Slashdot Mirror


People Suck at Spotting Phishing

JohnGrahamCumming writes "Initial results at SpamOrHam.org show that people don't fare well when trying to spot spams and phishes. This blog entry shows some actual spams and phishes that people fell for, as well as genuine messages that they think are spam." The thing about these s[cp]ams is that they must work sometimes. When I see the messages, I can't fathom 'how'.

9 of 317 comments

  1. if it's done well, and some are by yagu · · Score: 5, Insightful

    I've seen more sophisticated phishing examples by far, and some are indistinguishable from what might be the real thing. The distinguishing factor from a genuine missive is the best phishes have links to bogus addresses (sometimes denoted with only an IP address), and the destination site asks for information companies won't ask for from an e-mail.

    One of the best phishes I've seen was sent to me -- it was ostensibly from my phone company, and it described a problem with my on-line bill pay (I don't). The letter was nicely formatted with the colors and icons of my phone company. The link was a giveaway, when I rolled over it, I could see the IP address, not a phone company web-site.

    I researched this a bit more, went to my phone company's web site, and downloaded their graphics. A bit-for-bit comparison of their icons, etc., and the phishers' showed them to be identical. (Interestingly, this puts phishers also in the position of being guilty of more crime: copyright violations.)

    Had my suspicions not been raised by the fact I wasn't participating in on-line bill pay and the phish indicated that problem, and had I not seen the IP address by rolling over the link (which I only did because of above suspicion), I easily could have been convinced I was dealing with a real e-mail (NOTE: this was two years ago, before phishing had become real big, and it was my first incident.)

    I can easily believe many, if not most could fall for well crafted phishing expeditions. I would agree with the cited article, those are weak examples unlikely to catch savvy users (though they still could catch the naive, of which there are millions!). (And, I would claim some of the examples really are nothing more than SPAM.)

    1. Re:if it's done well, and some are by Asphalt · · Score: 5, Insightful
      I can easily believe many, if not most could fall for well crafted phishing expeditions. I would agree with the cited article, those are weak examples unlikely to catch savvy users (though they still could catch the naive, of which there are millions!). (And, I would claim some of the examples really are nothing more than SPAM.)

      I agree with you. Some are sophisticated, but the link is ALWAYS a giveaway. It is either some kind of redirect, an IP address, or a bogus URL altogether.

      Then again, how many people that use AOL know what an IP address is? 10 ... 20%?

      Fine, they obviously do work.

      But, this is what I don't understand ...

      How do these people avoid getting busted? They have IP addresses that point directly to the fake server. Finding out who owns the servers and where it is should be fairly elementary.

      I mean, Sony/BMG can track down the exact studio apartment in Chicago of someone who downloaded "Oops, I Did It Again", but we have people conducting massive financial and wire fraud with blatantly displayed IP addresses, and we can't just go and snatch them by the head and give them a solid flogging?

      Okay, so many are in other countries. But how many countries DON'T have laws against this?

      Post a threat against the President, and the Secret Service would be at your door with K-Y and rubber gloves in 3 minutes and 21 seconds. Attempt global financial fraud, broadcast your IP, and everything is cool?

      How do these people NOT get busted, and busted hard?

      I don't get it.
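      The two link tells the commenters above describe (a target that is a bare IP address, and visible link text naming one site while the href points at another) can be checked mechanically on the defending side. The script below is an added illustration for this thread, not code from Slashdot or from SpamOrHam; it also goes one step further than the comments and reports any link that leaves the domain the message claims to come from. The sample message, the example-phone.com domain and the 203.0.113.7 address are constructed for the example.

```python
"""Flag phishing-style links in an HTML e-mail body (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL (lower-cased), or None if it has no network location."""
    return (urlparse(url).hostname or "").lower() or None


def _host_from_text(text):
    """Hostname implied by anchor text such as 'https://a.b/x' or 'www.a.b/x'."""
    candidate = text.strip()
    if "://" in candidate:
        return _host(candidate)
    candidate = candidate.split("/")[0].lower()
    if "." in candidate and " " not in candidate and not candidate.startswith("."):
        return candidate
    return None


def _is_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registered_domain(host):
    """Crude eTLD+1: the last two labels. Fine for example.com-style hosts."""
    return ".".join(host.split(".")[-2:])


def flag_links(html_body, sender_domain):
    """Return (href, reason) for every link that shows a phishing tell.

    sender_domain is the domain the mail claims to come from. This is a
    heuristic triage aid, not a verdict: a clean result does not prove ham.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if host is None:
            continue
        if _is_ip(host):
            findings.append((href, "target is a bare IP address"))
            continue
        text_host = _host_from_text(text)
        if text_host and _registered_domain(text_host) != _registered_domain(host):
            findings.append((href, f"visible text names {text_host} but target is {host}"))
            continue
        if _registered_domain(host) != sender_domain.lower():
            findings.append((href, f"target {host} is outside {sender_domain}"))
    return findings


# Constructed sample in the style of the "phone company" phish described above.
SAMPLE_PHISH = """
<html><body>
<p>Dear customer, there is a problem with your online bill pay.</p>
<p><a href="http://203.0.113.7/login">Sign in to example-phone.com</a></p>
<p><a href="http://example-phone.com.evil-host.test/verify">https://www.example-phone.com/verify</a></p>
<p><a href="https://www.example-phone.com/help">Help center</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in flag_links(SAMPLE_PHISH, "example-phone.com"):
        print(f"SUSPECT {href}: {reason}")
```

      Run against the constructed sample, the first two links are reported (bare IP target, and text naming example-phone.com while the href lands on evil-host.test) and the genuine help link passes. The registered-domain check is deliberately crude; a real deployment would use a public-suffix list so that hosts under country-code second-level domains are split correctly.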

    2. Re:if it's done well, and some are by FireFury03 · · Score: 5, Informative

      How do these people avoid getting busted? They have IP addresses that point directly to the fake server. Finding out who owns the servers and where it is should be fairly elementary.

      Because the person who owns the server is almost always some home user who plugged their Windows box directly into the internet. In the same way as compromised boxes are used to send spam, perform DDoS attacks, etc., they are also used to run web servers for phishers.

      How do these people NOT get busted, and busted hard?

      As much as I like the idea of throwing people in jail who have too little clue to secure their machines, I'm afraid I don't think it'll do a lot to stop the phishers.

    3. Re:if it's done well, and some are by HunterZ · · Score: 5, Funny

      [i]Windoz lusers most likely, that sh*t just promotes stupidity.

      *BSD 4 lyfe![/i]

      Sounds like BSD doesn't help much in that department either.

      --
      Arguing about vi versus Emacs is like arguing whether it's better to make fire by rubbing sticks or banging rocks.
  2. A little off by Golias · · Score: 5, Insightful

    He finds it strange that people called that message from "Keith" spam... but the thing is, if you have no idea who "Keith" is, it probably IS spam... and if you do know him, you probably would not mark it as such.

    The same goes for the US Airways thing. Yeah, it's an example of "not spam", but if you haven't recently bought a US Airways ticket, then the safe bet would be that it is.

    Oh... and the nun joke is fucking hilarious. That alone made TFA worth reading.

    --

    Information wants to be anthropomorphized.

  3. The Power Of Attrition by American+AC+in+Paris · · Score: 5, Insightful
    Let's say I handed you an alternator. Could you tell me whether or not it was a genuine, durable, manufacturer-approved alternator or a cheap, flimsy, fly-by-night knock-off? To be fair, I'll give you a sheet of paper with some advice on how to differentiate between genuine and knockoff alternators.

    Let's say I handed you an entire crate of auto parts, and told you that some of them may be genuine parts, while others might be knockoffs. I give you a whole binder, filled with instructions on how to differentiate between all the different "good" and "bad" parts. Some of these knockoffs are obvious fakes; others are quite cleverly done, requiring you to check for minute details such as whether or not inner surfaces are well-polished, or subtle discrepancies in serial number schemes and product logos.

    At what point do you just start winging it? After one day of studious sifting? After a week? A month? When you see a part that you're pretty sure is genuine, but would need to haul out the manual for ten minutes' worth of cross-checking part and serial number ranges to confirm this--at what point do you simply go with your gut?

    When somebody who knows what they're doing goes about trying to hoodwink your typical individual, it can be very hard for the individual to know when they're being hoodwinked, even if they know they might be being hoodwinked. It's part of human nature--there's a point at which you just throw your hands in the air and grant your trust to an unknown entity, because it's too tedious or time-consuming to check everything out. Given the average person--heck, even a person who knows a fair amount about the subject--there'll be a point where they just take the damn part and have it installed in their car, because they just want to be done with it and get on with their life. It's the same thing with phishing--unless you're one of those few individuals who has fairly advanced knowledge on the subject, you're eventually going to give up and make a gut-reaction decision to whether or not you "trust" the email you just got, simply because it's more trouble than it's worth to actually dig through it.

    --

    Obliteracy: Words with explosions

  4. It's quite simple... by brouski · · Score: 5, Funny

    Evil will always triumph, because good is dumb.

    --
    Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
  5. Re:So... idiots get taken for their money? by SupremeTaco · · Score: 5, Insightful

    Problem is, people often mistake unwanted email for unsolicited email. I don't want to hear from Travelocity every week, with their weekly specials. It's unwanted, but I can cancel their letter if it gets irritating enough. The V14Gr4 ads are not easily (or at all) cancellable. When you blend the two types of emails, people do tend to misclassify them.

    --
    You have a constitutionally protected right to be wrong, and I the right to ignore you.
  6. Re:This really shouldn't be a surprise by NoTheory · · Score: 5, Insightful
    I think a lot of people are being unfair. With instructions like this on SpamOrHam:
    Please read the message below, enter the verification code in the box (if asked) and then click one of the three buttons. If you think the message is a spam click This is Spam, if you think it's a genuine message click This is Ham, and if you are not sure click I'm not sure. You are seeing the message as displayed in Microsoft Outlook and the raw message as it is seen by your email program. In the raw message, first the headers are shown (with From, To and Subject highlighted in bold) and then the body of the message follows colored blue.
    I don't see how you could possibly think that the results of such a website could be meaningful. Spam filtering is a contextual process. This site cripples the critical component that allows humans to behave differently from naive filters, i.e. judgement based on memory. The claim being made here is that humans can't identify other people's spam (and this makes sense, how can you tell if you're shown a random email whether it's unsolicited or not? the only way you can is by knowing whether the recipient had been signed up for a mailing list or not!). You should NOT conclude, based on that fact, that humans are bad at identifying their own spam.
    --
    There are lives at stake here!