People Suck at Spotting Phishing

JohnGrahamCumming writes "Initial results at SpamOrHam.org show that people don't fare well when trying to spot spams and phishes. This blog entry shows some actual spams and phishes that people fell for, as well as genuine messages that they think are spam." The thing about these s[cp]ams is that they must work sometimes. When I see the messages, I can't fathom 'how'.

So... idiots get taken for their money?

[KIFulgore]

At what point in history was this not a problem? Can't say I'm surprised...

Re:So... idiots get taken for their money?

[SupremeTaco]

Problem is, people often mistake unwanted email for unsolicited email. I don't want to hear from Travelocity every week, with their weekly specials. It's unwanted, but I can cancel their letter if it gets irritating enough. The V14Gr4 ads, are not easily (or at all) cancellable. When you blend the two types of emails, people do tend to misclassify them.

This really shouldn't be a surprise

[DaHat]

While it would be nice if there was a test or three that a person was required to take in order to do anything online... the fact that anyone is able to buy a PC and plug it into the internet means that there are a lot of... uninformed people out there.

It's the same group that replies to spam messages asking to be removed, purchase from spammers and leaves their PC's connected 24/7 without spending anytime to patch it.

So long as these people exist, nothing should be a surprise as to the effectiveness of phishing and other such areas.

Re:This really shouldn't be a surprise

[maxwell+demon]

Ah, and by the way, there are many people falling for fraud on the front door. We really shouldn't allow people to open the front door if they have not passed a test or three. The fact that anyone is able to open his front door means that there are a lot of ... uninformed people out there.

Re:This really shouldn't be a surprise

[NoTheory]

I think a lot of people are being unfair. With instructions like this on SpamOrHam:

Please read the message below, enter the verification code in the box (if asked) and then click one of the three buttons. If you think the message is a spam click This is Spam, if you think it's a genuine message click This is Ham, and if you are not sure click I'm not sure. You are seeing the message as displayed in Microsoft Outlook and the raw message as it is seen by your email program. In the raw message, first the headers are shown (with From, To and Subject highlighted in bold) and then the body of the message follows colored blue.

I don't see how you could possibly think that the results of such a website could be meaningful. Spam filtering is a contextual process. This site cripples the critical component that allows humans to behave differently from naive filters, i.e. judgement based on memory. The claim being made here is that humans can't identify other people's spam (and this makes sense, how can you tell if you're shown a random email whether it's unsolicited or not? the only way you can is by knowing whether the recipient had been signed up for a mailing list or not!). You should NOT conclude, based on that fact, that humans are bad at identifying their own spam.

Re:This really shouldn't be a surprise

[StormReaver]

"That might be a little harsh. We're seeing increasingly sophisticated phishing stuff -- right down to building a look-alike site of the bank which they are pretending to be."

There is absolutely nothing sophisticated about phishing. It is rudimentary at best, and 100% avoidable.

1) If you get business-looking email from someone you don't have an existing business relationship with, it's not legitimate.

2) If you get email with a link to a site you have a business relation with, then type in the URL from the paperwork you got when that business relationship originated; or create a bookmark with the URL manually entered, and use that bookmark to go to the site (all bets are off, though, if you're using Microsoft Internet Explorer). This is especially crucial for banking.

3) If in doubt, use the contact information on the original business paperwork to discuss business.

That's it. You are now phishing free. The sharp-eyed among you may have recognized that these steps are no different than those used for postal mail. These types of scams have been in operation since the dawn of commerce. The only thing that has changed is the delivery mechanism.

I am astonished that people abandon their common sense at the modem (this isn't aimed at the poster. It's just a general observation made at a convenient moment).

Re:This really shouldn't be a surprise

[gstoddart]

I am astonished that people abandon their common sense at the modem (this isn't aimed at the poster. It's just a general observation made at a convenient moment).

I don't think its people abandoning their common sense as you say.

I think that if someone forged a letter which appeared to be from the actual bank you deal with, sent it to you in what appears to be their stationary and envelopes, and used a large amount of legitimate information to indicate that a new department needs to contact you and gave you a corresponding 800 number to call --- you could well fall for it. That's not far from the sophistication being shown nowadays by phishers.

Since its not uncommon for a single entity to use a bunch of annoying domains and email addresses (my ISP/cable company has sent me their marketing crap from a completely innumerable number of e-mail addresses and marketing-driven domains), it's completely possible to get swindled by these.

Yes, for the highly paranoid and tech savvy, we're probably pretty unlikely to fall for this. But, in general, I see a lot of evidence that the level of sophistication behind this is growing -- to the point that even those of s who are tech savvy and paranoid might be hard-pressed to be really sure.

In case you haven't noticed, businesses seem to create new domains for promotional purposes/customer contact all of the time. I know because I keep updating the spam filters for the shite my cable company/ISP sends to me that I don't want to see. The e-mail and or domain is always a permutation of the company name and why they're bugging me. But, it's purely the marketing weenies doing this on behalf of legitimate companies that make this more difficult.

I figure if I can't possibly write enough spam filters to always block them out, lots of people might take slight variances in stride -- because companies make these sorts of changes all the bloody time, thereby conditioning users to expect it to happen. Thereby invalidating much of the advice for avoiding phishing.

if it's done well, and some are

[yagu]

I've seen more sophisticated phishing examples by far, and some are indistinguishable from what might be the real thing. The distinguishing factor from a genuine missive is the best phishes have links to bogus addresses (sometimes denoted with only an IP address), and the destination site asks for information company's won't ask for from an e-mail.

One of the best phishes I've seen was sent to me -- it was ostensibly from my phone company, and it described a problem with my on-line bill pay (I don't). The letter was nicely formatted with the colors and icons of my phone company. The link was a giveaway, when I rolled over it, I could see the IP address, not a phone company web-site.

I researched this a bit more, went to my phone company's web site, and downloaded their graphics. A bit-for-bit comparison of their icons, etc., and the phishers showed them to be identical. (Interestingly, this puts phishers also in the position of being guilty of more crime: copyright violations.)

Had my suspicions not been raised by the fact I wasn't participating in on-line bill pay and the phish indicated that problem, and had I not seen the IP address by rolling over the link (which I only did because of above suspicion), I easily could have been convinced I was dealing with a real e-mail (NOTE: this was two years ago, before phishing had become real big, and it was my first incident.)

I can easily believe many, if not most could fall for well crafted phishing expeditions. I would agree with the cited article, those are weak examples unlikely to catch savvy users (though they still could catch the naive, of which there are millions!). (And, I would claim some of the examples really are nothing more than SPAM.)

Re:if it's done well, and some are

[Asphalt]

I can easily believe many, if not most could fall for well crafted phishing expeditions. I would agree with the cited article, those are weak examples unlikely to catch savvy users (though they still could catch the naive, of which there are millions!). (And, I would claim some of the examples really are nothing more than SPAM.)

I agree with you. Some are sophisticated, but the link is ALWAYS a give away. It is either some kind of redirect, an IP address, or a Bogus URL altogether.

Then again, how many people that use AOL know what an IP address is? 10 ... 20%?

Fine, they obviously do work.

But, this is what I don't understand ...

How do these people avoid getting busted? They have IP addresses that point directly to the fake server. Finding out who owns the servers and where it is should be fairly elementary.

I mean, Sony/BMG can track down the exact studio apartment in Chicago of someone who downloaded "Ooops, I Did It Again", but we have people conducting massive financial and wire fraud with blatantly displayed IP addresses, and we can't just go an snatch them by the by the head and give them a solid flogging?

Okay, so many are in another countries. But how many countries DON'T have laws against this?

Post a threat against the President, and the Secret Service would be at your door with K-Y and rubber gloves in 3 minutes and 21 seconds. Attempt global financial fraud, broadcast your IP, and everything is cool?

How do these people NOT get busted, and busted hard?

I don't get it.

Re:if it's done well, and some are

[Asphalt]

Because the person who owns the server is almost always some home user who plugged their Windows box directly into the internet. In the same way as compromised boxes are used to send spam, perform DDoS attacks, etc they are also used to run web servers for phishers.

Agreed. But wouldn't the ISP of the innocent user have some kind of record of where the fraud messages are being sent?

Earthlink (or whatever the ISP was) was able to tell the DC Police the exact locations that Chandra Levy pulled up on Mapquest.

Most likely the home user is plugged into a mainstream ISP ... and almost all do some kind of logging. I have a hard to believe that they couldn't figure it out to some degree. Or maybe the just sends email through 5 chained mixmaster remailers. I don't know.

These phishers have to be pretty darn good to get away without leaving any trace whatsoever.

Given their technical prowess, you'd think they could spell better.

At least 3/4ths of my phishing messages contain blatant typos or grammatical errors.

"Please to update your accont with Citibank". I mean ... come on.

Re:if it's done well, and some are

[FireFury03]

Oh yes, it will. It would make people start securing their machines,

No matter how many people you smack with a clue-by-four there are always more who need smacking. Unless over 99% of people start securing their machines we'll still get phishing - your argument is akin to "if we lock up burglars then noone will get burgled"... read the newspaper to see how well that one worked out. :)

and seizing the machine might actually provide clues to the real phisher.

It seems fairly unlikely - the machine will have been compromised from another cracked machine and all the data being returned to the fraudster are probably being bounced across a load of compromised machines and through public communication channels such as IRC. Many of these machines will be spread across the world. Good luck trying to pick up enough of the compromised boxes and get cooperation from the other jurisdictions to get any useful data.

Re:if it's done well, and some are

[FireFury03]

If someone steals your car and you don't notice and it's used for a bank robbery, guess where the police will turn up?

Yes, they'll turn up, ask some questions and then leave you alone - you're not gonna get thrown in jail, even if you left your car unlocked with the keys in the ignition (although the insurance company ain't gonna pay out).

In the same way if your machine is used for a phishing scam expect to have your account terminated with prejudice, until you prove that you weren't involved.

You clearly haven't tried reporting abuse to many ISPs - most of them couldn't care less about one of their users running a cracked machine.

Because...

[HaloZero]

...there is no patch for human stupidity.

Most users just don't know better, despite best efforts to educate them otherwise, or make the scams obviously fradulent. Ever seen that 'MSN will never ask you for your password!' type banner on things? Know how many people retain it? Very few.

A little off

[Golias]

He finds it strange that people called that message from "Keith" to be spam... but the thing is, if you have no idea who "Keith" is, it probably IS spam... and if you do know him, you probably would not mark it as such.

The same goes for the US Airways thing. Yeah, it's an example of "not spam", but if you haven't recently bought a US Airways ticket, then the save bet would be that it is.

Oh... and the nun joke is fucking hilarious. That alone made TFA worth reading.

Re:A little off

[French+Mailman]

I find it strange that a web site would tell the reader what spam or ham is, based solely on the appearance or the content of the message. As someone said at last year's spam conference, "one man's spam is another man's ham". Each person has a different definition of what spam is, and filters should be able to sort messages based on your criteria. I know that if I receive a message claiming from Travelocity, I will classify it as spam, even if it is a genuine Travelocity message. I have never done business with that company, so any mail that I receive from them would be unsolicited.

On a more technical point of view, however, I agree that there are definitely suspicious signs of an email being spam, or phish. Fake headers, bogus URLs, or any trick described in JGC's Spammer's compendium are definitely signs of spam.

spam is not the same as phishing!

[seanadams.com]

TFA seems to be using a funny definition of spam.

Most would say it's unsolicited commercial junk mail, but he seems to think it means "phony" email. Apparently he doesn't mind receiving weekly airfare specials containing choice bits like "BID FOR TICKETS TO THE BIG GAME IN THE BIG EASY!"

Also re phishing: I'd say paypal is largely at fault for this. They do (did?) send an awful lot of useless mail full of clickable links - they were just begging to get phished because people were so used to receiving authentic but useless clickable mail from them. None of my other banks have done this (although one sends a fair amount of crap not specific to my account - rates and such).

What's wrong with false positives for phishing?

[qwijibo]

So what if someone thinks a legitimate email from a bank is a phishing scam? Banks shouldn't be using email for anything serious because it makes their customers more susceptible to fraud. If people expect to receive legitimate and sensitive communications from their bank via email, it's that much easier to fall for it.

For example, I got one this morning talking about my home loan account with a large bank I don't have an account with. I know it's a phishing scam just from the From and Subject lines. However, if my own bank sent an email talking about my actual mortgage, I'd treat it in exactly the same way. There's no benefit to giving an email the benefit of the doubt. If there is something my bank needs from me, they can send a letter and I'll go to my local branch to take care of it in person.

The Power Of Attrition

[American+AC+in+Paris]

Let's say I handed you an alternator. Could you tell me whether or not it was a genuine, durable, manufacturer-approved alternator or a cheap, flimsy, fly-by-night knock-off? To be fair, I'll give you a sheet of paper with some advice on how to differentiate between genuine and knockoff alternators.

Let's say I handed you an entire crate of auto parts, and told you that some of them may be genuine parts, while others might be knockoffs. I give you a whole binder, filled with instructions on how to differentiate between all the different "good" and "bad" parts. Some of these knockoffs are obvious fakes; others are quite cleverly done, requiring you to check for minute details such as whether or not inner surfaces are well-polished, or subtle discrepancies in serial number schemes and product logos.

At what point do you just start winging it? After one day of studious sifting? After a week? A month? When you see a part that you're pretty sure is genuine, but would need to haul out the manual for ten minutes' worth of cross-checking part and serial number ranges to confirm this--at what point do you simply go with your gut?

When somebody who knows what they're doing goes about trying to hoodwink your typical individual, it can be very hard for the individual to know when they're being hoodwinked, even if they know they might be being hoodwinked. It's part of human nature--there's a point at which you just throw your hands in the air and grant your trust to an unknown entity, because it's too tedious or time-consuming to check everything out. Given the average person--heck, even a person who knows a fair amount about the subject--there'll be a point where they just take the damn part and have it installed in their car, because they just want to be done with it and get on with their life. It's the same thing with phishing--unless you're one of those few individuals who has fairly advanced knowledge on the subject, you're eventually going to give up and make a gut-reaction decision to whether or not you "trust" the email you just got, simply because it's more trouble than it's worth to actually dig through it.

Re:The Power Of Attrition

[XorNand]

That's not an entirely accurate analogy; you're making things more complex than they are. A better one is that you get a few car parts in the mail every week. Included in each package is an admonishment that you need to get it installed, lest your car stops running tomorrow.

Does this sound a bit absurd because car manufacturers don't actually mail parts directly customers during a recall? Agreed. And my bank doesn't email me when there's a problem with my account. "Do not click any links in emails that solicit personal information. Either make a phone call or type in the URL manually." It's that easy. You don't have to sift through a bin of good/part car parts (or emails).

*Groan*

[Noryungi]

For pete's sake people, if you have to show genuine emails, try at leat to sanitize them a little. Some of the 'ham' emails shown still have the full contact information, including the original email address. That's what I call dangerous!

If you don't believe me, go to the web site, and try classifying some emails... You'll see what I mean...

its all a scam

[Geekboy(Wizard)]

I treat all of those emails as a phishing attempt. If I think it has the possibility of being legit, I type in the appropriate web address (no, I don't cut-n-paste, I type in the previous login site), login and verify the contents.

I work in IT security, but...

I still don't understand how someone with a modicum of common sense would EVER reply to an email or populate a Web site with information from someone or an organization they do not know.
If I were the banks, which are the biggest targets for phisphing, I would run commercials duting primetime TV stating that "we never send out emails asking for your personal inforation". While this would not reach everyone, it would be a start. Security, however, is not a money maker, it's an expenditure. Banks will continue to only run commercials extolling their wonderful features.
Ever notice the commercials that sell drugs? What the hell is wrong with American medicine? Ever notice that none of these commercials or medical professionals ever talks about fixing the root cause? They only talk about the symptoms. Security is the same thing. Let's fix the root cause instead of treating the symptoms. Education of the populace would go a long way towards cutting down on phishing.

No HTML mail

[Neil+Watson]

Stop using HTML or convert it plain text and it's hard not to spot a phish.

Re:No HTML mail

[Cracked+Pottery]

Yes, I believe that HTML email is, in fact, a sin. It is stupid to render it, and a breach of etiquette to send it.

Re:There's One rule I always Follow.

[Asphalt]

(a) Avoiding the use of email for business is surrending to the s[pc]ammers.

I conduct almost all of my business online and I don't think this is necessary.

I am never, ever asked for a password or identifying information via email. At least never by the legitimate company.

And I never click a link in an email. If my bank/company wants me to update my information, I type their website URL by hand into Firefox, log into my account section, and do what I need to do.

It basically comes down to this: Don't click links in email.

This one basic rule really does solve 99.999% of all scam problems, while allowing you to conduct business online safely.

In other news -- this is our fault!

[Howzer]

In other news, 50% of people have below-average intelligence.

Jokes about statistics aside, people falling for phishing is our fault. Our fault as in our industry's fault.

We've spent so long training our parents, help-desk clients, and other tech-stupid creatures that the way to respond to mysterious dialog boxes is to "Just click OK!" that at this stage the damage is essentially permanent.

Their natural instinct was to treat computers with suspicion, and we beat it out of them.

Yay for us.

Re:How many times do I have to say it?

[Billosaur]

The weight of getting the word out about these things to the average user is going to need to lay on someone, probably ISPs. It should be one of their responsibilities to attempt to keep their users safe. We can educate people about some of the basics, watching out for links that are just IPs and etc (and thunderbird already has some features regarding this), but some of the higher level checks need to be done automatically by software.

But no matter how sophisticated filtering technology gets, the numer of ways that data can be manipulated and the sheer volume of traffic means that some of these things are going to get through. And while extra IQ points don't automatically confer amazing powers, they might allow people to become more suspicious of something that doesn't "look quite right."

We've been educating people from the mid-60s on that smoking is deleterious to their health. Has smoking ceased? No. In that case, it's the addicition to nicotine and the idea that smoking someone cool (ever kiss a smoker? Yuck!). In the case of email, I'd be willing to bet the vast majority of folks who click on these links in phishing emails are: 1) paranoid types, who have so bought into the identity theft idea they can't stand the thought that someone may be stealing their identity, 2) people who have little sophistication in general and virtually none in the world of PCs and the Internet, 3) greedy people, who thin that they'll just fire off a few hundred dollars of their hard-earned money and some friendly guy in Nigeria will make them rich, or 4) lonely folks who just want to talk to someone or feel a part of something.

Re:Oh okay, I will bite.

[American+AC+in+Paris]

You got a proper alternator and a shoddy one. Right. Okay. How about this test. LOOK AT THE BOX! If one comes with the logo of your car brand and the other comes in a plastic bag with chinese instructions. Easy choice.

...yes, because a skilled counterfeiter wouldn't have the sense to duplicate a manufacturer's packaging, just as a skilled phisher doesn't have the sense to use anything other than "Gimm3 ur info ha ha lollerbate sux0r!" as bait.

EVERY serious site has a disclaimer stating they will NOT ask you for your details by email. EVERY scam involves them sending an email asking for your details.

In the early days, yes. Now, many phishers have wised up. They'll send you a phish that, save for one or two links, looks absolutely legitimate. You click the link, it sends you to a page at ebay.verification-department.com that mimics an actual eBay login page. You'll "log in", then they'll welcome you and very professionally gather your information--all, of course, after you've "logged in" to their system.

You can't cheat a honest man

Oh, you most certainly can. Just 'cause something rolls off the tongue nicely doesn't mean it's true.

and you can't phis a person who thinks.

Again, we're talking about attrition and trust. Unless you have a quite solid understanding of what phishing is, how to identify it, and how to go about avoiding it, you're going to eventually just trust something that looks legitimate enough. It's simply not feasible to expect that every single user of email will have enough technical know-how to identify and avoid getting phished.

You've got telephone slamming, you've got phishing, you've got insurance fraud, you've got pyramid schemes, you've got con artists--if we were all simply smart enough to know a rat when we saw one, none of these would be a problem. The problem is that many, many people have ductile minds and want to trust other people. If you're somebody who is willing to cheat another person out of their money, odds are that you'll eventually nail somebody. It's attrition, plain and simple--eventually, people simply let their guard down, even if only for a moment.

I have a simple ruleset

[jridley]

Rule 1: It's almost certainly not legit, before you even look.
Rule 2: If it seems legit, then go to your browser and manually go to the institution's website and log in normally, do not use hotlinks provided in any email.

My rule 1 used to be just "it's not legit" - none of my financial institutions EVER contacted me via email up until about 6 months ago. Now they do, so I've modified it a bit.

You'd think people would get a BIT of a clue from the fact that, like me, they must be getting very valid-looking emails from places that they don't even have accounts with. You'd think that would tell them something.

Legit sites that don't look it.

[Mr.+Underbridge]

unfortunately, there are problems with that as well - there are some legit sites that will redirect you off of their main domain, sometimes even to an IP address. Insane? Yes. But it happens. So for people who actually DO know what the hell they're doing, the problem isn't phishes that look like real sites, it's real sites that look like phishes.

That Travelocity email... the hell it's "not spam"

[dpbsmith]

John Graham-Cumming says that the Travelocity email at the bottom of the his blog essay "really is a genuine message from Travelocity and not a spam."

I beg to differ. I have no problem believing that it "really is a genuine message from Travelocity."

But spam doesn't mean "phony," it means "unsolicited commercial email." (And in my own opinion that includes "unknowingly 'solicited' commercial email.")

In order for Graham-Cumming or anyone else to say that Travelocity email is not spam, they would need to know whether it was solicited. You can't tell by any examination of the message itself.

If it was actively solicited by someone specifically checking a box requesting to be notified of offers, then, sure, it's not spam. If it was opt-out spam with the opt-out option hidden... or implicit... then it darn well is spam.

Mostly likely this particular email is in a grey area... quite likely an opt-out was plainly visible, but needed to be actively chosen, at some point in the travel booking process where a customers thoughts are likely to be elsewhere (where IS that security code on the back of my credit card?).

But it is absolutely wrong to stay that the Travelocity message is "not spam," just because it is really from Travelocity

Spam is spam, even if it is a genuine email from a reliable company informing me of some truly valuable opportunity... _if I didn't ask the company to send me those emails._

As J.R. 'Bob' Dobbs put it..

[Channard]

'You know how dumb the average person is? Half of 'em are dumber than that.' Remember, just using computers does not mean someone's got a brain. You only have to work in tech support read some of the many internet message boards to realize that.

re

[brendgard]

Well, the accountant who you look down on for falling for a phishing expedition probably cringes at the way you handle bills. The Doctor thinks you're an idiot when it comes to taking care of yourself. The contractor thinks you don't know a hammer from....

Get the picture? Jack of all trade, master of none. Or so goes the old saying. Most of us are good at something. Some could even be called brilliant. I've even met a few people who are very good a most things. I've not yet met one who is good at everything. Not one. I've heard what some of them call some very smart IT people behind their back as well. They call some of *us* idiots because of how well we understand *their* fields.

Seems to me the ones who make it biggest in the IT sector, will be the ones who understand this and can help the people who don't understand computers the best. But then again, those are usually the ones who understand what ROI is and how it affects their jobs, and can actually tell the boss/client why the proposed project should *not* be done. The ones who understand that the person who fell victim to phishing speaks a whole new language that most computer geeks don't understand, just like we speak one they don't.

I expect that this is not a recent phenomenon, nor is it going away anytime soon. Con artists have been around for a very long time. I make the humble sugestion that you vent in here, but for your own sake, please please please don't take it into the work place. It's extremely dangerous to yourself. When perceived as having a negative attitude, most people don't make it far.

And the rest of us get bombarded

[Kelson]

The problem is that while con men target idiots directly like snipers, phishers and spammers pull out a machine gun and mow down everyone on the street.

You might be smart enough not to lose your shirt to a con artist, but if a new one knocks on your door every five minutes, you're going to be pretty damn annoyed.

Re:Most Phishing Is Simple To Stop

[epee1221]

Based on your numbers, that would mean that 95% of the people on the internet should not be on the internet to begin with. There should really be some training required before you can run an internet connection to your computer.
Similarly, nobody should be allowed to drive unless they can name every part of the car and explain what its function is. Then, they shouldn't be allowed to take a car out onto any roads until they've studied civil engineering.
Really, the idea that everyone who uses a service should know what's going on inside the black box is just stupid.