I don't know if it's really from Chase or not. They should at least use legit-looking URLs.
Mind you, I think that that type of phish is the most sophisticated type of phish, being both elegant and simple. I "fell" for one of those back in the day, in that I got an email from my bank, and it notified me of some account change, so I immediately and without checking the validity of the link on the email...called my bank on the phone and said, "What the hell is up with this?"
They of course, didn't know anything about it, I checked the link and realized it was false. That was just long term ingrained habit that pulled me out of that one, because it was an excellent phish. But how do you teach those habits of suspicion to a layman?
It's just a security issue. I deal with passwords all day every day, and people are awful with their password security. It just doesn't make any sense to them, and they all think that the consequences for this or that little security breach are harmless, and so when something like this comes along, they fall for it, hook, line, and sinker.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I treat all of those emails as a phishing attempt. If I think it has the possibility of being legit, I type in the appropriate web address (no, I don't cut-n-paste, I type in the previous login site), login and verify the contents.
Duuuuuuuuuuuhhhhhhhhhhhhhhhhhhhhhhhhh!!
Look, your average Joe is not sophisticated; they're not going to know to look at the links in a phishing email and note they don't point to their bank's valid web address nor be able to do a DNS lookup to figure out that Joe Whathisface is not the owner of the bank's valid domain name. They don't care about this. It's the same thing that happens when people get those fake sweepstakes things in the mail saying they've won something and, oh by the way, could you send us $500 to ship it to you?
Put a Ford Escort engine in a Porsche 911 Turbo body and I bet 70% of the people you pull off the street would drive it and not know any better. For them, if it looks like a duck, walks like a duck, and quacks like a duck, it's a duck.
Solution: raise everyone's IQ 50 points. Plausible: not likely.
GetOuttaMySpace - The Anti-Social Network
Evil will always triumph, because good is dumb.
Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
I still don't understand how someone with a modicum of common sense would EVER reply to an email or populate a Web site with information from someone or an organization they do not know.
If I were the banks, which are the biggest targets for phishing, I would run commercials during primetime TV stating that "we never send out emails asking for your personal information". While this would not reach everyone, it would be a start. Security, however, is not a money maker, it's an expenditure. Banks will continue to only run commercials extolling their wonderful features.
Ever notice the commercials that sell drugs? What the hell is wrong with American medicine? Ever notice that none of these commercials or medical professionals ever talk about fixing the root cause? They only talk about the symptoms. Security is the same thing. Let's fix the root cause instead of treating the symptoms. Education of the populace would go a long way towards cutting down on phishing.
I think that there are more indirect behaviors that go into determining if a message is spam or not (given a filter misses it and it gets to your inbox). First and foremost, do I know the sender? That's a big variable that that quiz cannot reproduce or take into account - so of course people will have a tough time determining if a message is spam or ham. Second is the presence of attachments. If I know the sender, and the message isn't something like "check out this great video!", I'll be pretty sure it's ham.
That quiz is great for the basics and the practice of looking at headers, but I feel it misses the most fundamental aspect of knowing the sender and letting your brain do the work that filters miss.
Email clients and servers need to start automatically looking at the chain of IP addresses or domains in the headers, and rating them accordingly.
If any header lies, e.g. IP address mismatches with domain name, or two successive Received-by headers don't have consistent information, then RED ALERT.
If the From domain doesn't appear in top-most received line, YELLOW ALERT. If it doesn't appear in any line, RED ALERT.
If the top-most received line's address is from a known spamming domain or open relay, RED ALERT.
If any previous mail-server, such as your ISP's, tagged the message with YELLOW or RED alerts, your alert should be at least this high.
Note that red and yellow alerts don't necessarily indicate spam. They are simply one of many indicators of spam, and should be used as input to the spam/ham decision-making process.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
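The header checks proposed above (reverse-DNS mismatch, inconsistent successive Received: lines, the From domain missing from the top-most or from every Received: line, a known bad relay, and honouring an upstream server's rating) can be implemented as a small rater. The following is an added example in Python, not code from the original post or from any mail server; the two sample messages, the `BAD_RELAYS` set and the `X-Spam-Alert` upstream header name are constructed assumptions, and the hop parser only understands the common `from A (rdns [ip]) by B` form.

```python
"""Rate a message's Received: chain with YELLOW/RED alerts (added example, not from the page)."""
import email
import email.utils
import re

LEVELS = {"NONE": 0, "YELLOW": 1, "RED": 2}

# Constructed: hosts a local policy treats as known open relays or spam sources.
BAD_RELAYS = {"relay.example-openrelay.net"}

# Constructed sample: claims to come from the bank, but the hop that injected it has no
# reverse DNS, and the bank's domain never appears in the top-most Received: line.
PHISH = """\
Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.5])
\tby inbox.example-isp.net with ESMTP; Mon, 1 May 2006 10:00:02 +0000
Received: from mail.example-bank.com (unknown [203.0.113.9])
\tby mx.example-isp.net with SMTP; Mon, 1 May 2006 10:00:01 +0000
From: alerts@example-bank.com
Subject: Account verification required

Please verify your account.
"""

# Constructed sample: a single, consistent hop from the sender's own mail exchanger.
CLEAN = """\
Received: from mx.example-bank.com (mx.example-bank.com [192.0.2.25])
\tby inbox.example-isp.net with ESMTP; Mon, 1 May 2006 10:00:02 +0000
From: statements@example-bank.com
Subject: Your statement is ready

Your statement is ready.
"""

HOP_RE = re.compile(r"^from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)


def parse_hops(msg):
    """Return hops top-most (most recent) first as dicts: from, rdns, ip, by."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())  # unfold and normalise whitespace
        m = HOP_RE.match(text)
        if not m:
            continue
        claimed, paren, by = m.group(1), m.group(2) or "", m.group(3)
        ipm = re.search(r"\[([0-9.]+)\]", paren)
        rdns = paren.split()[0] if paren.split() else ""
        hops.append({"from": claimed.lower(), "rdns": rdns.lower(),
                     "ip": ipm.group(1) if ipm else "", "by": by.lower().rstrip(";")})
    return hops


def _domain(host):
    """Last two labels; an assumption that ignores the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def rate(raw_message):
    """Return (level, reasons) where level is NONE, YELLOW or RED."""
    msg = email.message_from_string(raw_message)
    hops = parse_hops(msg)
    reasons = []
    level = "NONE"

    def raise_to(new, why):
        nonlocal level
        reasons.append(f"{new}: {why}")
        if LEVELS[new] > LEVELS[level]:
            level = new

    for i, hop in enumerate(hops):
        # A header lies: the claimed name has no reverse DNS, or reverse DNS points elsewhere.
        if hop["rdns"] in ("", "unknown") or _domain(hop["rdns"]) != _domain(hop["from"]):
            raise_to("RED", f"hop {i}: {hop['from']} does not match reverse DNS "
                            f"{hop['rdns'] or '?'} [{hop['ip']}]")
        # Successive lines must chain: this hop's 'from' is the previous hop's 'by'.
        if i + 1 < len(hops) and hop["from"] != hops[i + 1]["by"]:
            raise_to("RED", f"hop {i}: from {hop['from']} but previous hop delivered to "
                            f"{hops[i + 1]['by']}")
        if hop["from"] in BAD_RELAYS or hop["rdns"] in BAD_RELAYS:
            raise_to("RED", f"hop {i}: known bad relay {hop['from']}")

    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if hops and sender_domain:
        seen_in = [i for i, h in enumerate(hops)
                   if sender_domain in (_domain(h["from"]), _domain(h["rdns"]))]
        if not seen_in:
            raise_to("RED", f"sender domain {sender_domain} appears in no Received: line")
        elif 0 not in seen_in:
            raise_to("YELLOW", f"sender domain {sender_domain} missing from top-most Received: line")

    # An upstream server's rating (constructed header name) sets a floor on ours.
    upstream = (msg.get("X-Spam-Alert") or "NONE").strip().upper()
    if upstream in LEVELS and LEVELS[upstream] > LEVELS[level]:
        raise_to(upstream, "upstream server already rated it this high")
    return level, reasons


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, *rate(sample), sep="\n  ")
```

As the post itself notes, RED and YELLOW here are inputs to a spam decision, not the decision: the rater returns its reasons so the caller can weigh them with other evidence. The constructed phish rates RED (reverse DNS "unknown" on the injecting hop) with an additional YELLOW because the bank's domain appears only in the older Received: line; the clean sample rates NONE.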
Stop using HTML or convert it to plain text and it's hard not to spot a phish.
UNIX/Linux Consulting
It is not required that they need to differentiate between scams and genuine mails.
If you see a mail warning you about some dire occurrences with your account, don't click the link on the page. Use the browser bookmark or something to go to the account. The reason these scams succeed is because people are _also_ _lazy_.
If one comes with the logo of your car brand and the other comes in a plastic bag with chinese instructions. Easy choice.
I only know a bit about mopeds (50cc limited bikes) because there was a huge industry for cheap parts but they really sucked donkey balls. Very poor quality and it showed.
Easily.
Perhaps alternators are different but I can tell the difference between a shoddy muffler and a good one in a second. Mostly because the good one does not have pieces falling off.
But it is made even easier. If cars were the internet it would be very easy to spot the fake spare parts from the real ones because the real ones DO NOT EXIST!
That is how you tell a fake request for your account details email from a real request for your account details. Because the real ones DO NOT EXIST!
This is not about cheap alternators. This is not even about people buying 10 dollar Rolexes from a guy on a street corner. This is about people paying 1000 dollars for the Mona Lisa.
EVERY serious site has a disclaimer stating they will NOT ask you for your details by email. EVERY scam involves them sending an email asking for your details.
WTF?
As for regular spam, how hard would it be to spot a car part if it said r3n@ul1 instead of renault. If you would fall for the badly spelled one do you mind if I kick you? In the nuts so you cannot spread those defective genes?
Scams and spams work because people don't stop and think for a second. It is not asking people to spot gold plated from solid gold. Or even glass from diamonds. It is asking people for a second to think if this deal makes sense.
You can't cheat an honest man and you can't phish a person who thinks.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
If I were a spam filter, I would forward all "sell-me-something-e-newsletter"s to the spam folder. No one's telling the user not to check the spam folder once in a while...
.. That's what I do. There's no reason a bank or CC company is sending me mail that isn't paper that I care about.
Until there's some sort of crypto trust built into email (I'd prefer some form of added/retasked fields to provide domain public keys within trusted DNS) the safest thing to do is ignore such mails until you get phone or paper spam.
Seriously, if a bank wants to do business with me it should send me a letter written by a human, not some email composed by a machine.
My spam filter catches a lot of this junk and even if I had no spam filter I'd just delete them anyways as I don't trust them.
There have been many times when dealing with people that I wished I could kiss my own butt goodbye
Yes there is.
How useful would it be if a system similar to say Blue Frog would fill out bogus data to a phishing website to obscure any real victims?
I often used to wonder just why I got so many spams which seemed identical to ones I've been getting for months. Surely by now everyone who would fall for it had done?
Then one day, I bought something off ebay, and used paypal. About 4 minutes later, I got the ping of something arriving in my mail box. It was from paypal. It said my credit card payment had been refused. I realised I might have changed credit cards since I last used paypal, so off I went to log in and check my details were up to date.
I got about half way through typing in my password before suddenly I had a sinking feeling. Yes, it had been a spam. I'd just clicked on a link in the e-mail while half-asleep.
Combination - fun iPhone puzzling
In other news, 50% of people have below-average intelligence.
Jokes about statistics aside, people falling for phishing is our fault. Our fault as in our industry's fault.
We've spent so long training our parents, help-desk clients, and other tech-stupid creatures that the way to respond to mysterious dialog boxes is to "Just click OK!" that at this stage the damage is essentially permanent.
Their natural instinct was to treat computers with suspicion, and we beat it out of them.
Yay for us.
I was reading a Dilbert strip there recently where the PHB was interviewing candidates by showing them his junk mail and asking them what they would do with it.
Another couple of candidates and he would get through his inbox.
There's an intense feeling of Deja-Vu here.
Genesis 1:32 And God typed
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
I wonder if it's more a lack of training or if it's a personality trait to believe phishing?
I would suggest it's mostly training, or a lack thereof, that leads people to thinking they have to validate their account. If they knew to check the URL, and beyond that knew their bank isn't going to email them, then this would hardly be a problem except for the most "simple" users who happen to be "simple" people too.
Oh You POS
Gmail routes everything phishy to my spam box and puts a red bar over it. They are batting nearly 100% at spam blocking too. I get about 20 per day, and 1 or 2 slip through every other day on the average.
- run
The phishes they catch are fairly subtle, they are burying their evil link in HTML which renders OK, and only the phony grammar of the message gives it away:
"Once you have updated your account records, your PayPal® session will not be interrupted and will continue as normal. Go to the link below.
http://www.paypal.com/cgi-bin/webscr?cmd=_login
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Without knowing the context of some of the messages, some of the messages labelled legitimate can easily be spam.
They read every bit like other messages which are spam. Remember, spam is:
Unsolicited Bulk Email.
Reading those messages without knowing the user's history with the senders, they may or may not be legitimate.
Many have softened and gone with the FTC's definition where it must be business-oriented, but as far as many in the anti in the community can be, it can be political[1], religious, charitable, or any other form of message. Just because the headers look legitimate doesn't mean it's not spam. It just means it's closer to U-CAN-SPAM compliant than 99.9% of what we receive (and those who have the ability to enforce it).
If it's not COI (Confirmed Opt-In), it's spam. (and anyone who says Double Opt-In is using SpammerSpeak to sucker you in)
The problem with Opt-In is you can sit down and enter any number of email addresses and they begin receiving crap without confirming their intent to do so.
_____________________________
[1] Pick a party, any party, Democrat, Republican, Naked Tree Frog Humpers, you name it. Send email asking why their representative on the news stated a particular viewpoint when it seemed to conflict with their current platform. Try adding an appended statement your message doesn't grant being added to a list. It won't matter. Any incoming email message will have the headers stripped and automagically [sic] added to their spam list. Once you find the right person to harass, let them know you're going to start with the local media and work your way up from there to let them know they are spamming innocent parties. It might take awhile, but if you're lucky, they'll remove you.
mail blasts (not spam - spam is what everyone else sends) went out and there were a lot of unhappy people around the world. After the vote count was over, what do you suppose his take was? 11%. His campaign chief said they were stepping onto the cutting edge and leading the way where others will follow in the future. Peabrain candidate. For hiring that chief. Peabrain campaign chief.
He's the kind of guy you'd like to teach to play fetch, then throw the ball into the street.
(if you steal that, just remember, I'm a huckleberry)
One of the things you have to understand is the way that they are measuring spam vs. non-spam. I decided to try out this project today, and some messages that I would consider to be SPAM (i.e. UCE) are not identified by the spam filter as such, and looking at the raw message doesn't appear to contain any attempt to deceive. So, it is unclear from the project what exactly they consider to be spam, and it's impossible for me to tell if they had an EBR (uh, that's existing business relationship) with the emailer, which reduces me to reviewing the message and trying to determine if it's UCE or if any of the crap inside of it is forged or not, and from that perspective determining if it is SPAM.
This is hardly ideal. I understand that what they're asking is for me to not mimic the spam filter but to be the spam filter for this mailbox, but now that I've done it for a dozen or so messages I understand how hard it is for spam filters to implement a hard-and-fast set of rules for determining what is and what is not spam. Who knows? Maybe that p3n15 enlargement email was legit, you pr0n-sicko
Friends help you move. Real friends help you move bodies.
Never forget: 2 + 2 = 5 for extremely large values of 2.
Lucky for them I have a training course on how to prevent this. Anyone interested please send me your name, phone number, mailing address and credit card number and I will get you signed up RIGHT AWAY!!!
Remember, you never spend enough to protect yourself!!!
For the humor impaired, this was a joke...
A lot of the spam that's been sent my way by persons unknown has many random snippets of legitimate text in it, presumably to fool spam filters. I have had whole pages of The Hobbit quoted to me recently. I occasionally open one up to look at it (no attachments or images, just the plain text) and get entertained with very ethereal poetry. For example:
In a trice without warning the face of nature
grew sullen Black angry mouths, the clouds
swallowed up the sun The air was dense with
suppressed excitement For him there was a
little mattress of straw and woollen blankets
The wind howled through the long corridors
and sobbed and whispered in the secret recesses
Shakespeare himself never wrote a finer sonnet!
[the literary purists out there will be quick to point out that there are specific, technical definitions of what constitute a haiku or sonnet. I know these spams don't qualify as either; it's just a useful name to give them]
Anyone spotted red text "TRIAL COPY" across the titlebars in the screenshots?
Looks like a "feature" of some screenshot capture shareware.
Nevertheless, I think (having in mind the topic of TFA) this doesn't add them much credibility.
Rediculous is ridiculous!
If it's in English, it's scam/spam/phishing, if it's in Dutch, it's genuine. Nice!
Most phishing entails taking a user to a non-SSL protected site, and if they do not look for https in the address bar or the lock on the bottom status bar it's their own fault for not doing a little research before entering in the ID and password.
Question - if you opt in, is it still spam? In my (snail-mail) case, I get a catalog monthly from a certain firm. It's third-class bulk mail; to anybody but me I'm quite sure it looks like junk mail (the snail-mail equivalent of spam).
So . . . if I've done business with MexiDrugsForLess.com and opted in for "notification" e-mails ('cuz I want the best price on Cialis, doesn't everyone?), their e-mails are not necessarily spam, even though almost any reasonable person would immediately conclude otherwise. Now PHISHING is a more black-and-white kind of decision; either the e-mail actually originated from the apparent point-of-origin, or it's a phishing attack. I can conceive of exceptions to this, but by and large that's true.
In the end, junk/spam is largely in the eye of the beholder. One man's spam is another man's pork shoulder, er, I mean "ham".
I completed about four tests before I started to get the feeling that I was actually working on training their filter. I felt like I should be charging a fee. Most of the tests are bogus. One email asked me to add some addresses to the "TW mailing list". I don't have context - in this scenario, do I work for an employer who has a "TW mailing list"? Do I manage it? The answer has everything to do with the way I'd rank it. In fact, most of the emails referred to specific people, and knowing or not knowing them would control the rating on the email.
I wonder where they're getting the emails from, originally. I noticed a lot of them are @enron.com email addresses, which makes me wonder if they weren't pulled from some sort of public records somewhere. I assume during an investigation if emails were subpoenaed as part of discovery, and subsequently became part of the court's records, they'd be public domain just like other Government documents. That would at least explain the Enron emails, I'm still wondering about all the other ones.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Rule 1: It's almost certainly not legit, before you even look.
Rule 2: If it seems legit, then go to your browser and manually go to the institution's website and log in normally, do not use hotlinks provided in any email.
My rule 1 used to be just "it's not legit" - none of my financial institutions EVER contacted me via email up until about 6 months ago. Now they do, so I've modified it a bit.
You'd think people would get a BIT of a clue from the fact that, like me, they must be getting very valid-looking emails from places that they don't even have accounts with. You'd think that would tell them something.
unfortunately, there are problems with that as well - there are some legit sites that will redirect you off of their main domain, sometimes even to an IP address. Insane? Yes. But it happens. So for people who actually DO know what the hell they're doing, the problem isn't phishes that look like real sites, it's real sites that look like phishes.
John Graham-Cumming says that the Travelocity email at the bottom of his blog essay "really is a genuine message from Travelocity and not a spam."
I beg to differ. I have no problem believing that it "really is a genuine message from Travelocity."
But spam doesn't mean "phony," it means "unsolicited commercial email." (And in my own opinion that includes "unknowingly 'solicited' commercial email.")
In order for Graham-Cumming or anyone else to say that Travelocity email is not spam, they would need to know whether it was solicited. You can't tell by any examination of the message itself.
If it was actively solicited by someone specifically checking a box requesting to be notified of offers, then, sure, it's not spam. If it was opt-out spam with the opt-out option hidden... or implicit... then it darn well is spam.
Most likely this particular email is in a grey area... quite likely an opt-out was plainly visible, but needed to be actively chosen, at some point in the travel booking process where a customer's thoughts are likely to be elsewhere (where IS that security code on the back of my credit card?).
But it is absolutely wrong to say that the Travelocity message is "not spam," just because it is really from Travelocity.
Spam is spam, even if it is a genuine email from a reliable company informing me of some truly valuable opportunity... _if I didn't ask the company to send me those emails._
"How to Do Nothing," kids activities, back in print!
Wizards first rule: People are stupid.
What? I don't get it.
Its really quite nice here.
"Do your part! Screw with a scammer."
But, wouldn't that breed more scammers?
Maybe we should castrate scammers, instead?
Three words too long.
Media that can be recorded and distributed can be recorded and distributed.
-kfg
... got a case of the muundays.
A new feature in IE 7 will be a thingy that flags possible phishing sites, so that if a user is using IE, and clicks on a link that looks like a bank site, but isn't, IE 7 should be able to help out with that. I haven't seen it myself... just read the reviews.
Instead of bunghole or other obscenities, try a username of "kill george bush" and a password of "allah akbar". That may generate some unwanted attention.
/. is monitored already, if for no other reason than amusement.
And, no, I'm not worried about using those words here and now. I assume that
'You know how dumb the average person is? Half of 'em are dumber than that.' Remember, just using computers does not mean someone's got a brain. You only have to work in tech support or read some of the many internet message boards to realize that.
I recently received a third-party customer-satisfaction survey from somename@somecompanyididbusinesswith.somesurveyoutfit.com. The survey appeared legit, it had info that matched a recent purchase. If I recall, I gave the company permission to send emails of this nature.
What's the problem?
I had no way to authenticate it. If the mail had as much as a link to the original company's web site with a one-time identifier I could copy-and-paste in to verify the email's legitimacy, the problem would be solved.
The more of these types of email the General Public gets, the harder it is to train people to only do business with your company's web site not through email.
BTW, it's important that customer-satisfaction surveys be done by third parties and that they not use the original company's web site, email domain, or other equipment. Doing so gives the appearance that the survey results are subject to insider manipulation.
Sorry but the idea that phishing got big in the last two years put a smile on my face. What you probably mean is that You started noticing it in the last two years...
Every one of those emails would be spam if they arrived in my mailbox, since I don't know any of those people and have no contact with those companies.
Yes, I know web- and IMAP-based servers and local-to-the-end-user mail-servers have filters that do this, and POP3 servers use this in their toss-it-in-/dev/null decision-making, but this isn't quite what I had in mind for POP3 users.
....
/dev/null likely porn or mail that lies in the headers.
POP3 users (i.e. most Outlook Express users) should get all of their mail meta-tagged with flags like:
X-SPAM-RATING: IP-spam-factor=Yellow; content-spam-factor=RED; content-adult-factor=RED;
The end user's email client should take this information, along with its own logic, to do things like sort mail into "inbox/possible spam/likely spam" or
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
For example, I tried taking the test, and the first email seemed to be encrypted in something like ROT13, but I tried rotating it and it didn't work. Was there another way to decode it to reveal the true and maybe genuine message? I don't know; the reason for that is that I'm not the person it was destined for, therefore I'm not supposed to know, as if I were, I would know what it's about or not; in this case I would consider it spam or so.
That's how people took an email showing a financial discussion between two people for spam: it's because they weren't part of the discussion, it's like getting someone else's mail.
Instead of claiming that people suck at spotting phishing/spam, it would be more accurate to say they suck at sorting out other people's mail.
You just got troll'd!
Some of us get plenty of unsolicited phone calls and there is very little you can do to stop that. Normally, unless you are using your cell phone or similar system that displays the name of the caller, you have two alternatives: answer the call or not. You don't get any indication who's calling and why (s)he needs to talk to you, and you can't put people on your "junk phone call" list. Wouldn't it be a neat feature if you could block phone spammers too? It's perhaps not possible now, with our antiquated phone systems, but it will be with the advent of IP telephony.
Beauty is in the beholder of the eye.
What don't people understand about not following the links in the emauls? It is a basic rule and will safeguard you from any type of email phishing scam (please provide other examples). No receipts, nothing of that nature is needed. Any respectable financial institution will not ask for your secure information by means of an open emaul message. Any type of information update is done once the user is in the secure environment or by the phone (another issue).
I think we need to concentrate on educating users who may not possess good experience with internet use (my 'rents). I am more worried about fat-fingering the URL than receiving a spam/phish message - block it with a filter or hit the delete button repeatedly.
There was another suggestion on this thread to try using the phish link and flood phish servers with bogus information. Personally, I think the "delete the emaul" approach will be more effective.
I find new services that banks provide for their customers very convenient, but let's face it, no system can be perfect. If it was built by humans it can certainly be compromised by them too.
... I'm not saying there should be a capital punishment for stupidity, but why don't we just take the safety labels off of everything and let the problem solve itself?
I still can't believe it's not butter.
I think the reason that phishing attacks work so well is because we are taught from kindergarten to obey authority figures and jump through any bureaucratic hoops they present.
In the real world, there are effects of authority that act as a sign of validity -- the expensive building that the bank is housed in, the clothing of the person who is asking you to fill out a form.
In the online world, it is inexpensive to replicate any sign of authority, such as logo images, official colors, names, etc. It's all electronic so it's practically cost-free to duplicate, which isn't the same in the case of a branch office.
What we need is secure authentication and verification technology, like wide-spread PGP keys, and most importantly user education on how to use it.
Computers are useless. They can only give you answers.
-- Pablo Picasso
Oh oh oh - also, set up 2 emaul addresses, one for personal use, this address you can use for filling out kiddie porn site forms, dodgy loan applications and Best Buy rewards programs. Second address for your more important ventures. But I am sure many of us already do it.
Get the picture? Jack of all trades, master of none. Or so goes the old saying. Most of us are good at something. Some could even be called brilliant. I've even met a few people who are very good at most things. I've not yet met one who is good at everything. Not one. I've heard what some of them call some very smart IT people behind their back as well. They call some of *us* idiots because of how well we understand *their* fields.
Seems to me the ones who make it biggest in the IT sector will be the ones who understand this and can help the people who don't understand computers the best. But then again, those are usually the ones who understand what ROI is and how it affects their jobs, and can actually tell the boss/client why the proposed project should *not* be done. The ones who understand that the person who fell victim to phishing speaks a whole new language that most computer geeks don't understand, just like we speak one they don't.
I expect that this is not a recent phenomenon, nor is it going away anytime soon. Con artists have been around for a very long time. I make the humble suggestion that you vent in here, but for your own sake, please please please don't take it into the work place. It's extremely dangerous to yourself. When perceived as having a negative attitude, most people don't make it far.
funarcadeonline.com
When in doubt, look at the headers. The spam relays are obvious. If the provider allows one of its genuine servers to get corrupted, then they should bear the phishing losses.
Those three letters contain the solution to all phishing scams. If Thunderbird doesn't say "Valid Signature", I automatically assume an email is a scam.
Too complex for normal people? Fine, then normal people can get scammed. We, as a society, need to stop designing security systems to the lowest common denominator.
Don't thank God, thank a doctor!
What's not taken into consideration is that the majority of people using the internet do not know much about computers. More so, I think it's funny that people can't spot phishing based on the URL that is displayed in the status bar before clicking. It doesn't take much common sense to know that a URL from www.blah.com/html is not the same as the bank they visit on a daily basis at www.mybank.com.
[%] Cingular Ringtones
My parents recently received an email to fill out a survey. This email, not listing anything like the name of the receiver nor having the receiver's name in its To field, asked to click a link and fill in a survey. The link was an IP address followed by a large amount of digits. The message had no information on why the email was sent or what it was about; it was signed with a person's name and a company name I didn't recognise.
While I directly marked the email as spam before my parents saw this, my mother asked later if she received an email for a survey she agreed to take. This survey asked a very large amount of questions, going as far as asking what kind of salary you earn, how you live, etc. etc.
Some companies are just asking to get their email deleted.
My freeware games
Some folks just shouldn't have a computer and others shouldn't be allowed to operate it without supervision by someone with a clue. I've been an advocate for computer licensing since Workgroups 3.11/IIc. Meaning, you can't operate a computer without passing a test and getting a license to do so. Yes, I know I live in a dream world, but think of what the computer/online world would be like if AOL didn't exist and everyone online was a power user. Man, we'd be having some fun (yes, I know we already are) instead of constantly worrying about the latest and greatest virus/scam/phish. When's the last time anyone reading these pages got burned by a script kiddie/Nigerian Dr.? I'd almost bet never. Almost. Yes, I'm a computer elitist who can't program. Go ahead and sue me.
Terrible karma and aiming lower, which in this environment of one-sided reason, is higher.
I have found a couple of things helpful in filtering these:
Look at the headers. Without knowing the people involved you can tell a lot by whether the headers are legitimate or not. As an example, if you have a message between 2 Enron employees with no false headers you can probably safely say it's ham. It may be unwanted but it's not something I would typically filter.
All of these e-mails seem to come from the Enron e-mail exposed by the court case which sometimes gives context clues to what would be normal.
If Thunderbird doesn't say "Valid Signature", I automatically assume an email is a scam.
Which web-based e-mail service do you recommend for sending e-mail messages with OpenPGP format signatures?
You do 100+ if you see fit - I'll consider 10/10 enough, myself.
After all - this isn't a rigorously-applied, double-blind t-tailed test.
I got a phishing email, and was surprised how good it was, and made a comment about it to my wife. She didn't believe it was a fake email.
So I proceeded to show her. I clicked the link that the email provided, opened a second browser and clicked on the real site. There were several differences, but mostly cosmetic. Things the average user would not notice. The most obvious of which was the copyright date. They had obviously scraped it the year before. She was not convinced.
Clicking on the tool bar links, like Customer Support, and Help took the user to the real web site. This didn't help to convince her.
So, the best way to convince her was to click on the login link. First on the correct web site, then on the phishing site. They looked similar again. I generated a fake name and email address to login with. On the correct site, the login failed. On the phishing site it allowed me in. She was starting to believe it now.
When the phishing site started asking for credit card numbers, pin numbers, passwords, driver license numbers, addresses and phone numbers she was then convinced. Entry of fake data in all of the areas, and the phishing site took you back to the real site, trying to log you in with the fake name and password. Which failed.
People like to believe the world is good.
You can lose something that is loose, so tighten the loose item so you don't lose it.
If there's anything attached to a molecule besides 2 atoms of hydrogen and one atom of oxygen, it's not a water molecule.
The water molecule is polar. Salts will dissolve and attach themselves to the + or - side of a water molecule, forming an ion complex.
OK, new question with what I assume is the original intent: I have 10 glasses of either safe water or polluted water. All contents are colorless to the naked eye. How do you tell which ones contain safe water and which contain polluted water?
Some suggestions to make spotting phishing e-mail easier:
1) When an e-mail includes a web link, the e-mail software should display the actual link address in the e-mail (as part of the display).
For instance, I got a fake Royal Bank e-mail that displayed visually the text: "https://www1.royalbank.com/english/netaction/sgne.html"
But when you view the message source, you see the link is actually: "http://www.mppagog-barlin.de/updating/w/https/www1.royalbank.com/cgi-bin/rbaccess/rbannxcgi"
One look at the link, and I knew it was bogus!
I'm amazed that e-mail software doesn't do such an obvious step. You could go further and display a warning when the anchor text is a web address, but doesn't match the actual link address.
2) Keep a list of common businesses that are likely to be spoofed (i.e. financial organizations), and whenever the e-mail mentions one, add to the message at top a warning banner like: "financial organizations never ask for personal info by e-mail. If this message does, it is likely fake. Contact your organization by phone to check." etc.
Ryan
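Both suggestions above can be implemented with a small HTML link checker. The following is an added example, not code from the original thread or from any mail client: it shows the real destination beside every link, flags anchors whose visible text is itself a URL pointing at a different host, and prepends the proposed banner when a commonly spoofed organisation is named. The brand list and the sample message (modelled on the Royal Bank e-mail described above) are constructed for this example.

```python
"""Added example: check HTML e-mail links as the comment above proposes.
Displays the actual href next to each link, flags text/href host
mismatches, and adds a banner when a spoof-prone organisation is mentioned."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed list of commonly spoofed names (hypothetical; maintain your own).
SPOOFED_ORGS = ("royal bank", "paypal", "ebay", "bank of america", "citibank")

BANNER = ("WARNING: financial organizations never ask for personal info by "
          "e-mail. If this message does, it is likely fake. Contact your "
          "organization by phone to check.")

URL_LIKE = re.compile(r"^\s*(https?://|www\.)", re.IGNORECASE)


def host_of(text: str) -> str:
    """Return the lowercased host of a URL or URL-like string ('' if none)."""
    text = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", text, re.IGNORECASE):
        text = "http://" + text  # bare 'www.example.com/...' form
    return (urlparse(text).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []   # list of (anchor text, href)
        self.text = []    # all visible text, used for the brand check
        self._href = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._buf = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._buf).strip(), self._href))
            self._href = None


def analyze(html: str) -> dict:
    """Apply both suggestions; returns banner, annotated links and mismatches."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    annotated, mismatches = [], []
    for text, href in p.links:
        # Suggestion 1: always show the real destination beside the link text.
        annotated.append(f"{text} [actual link: {href}]")
        # Extra warning: visible text is a URL whose host differs from the href host.
        if URL_LIKE.match(text) and host_of(text) != host_of(href):
            mismatches.append((host_of(text), host_of(href)))
    # Suggestion 2: banner whenever a spoof-prone organisation is mentioned.
    body = " ".join(p.text).lower()
    banner = BANNER if any(org in body for org in SPOOFED_ORGS) else ""
    return {"banner": banner, "links": annotated, "mismatches": mismatches}


# Constructed sample modelled on the Royal Bank message described above.
SAMPLE = """<html><body>
<p>Dear Royal Bank client, please confirm your details at
<a href="http://www.mppagog-barlin.de/updating/w/https/www1.royalbank.com/cgi-bin/rbaccess/rbannxcgi">
https://www1.royalbank.com/english/netaction/sgne.html</a></p>
<p>Questions? See our <a href="https://www1.royalbank.com/help">help page</a>.</p>
</body></html>"""

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(result["banner"])
    for line in result["links"]:
        print(line)
    for shown, real in result["mismatches"]:
        print(f"MISMATCH: text says {shown} but link goes to {real}")
```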
The problem is that while con men target idiots directly like snipers, phishers and spammers pull out a machine gun and mow down everyone on the street.
You might be smart enough not to lose your shirt to a con artist, but if a new one knocks on your door every five minutes, you're going to be pretty damn annoyed.
If I'm in the grocery business, all those alternators are fakes!
If you're in the grocery business, you get undersold by Wal-Mart, which sells both groceries and auto parts.
I've almost been fooled a couple of times by phishing scams. Why? Multitasking and not fully paying attention. You see, getting my email is a little like checking my mailbox or getting messages off my answering machine: it's a bit of a mindless chore. And with children vying for my attention and music in the background (or in my ear), I've been close to clicking the 'submit' button on that bogus PayPal form in the email a couple of times (it's when it asks for my ATM # do I wake up and look at the url).
It definitely can happen. I'd even bet it happens to savvy users as much or more than neophytes because of the very reason I described.
As for the nun joke? I guess you gotta be an aficionado of wine...
SEO Copywriter. Just Say ON
I've never been scammed once. Why is that? 'cause I've never clicked a phishing link. That's the key.
"eBay" sends me a message telling me my account's been cut off? I go to ebay.com. Manually. In a new window. Same thing for Paypal.
You can kill just about any phishing email in its tracks with this method. =3
Consider this site: Thank You Network
Citibank's been pushing it heavily. They ask me to sign up for it, put in my account information, and give them information about any and all citibank-related stuff I have which might allow me to earn ThankYou Points.
Is it a citibank thing, or a third party? It seems to be just citibank. However, the site isn't anywhere in "citi.com".
When some phisher comes along and registers "gratefulrewards.com" and tells people to please "reenter your data from ThankYou Network on our new site", it'll be citi's fault that people fall for it. Citi's phone staff can't tell you what is or isn't a legitimate citibank site. I've heard people reporting advice like "Make sure it has a citibank logo on it" or "just click on the site that's in the email".
Phishing works because vendors are aggressively dumb about preventing it. They are trying so hard to train users to fall for phishes...
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
If email encryption and certificates were a *STANDARD* feature by the major email clients (desktop and web based), then institutions could set a blanket policy that any email communication from them to their clients/customers must be encrypted and/or contain a digital certificate. Even better, these certificates could contain usage policies so that email clients could automatically filter/delete messages w/o the proper certificate or that don't follow stated policies.
The trick is that the user needs to be abstracted away from the encryption/signing process so that they understand the basics of what encryption/certificates are but can use them with just a click or two.
A good example of taking security technologies and providing them to the user in a well abstracted form is TLS under HTTPS. IMHO, phishing would be drastically reduced if email encryption/certificates, along with usage policies, were as common and supported as TLS under HTTPS is today.
[Pre-rebuttal]I am not saying that this will solve ALL phishing scams. I'm just saying that there are technologies out there that, if commonly supported and integrated into email clients/services, would greatly increase the difficulty of pulling off a phishing scam.[/Pre-rebuttal]
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
I just don't eat no Ham nor Spam - all commercial looking mails go down the drain, or in the bitbucket if you like. Call me a cybervegetarian. :)
No, the phish ends when they empty your bank account. If it doesn't look like the real account site or redirect to the real account, that tips off the user that there's fraud going on. Then you're likely to login to the real site and change your passwords. The better (worse?) phishing scams will redirect you so as not to arouse your suspicion.
The other day I got an email purportedly from Bank of America (and I am a customer), that had a "click here to login" link on it. Reading it in HTML, the link looked legit. I couldn't see how it may have been obfuscated to a clone site. On the other hand, I consider any email that contains a "click here to login" to be either a phish or created by complete morons, and in this case either possibility seems about equally likely. Either the phishers are getting smarter or the banks are getting dumber, but the net result is about the same.
But B of A have instituted a new means of protection at login, which may have given them the bravado to try this kind of email-- they have a picture and a keyword that they use in addition to the password and ID-- you enter your ID and if you don't get the picture you expect or the keyword you expect you shouldn't use your password to login. It's some attempt to protect against phishing, but it's not at all clear to me that the technique is foolproof. Perhaps B of A thinks it is so there's no risk at using a 'click here' but I ain't clickin' on it nohow...
When are people going to wake up and learn to always manually type in a website rather than click links? The idiots who fall for this stuff are owed our gratitude. They're the magnets for these scams. Of course, it would help tremendously if banks and such stopped pushing third-party sites. https://www.thankyounetwork.com/ is a legit site (just ran it through my company's software), but plenty just like this aren't. If people know this one is legit, what is there to make them wary of the fakes?
It's a girl!
I tried doing my part on the site, went through a dozen emails or so...but they were all from 2001/2002. I dunno about the spam filters everyone else has, but the sort of spam I used to get back then wouldn't stand a chance of showing up in my inbox today. Spammers are always trying to innovate and find loopholes around the latest and greatest filter technology, so I don't see how my analyzing 4 year old email from Enron is going to help improve filters for the future....
I notice every image on spamorham and the guy's blog says "TRIAL COPY" on it. Why?
I take exception with one of your comments. If I run a mailing list and you ask to receive said mailing list it is not spam regardless of content. The exception I will make for this is if the signup is misleading. But if you know that you are signing up for X merchant's mailing list (Travelocity is a good example) then you want to receive that advertising. That's not spam.
One final complaint, and that's about outlook/exchange: why the hell doesn't it treat "internally" sourced messages differently than "external"?
If you are talking about this specific example, it is because of the way this was acquired. The e-mail appears to be the messages taken when Enron went to court, so this is not exactly as it would appear on the server. This is great since one of the huge problems with creating a corpus of ham and spam is getting good ham, since it is inherently private e-mail. Since this was already in the public domain, why not use it. The other method for distributable corpuses that I am aware of is to use mailing list traffic, but that has an obvious skew.
Most spam filtering software that I have seen does treat internal mail differently than external e-mail.
Just because something comes in with a From of an internal address does not automatically make it spam. A number of web sites have options of sending a message to a friend. While I admit this is a horrible idea, it does create some e-mail coming in with a From address that is local to the receiving server. This is one of those numerous examples of why spam filtering with low false positives is difficult. It's hard to know all of the possible legitimate actions that can look suspicious.
Don't believe it? Take our sample test.
View THIS IMAGE. Is it your mother?
Amazingly 99.9999995% of the population don't identify the above image as Mom. Therefore people suck at identifying their mom.
***Claimer: No I did NOT throw in the goatse guy. It's safe.
Oh, I know it doesn't. For example, I know our Exchange server doesn't put any headers on my email differentiating mail originating on an inside SMTP port vs what comes from the outside (unless you look closely at the Received chain.) It's just that in "most" cases, it really is spam.
John
I don't care if I BEGGED them to send me an advertisement. After the first email, every subsequent email is spam.
I personally consider ANY email trying to get me to BUY SHIT that I wasn't specifically seeking out to be spam.
In my past life as a full-time eBayer, I got used to the phishing attempts.
I got on with my life in a new business. One day I was in the Philippines, as I had been for a month, when my PayPal card got gobbled up at the local ATM. When I got home, there was an email in my inbox, asking me to please verify my PayPal account because of possible fraudulent activity.
It made total sense to me, Paypal thought my card was stolen and was being used in the Philippines.
Well, long story short, because of random circumstances, some guy in Romania is $5000 richer. I verified my first born and more.
Apparently, they made an ATM card and withdrew all my funds at an atm in Romania.
Boy did I feel stupid. Live and Learn.
Learn About Outsourcing. http://www.pioutsource.com
Recent phishing sites are hard to spot; besides, it would be impossible to tell once the DNS server you use is under someone else's control than the operator that's supposed to maintain it. Also, no one will remember every secure site's obscure domain name that they visit, making it hard to tell. My bank's internet domain is www.mufj.jp... I'm supposed to differentiate that from www.mufj.co.jp (co.jp usually comes for a business company's domain) if there's such a thing on a phisher's mail that comes in to me, or hell, I won't realize if I'm on www.mfuj.jp, if there's such a thing.
It's amazing how people take this problem and turn it into this major scientific discussion on what OS to use, what HTML tags to trust, blah blah... it is just common sense that needs to be used here, nothing else. Oh wait, was that not a nerdy enough comment for the moderators?
The US Airways message COULD well be spam, if you didn't specifically authorize or request US Airways to send you email.
Also, unless you work in the Internet/email field, are intensely aware of phishes and get six dozen of them a day, you CANNOT determine if a message is a phish or real just by looking at its rendered appearance in a typical end-user email program.
If the message is advertising something, you didn't specifically authorize or request the sender to send it to you, and you didn't want it, then it is spam.
Anyway, here are some simple rules for the average consumer regarding phishes. Please feel free to copy/print/reproduce as desired.
If you get a message requesting any personal info that you were not specifically expecting to receive, it is MOST likely fraudulent. Do NOT reply to or fill out any forms, click on any links, or call any phone numbers contained in any unsolicited message claiming to be from your bank, credit card company, the government, or any other business that is at all related to your financial matters, credit, identity, or other information you want to keep private and secure.
If you get an email claiming to be from a bank/business/other entity which you DO have an account with, and it suggests that there is any problem with your account(s), *CALL* them (using the number on your paper statement or that you previously obtained directly from them - NOT any number in the email), describe the email, be clear that you suspect it may be fraudulent, and ask for help. If you deal exclusively with them via a website, then go to that website in the manner that you have always normally done so (by hand-entering their direct address in your browser) and log in and check your account(s) there, and if anything suggests any problem communicate with them in whatever manner you usually would to request help - if nothing suggests a problem, then the email was probably fraudulent)
If you get an email claiming to be from a bank/business which you do NOT have an account with, absolutely ignore it, or if you feel compelled, report it to some appropriate authority.
PayPal and eBay are popular fraud targets.
IGNORE any email that claims to be from either of these that does not address you by your full name. Real emails from them will ALWAYS include your full name.
It IS ok to follow the instructions in an email if you were specifically expecting to receive that email message from that entity at that email address (for instance the account signup procedure for both of them utilizes an email confirmation process)
If you do get an email that you do think might be real but that you were NOT expecting, do NOT follow its instructions - instead log in to your PayPal/eBay account in the normal way (by directly hand-entering their address into your browser.) If the email is legitimate then the same information should be presented to you from within their website - use the instructions (including any links) contained there, NOT any from the email.
Knucklehead.
But on the other hand, ENRON seems to have run a severely misconfigured e-mail server, which sprinkles tell-tale signs of spam liberally, even into legitimate mails. Around here, we usually bin any mails that have the string SMTPSVC anywhere in their headers (99.99% of these are spam at our place... but apparently not at Enron!).
In addition to that, Enron's users do not seem to be very computer literate (weird quoting, and occasionally, they accidentally fire off entirely empty mails -- with neither text nor attachments!), and not very literate period (some "ham" mails are so full of grammatical errors that it is hard to tell whether they're spammy gobbledygook, or "ham" that is very poorly spelt and formulated.)