People Suck at Spotting Phishing

JohnGrahamCumming writes "Initial results at SpamOrHam.org show that people don't fare well when trying to spot spams and phishes. This blog entry shows some actual spams and phishes that people fell for, as well as genuine messages that they think are spam." The thing about these s[cp]ams is that they must work sometimes. When I see the messages, I can't fathom 'how'.

Re:if it's done well, and some are

[FireFury03]

How do these people avoid getting busted? They have IP addresses that point directly to the fake server. Finding out who owns the servers and where it is should be fairly elementary.

Because the person who owns the server is almost always some home user who plugged their Windows box directly into the internet. In the same way as compromised boxes are used to send spam, perform DDoS attacks, etc they are also used to run web servers for phishers.

How do these people NOT get busted, and busted hard?

As much as I like the idea of throwing people in jail who have too little clue to secure their machines, I'm afraid I don't think it'll do a lot to stop the phishers.