The Psychology of Phishing

← Back to Stories (view on slashdot.org)

Posted by samzenpus on Wednesday July 23, 2014 @04:29PM from the click-and-release dept.

An anonymous reader writes Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today users can tell-apart spam annoyances from useful email, however they still find it difficult identifying phishing emails, particularly when they are tailored to suit each recipient individually. Fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context a legitimate marketing department at a FTSE 100 company typically expects less than a 2% click rate on their advertising campaigns. So, how are the cybercriminals out-marketing the marketing experts?

94 of 128 comments (clear)

Min score:

Reason:

Sort:

well by Osgeld · 2014-07-23 16:32 · Score: 5, Insightful

The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough
1. Re:well by s.petry · 2014-07-23 16:54 · Score: 4, Interesting
  
  Sometimes yes, but not always true. Sure, "Free Porn" will get a whole lot of clicks, especially from uneducated people (who are usually schooled shortly thereafter by the spammer).
  Professional phishing is geared to make it look like something the target company sent out. Working in DOD for about a decade, I saw some exceptional work. They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.
  How are spammers successful so often? Simple, companies don't train people.
  At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated. 3-4 questions were enough to ensure people at least skimmed the content. Before you get anal about productivity, the email was a 2 minute read max, so even if you had to read it twice to answer the few questions it was a whopping 5 minutes out of your Friday.
  We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once, and we had professional campaigns run against us several times a year.
  Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average"). Since their people lack training, it's not uncommon to see 10% success in a phishing campaign. Compounding the problem, people often won't report the breach until it's too late if they report the incident at all (cultural issue with many companies in SV).
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
2. Re:well by dunkindave · 2014-07-23 17:09 · Score: 4, Insightful
  
  The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough
  Except the article is about spear-phishing. In spear-phishing, the emails are tailored to the intended victim, pretending to be from someone the attacker knows or believes the victim trusts, such as an email from their boss or their HR department, and the emails normally include information that the victim assumes isn't public which adds to the email's trust. Such emails may pretend to contain important employee training updates, company newsletters, specific conference information for conferences the target is known to attend, references by project name to projects the victim is working on, etc. This means the spear-phishing email is very different from typical spam which is clearly marketing, or so generic as to be obvious spam. It also means that without confirming the email's legitimacy via out-of-band methods, it may be virtually impossible to verify if it is real or not.
  
  The problem for the defenders is the only real defense against a well crafted spear-phishing email is to instruct people NEVER to open an attachment, to click on a link, to visit a website if so instructed, or even to respond with information that may be requested. But such a world would render most business email useless.
3. Re:well by kajla00007 · 2014-07-23 17:35 · Score: 1
  
  That i well said
4. Re:well by vasanth · 2014-07-23 17:43 · Score: 4, Interesting
  
  We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once
  or 1 out of 5,800 realised that they were being phished and many more never realised it...
5. Re:well by techno-vampire · 2014-07-23 17:57 · Score: 1
  
  In spear-phishing, the emails are tailored to the intended victim, pretending to be from someone the attacker knows or believes the victim trusts...
  
  You mean like the urgent notices I get about my accounts at banks I've never done business with or the "invoices" from companies I've never heard of before, let alone done business with?
  
  --
  Good, inexpensive web hosting
6. Re:well by dunkindave · 2014-07-23 18:08 · Score: 3, Insightful
  
  No, like if they want to gain access to data in company ACME Co, they do some research about that company, find people who belong to it, often in specific groups they are particularly interested in (the missile division of ACME for example), then seak out information on these people, like what conferences they have attended (attendee lists are often published on the web) or what projects at the company they are working on (a newsletter on the web mentions them in a small article about the Ramrod SuperAgile Counterstrike Missile System), then send them an email tailored just for them: Hi Joe, we found another missile system using flight parameters that may be interesting for use in the Ramrod. Here is the website..., signed your coworker Frank.
  
  The spam from your bank doesn't normally address you by name, or mention details like your account number or which local branch you use and when. In fact, it is the lack of such details that most people use for clues that it is spam, so when those details are there they typically trust it. That is the gist of the article.
7. Re:well by phantomfive · 2014-07-23 18:35 · Score: 2
  
  We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link.
  
  How did you know that others didn't click on it and then not mention it to anyone?
  
  --
  "First they came for the slanderers and i said nothing."
8. Re:well by techno-vampire · 2014-07-23 18:37 · Score: 1
  
  The spam from your bank doesn't normally address you by name...
  
  Actually, much of the spam/phishing email I get claiming to be from my bank has my name in the subject. I'm rather glad it does because I never get any real email from my bank that does this, so seeing my name there is a dead giveaway.
  
  --
  Good, inexpensive web hosting
9. Re:well by N1AK · 2014-07-23 20:03 · Score: 1
  
  You mean like the urgent notices I get about my accounts at banks I've never done business with or the "invoices" from companies I've never heard of before, let alone done business with?
  What exactly's your point? Obviously emails about accounts with banks you don't use aren't going to catch many people (although if they're threatening consequences like fines or rewards it'll catch some of the more naive), but when it gets to someone who does use that bank/business the effectiveness increases considerably. What you're doing is the equivalent of laughing at advertising billboards, roughly 3/4s of the people who see an add for female deoderant aren't the target market but the company knows that and doesn't care because the cost is worth it to reach the 25% it wants.
10. Re:well by Sique · 2014-07-23 20:14 · Score: 1
  
  Even if I get spam that claims to be from my bank, I can see it being spam because I got similar spam allegedly from other banks I never did business with. The same with the two messages of unclear status, I seem to have with so many sites, that the one that claimed to have sent by a site I actually have an account with was easily spotted.
  
  --
  .sig: Sique *sigh*
11. Re:well by techno-vampire · 2014-07-23 20:17 · Score: 1
  
  My point is that all of those emails I get about accounts I don't have is a counter-example to the claim that spear-phishing is carefully crafted to look real.
  
  --
  Good, inexpensive web hosting
12. Re:well by Anonymous Coward · 2014-07-23 22:14 · Score: 1
  
  You don't grasp the concept of spear-phishing at all, and you've almost certainly never been targeted by it. Generic emails crafted to look like they're from your bank are NOT spear-phishing - they're sent out en masse, along with lots of others crafted to look like different banks, just like any other phishing attempt.
  A hypothetical spear-phishing attack from your bank would address you by your real name, with specific reference to the names of accounts and products you actually hold with them (not just "your account"). A genuine junk email from my bank includes my name, post code (zip code for the Americans), the name of a now-obsolete credit card that I have, and several digits of its number. A spear-phishing attack could include all of that - the last four digits of a credit card are easily available from any store receipt. The phishing emails you talk about include none of it.
13. Re:well by drinkypoo · 2014-07-23 23:00 · Score: 1
  
  How are spammers successful so often? Simple, companies don't train people.
  Also, people are stupid. It's not hard not to get phished if you critically evaluate claims and requests as your SOP.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
14. Re:well by oobayly · 2014-07-23 23:09 · Score: 1
  
  They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.
  This is also made harder with the use of CDNs nowadays. A while ago our office started receiving large numbers of "InterFax" notification with a download link. I don't know what a proper InterFax notification looks like, but as you said, they did look professional, and in some cases the URL didn't look too dissimilar to some CDN URLs we've used.
  I tend to visit web pages used in phishing attacks for a couple of reasons. First, I like to input useless data. Second, I like to rate what sort of job the scammers did in cloning he web site - I always feel a little let down when I see dead links, as they didn't make the effort to duplicate all the pages linked to by the cloned login page. Seriously guys, put some effort into your scams - the work ethic of the criminal world is really dropping.
15. Re:well by clickety6 · 2014-07-23 23:56 · Score: 1
  
  They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.
  It doesn't help that legitimate companies that should know better do the same. I recently got a survey from PayPal, but rathet than going through their verified site at www.paypal.com, the links in the email directed only to www.paypal-survey.com. It looked like a classic phishing scam but was apparently a legitimate survey request.
  
  --
  ----------------------------------- My Other Sig Is Hilarious -----------------------------------
16. Re:well by Antique+Geekmeister · 2014-07-24 00:19 · Score: 1
  
  > How did you know that others didn't click on it and then not mention it to anyone?
  Of course they did. Why would anyone normal report this kind of incident to a security department that is bombarding them with warnings, and will fire you if you can't prove you've read their warnings?
17. Re:well by FireFury03 · 2014-07-24 00:20 · Score: 4, Insightful
  
  How are spammers successful so often? Simple, companies don't train people.
  Or they train them with exactly the opposite of good behaviour.
  Case in point: a few years ago my (at the time) bank sent me a marketing email (and yes, I confirmed it was legit). It wasn't from the bank's normal domain name and it contained lots of links to product descriptions that were also on an unusual domain. It said that I could verify it's authenticity because it contained the first half of my post code (i.e. something that's trivial for anyone to find out). I complained to the bank and the regulator - neither of them would do anything. The bank's excuse was that none of the pages linked from the email asked for my bank credentials so it was ok. This kind of thing trains people to expect that their bank will legitimately send them emails with clickable links that don't go to the bank's main website - the distinction between a link that asks for your credentials and one that doesn't is going to be lost on a lot of people.
  Similarly, my Paypal account is currently suspended because they sent me an email telling me I needed to "verify my ID" (by sending them a scan of my driving licence)... this email went into the bin along with all the phishing emails asking me to "verify my paypal account", so when I didn't send them any ID they suspended the account.
  Now, banks _do_ need to communicate with their customers, and I can't discount email as a viable method for them to communicate, but they really really need to start providing a sensible method for people to authenticate the legitimacy of the email - why the hell don't they MIME sign the messages, for example? At the moment they are sending out emails that are indistinguishable from phishing messages and then blaming the customer when they get phished.
  
  --
  http://blog.nexusuk.org
18. Re:well by timrod · 2014-07-24 00:51 · Score: 3, Informative
  
  I think it's more that the criminals tend to structure their phishing emails around things that look like they need to be clicked - I've seen a lot of phishing emails that purport to be from the reader's bank (I've gotten a few of these, all mimicking banks I don't use) telling them that fraud has been detected on their account or that there's some other urgent issue threatening their money. A lot of people will click these things without even giving it a second thought because to them, it looks like their life savings/credit score are at stake.
19. Re:well by GTRacer · 2014-07-24 01:08 · Score: 1
  
  I'm going to give s.petry the benefit of the doubt here and assume their systems are tightly locked down and they have various antivirus / tripwire / ip rules in place. That said:
  
  If someone got phished leading to trojan installation, *BAM* alerts go off in the NOC. If phishing led to credential leakage, eventual usage of the credentials by the outside attackers would set off alarms in the NOC, assuming we aren't dealing with valid external staff. If phishing led to credit card / invoicing info loss, unauthorized purchases would set off alerts in Finance.
  
  This also assumes an environment where credentials are not shared (the norm everywhere I've ever worked and none of those were DoD postings). It also assumes that pretty much anything of power is tied 1:1 to a person so any kind of abuse (use off-hours or in excess of limits, etc.) would be detectable.
  
  --
  Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
20. Re:well by T.E.D. · 2014-07-24 01:16 · Score: 3, Funny
  
  At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated.
  Click link below for weekly training memo about latest phishing threats. Remember failure to reading could result in the termination.
  - IT Team
21. Re:well by gstoddart · 2014-07-24 01:25 · Score: 4, Interesting
  
  How did you know that others didn't click on it and then not mention it to anyone?
  The company I work for does periodic in-house phishing/spam tests.
  If you fail and click the link, you get sent for extra security training. They know, because they're the ones who own the machines you went to.
  I gather a surprising amount of people actually fall for them. I find myself looking at "1 in 5800" and thinking "wow, you have some good training".
  When my parents got on the interwebs, in so uncertain terms, I sat them down and had "the talk": The internet is a dark and scary place, and not something you just trust. I explained phishing and spam, as well as how to spot fake telemarketers and scams.
  My parents have learned to be wary and a little skeptical when someone initiates contact with them, and know to ask for proof. On many occasions they've spotted stuff, though I still worry they might miss something.
  But, I still remain amazed at how many people who work in technology fields still blindly click stuff. I expect senior citizens and the like to be less aware of this stuff, but if you've worked in technology for any period of time, you should know better.
  
  --
  Lost at C:>. Found at C.
22. Re:well by gstoddart · 2014-07-24 01:37 · Score: 1
  
  It's not hard not to get phished if you critically evaluate claims and requests as your SOP.
  Of course, the problem with this is, anybody who does that more or less gets called a bit of a paranoid loon now and then. :-P
  Not everybody understands that a certain level of paranoia is actually required to survive the internet and other scams.
  Sometimes people look at you like you're over-reacting, right up until they realize they've given their credit card information to someone who was lying to them.
  
  --
  Lost at C:>. Found at C.
23. Re:well by s.petry · 2014-07-24 02:44 · Score: 1
  
  Proxy logs are not magical things, they are actually very effective in determining users that followed a phishing link. Even if the user did not report the breach themselves, the security incident would have been found (though it may have taken an hour or two as opposed to minutes.
  Sadly many people think a proxy is a bad thing and believe direct access is better.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
24. Re:well by s.petry · 2014-07-24 02:46 · Score: 1
  
  As I replied above, it's much simpler than that. Proxy logs are used to determine who clicked a bad link.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
25. Re:well by nabsltd · 2014-07-24 03:06 · Score: 1
  
  How are spammers successful so often? Simple, companies don't train people.
  Companies also don't often have the infrastructure set up to help their people do the right thing.
  As an example, every company should provide users with unlimited e-mail addresses that end up in their real e-mail inbox but can be filtered using rules. Employees should then be instructed that they should never use their "real" e-mail address for anything that gets put into a database. This means that if they sign up at Cisco's support portal, they don't use "realaddress@example.com", but instead something like "cisco-realaddress@example.com". This means that if you get what seems to be an official-looking e-mail about paying an invoice from Cisco addressed to "amazon-realaddress@example.com", you know it's fake.
  If ISPs provided the same feature, phishing success would be reduced dramatically. I get any number of e-mails that pretend to be from a bank (some actually from a bank I do business with), yet all come to the wrong e-mail address, so they are immediately trashed. With a little work, it could even be automated, especially if companies co-operated and documented keywords that would always appear in every e-mail from them. This would allow you to compare the keywords in the body to the recipient and see that they don't match as being from the same company.
26. Re:well by nabsltd · 2014-07-24 03:23 · Score: 1
  
  then send them an email tailored just for them: Hi Joe, we found another missile system using flight parameters that may be interesting for use in the Ramrod. Here is the website..., signed your coworker Frank.
  Frank doesn't sign his e-mail that way, so something must be up. Or, I don't know Frank personally, why would he send this to me? Or, Frank always sticks his head in my office right after he sends and e-mail and asks "did you see my e-mail?", so this must be fake. If your investigations that allow you to "spear phish" are good enough to solve these sorts of problems, you don't need to phish for stuff, you've paid off the cleaning crew and they can just take the papers.
  As for technological solutions (after all, this is /. ), we can assume that the e-mail was flagged as arriving at our e-mail server from an external server (i.e., not authenticated against our network), so it has a header added that causes it to be filtered by e-mail rules to not go directly into the inbox, but instead into the "external contacts" folder. Yes, I know most companies don't do this, but they should. My company adds headers, but doesn't automatically filter...that's up to the user.
27. Re:well by gfxguy · 2014-07-24 03:23 · Score: 1
  
  Interesting... I should stop clicking on those links, then. I feel like, since I'm using linux, I likely won't get a virus, so when I get a "you need to change your password" link, I usually just curse them out in it. Email: eat@shit.and.die, password: youfuckingasshole. I know it doesn't solve any problems, but it feels good.
  Hey, if enough people did it, they'd have to wade through tons of insults before finding one where the person actually fell for it.
  
  --
  Stupid sexy Flanders.
28. Re:well by gfxguy · 2014-07-24 03:27 · Score: 1
  
  Yes! My wife is terrible, and when I say "just don't click on anything," she asks "what about the legitimate ads?" So I repeat "just don't click on anything... there's no SPAM that is legitimate." Sadly, she does it anyway. I missed a whole day of world cup group games "fixing" her computer... and it wasn't the first time. I should just cut her off.
  
  --
  Stupid sexy Flanders.
29. Re:well by gfxguy · 2014-07-24 03:32 · Score: 1
  
  I pretty much do the same thing, but instead of useless data I put insulting data. Sometimes I'm impressed with the effort... sometimes it links to a google form, and that's pretty sad. Some of them are so good, though, if they just put that much effort into honest work, they'd be pretty well off.
  
  --
  Stupid sexy Flanders.
30. Re:well by gfxguy · 2014-07-24 03:43 · Score: 1
  
  Which I (and a lot of other people) would then not have participated in, so PayPal should learn from it.
  
  --
  Stupid sexy Flanders.
31. Re:well by gfxguy · 2014-07-24 03:46 · Score: 1
  
  The thing with my bank is that they don't send links in the email, and they often warn people that they won't. If there's something you should look at on your account, like a notification of bill pay or something, they simply say in the email "log into your online account" without providing a link. Most people have their bank bookmarked, so it's not like it's some kind of hardship.
  
  --
  Stupid sexy Flanders.
32. Re:well by gfxguy · 2014-07-24 03:48 · Score: 1
  
  Click link below for weekly training memo about latest phishing threats. Remember failure to reading could result in the termination.
  - IT Team
  
  ... and don't forget to sign in with your username and password so that you get credit for having read the memo!
  
  --
  Stupid sexy Flanders.
33. Re:well by phantomfive · 2014-07-24 04:00 · Score: 1
  
  Sadly many people think a proxy is a bad thing and believe direct access is better.
  Well yeah, because often their either used for censorship, or are cheap and end up slowing the internet down.
  
  --
  "First they came for the slanderers and i said nothing."
34. Re:well by FireFury03 · 2014-07-24 04:54 · Score: 1
  
  The thing with my bank is that they don't send links in the email, and they often warn people that they won't. If there's something you should look at on your account, like a notification of bill pay or something, they simply say in the email "log into your online account" without providing a link. Most people have their bank bookmarked, so it's not like it's some kind of hardship.
  It is some kind of a hardship because you still have to figure out which emails are legit - I'm not going to go log in to my bank every time I get a phishing email. When the vast majority of emails claiming to come from my bank are phishing mails, I'm pretty much guaranteed to miss legitimate ones unless the bank give me a trivial way to know that they're legit - MIME signed emails would allow that, but no banks seem to be interested.
  
  --
  http://blog.nexusuk.org
35. Re:well by s.petry · 2014-07-24 04:56 · Score: 1
  
  People misusing or abusing a proxy server (or any other service that can be used to increase security) is a totally separate issue. I laugh at anyone claiming it makes things slower too, because you are obviously not using a proxy properly if your internet slows down. Either that or you think a single cache drive is "enough" and skimped on scaling out the service properly.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
36. Re:well by s.petry · 2014-07-24 04:57 · Score: 1
  
  Or install ad-block and no-script and don't show her how to disable them
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
37. Re:well by gfxguy · 2014-07-24 05:04 · Score: 1
  
  That makes no sense to me, though... how does a phisher succeed when they don't send you a link? Since they can't blindly lead you somewhere else, you wouldn't receive a phishing scam email without links.
  
  --
  Stupid sexy Flanders.
38. Re:well by phantomfive · 2014-07-24 05:08 · Score: 1
  
  you are obviously not using a proxy properly if your internet slows down. Either that or you think a single cache drive is "enough" and skimped on scaling out the service properly.
  Yes, well, not every IT person is as competent as you
  
  --
  "First they came for the slanderers and i said nothing."
39. Re:well by s.petry · 2014-07-24 05:16 · Score: 2
  
  Which is fine until your IPs start to get extra attention for fucking with people. Avoiding drug dealers in a big city is not hard once you know what to look for. I'd not recommend that people start driving by and throwing eggs at them, eventually they will get pissed and shoot someone.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
40. Re:well by s.petry · 2014-07-24 05:18 · Score: 1
  
  I would surely hope that is not true. Perhaps there is a segment that doesn't care
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
41. Re:well by gfxguy · 2014-07-24 05:55 · Score: 1
  
  That'd be a fair warning if phishers weren't pussy ass scaredy cat losers who wouldn't actually be able to inflict harm in any way except with a keyboard.
  
  --
  Stupid sexy Flanders.
42. Re:well by s.petry · 2014-07-24 06:11 · Score: 1
  
  Going by personal history here, it's easy to mistake a "stupid phisher" for a syndicate. Often they operate the same, and the syndicates do test what they sell to the "stupid phishing" people.
  I'm not against what you are doing at all, but pointing out the risk which you overlooked. Definitely not something a novice should attempt.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
43. Re:well by Tom · 2014-07-24 08:52 · Score: 1
  
  Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average").
  
  Security awareness training in companies is largely nonsense. Your scenario is different not because of your memo, but because your people realize that something more important than shareholder value is at stake. And I dare to say that your weekly reminders are the secret, not any awareness training. Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up. It doesn't matter if people read it at all, what matters is that they consider it long enough to activate the desired memory of adequate behaviour, which means 2-3 seconds.
  And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
44. Re:well by s.petry · 2014-07-24 09:21 · Score: 1
  
  Security awareness training in companies is largely nonsense.
  Rubbish! If you are starting from scratch you have to lay the foundation. Jumping right into impersonal communications shows that your security team does not care, therefor the amount of people with genuine concern will never increase.
  
  Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up.
  
  That we agree on, but you are choosing to ignore all of the precursor psychology which is just as well documented.
  
  And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.
  It's hard to tell if you were attempting to be condescending with that first sentence. I've been working in IT for 3 decades, so have much more experience than one incident. Going beyond one example is not necessary.
  Re-read my last paragraph, I point out that in SV there is a culture issue to overcome. That said, where I work currently the culture is open and honest and is in SV. Corporations can change their culture, if they try to do so.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
45. Re:well by Tom · 2014-07-24 10:55 · Score: 1
  
  Rubbish! If you are starting from scratch you have to lay the foundation.
  Which foundation? Boring people for half an hour with stuff they couldn't care less about? I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.
  
  therefor the amount of people with genuine concern will never increase.
  For all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?
  
  It's hard to tell if you were attempting to be condescending with that first sentence.
  Not at all. If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with. The problem is that culture is pervasive, so if the culture is different, you cannot change it just for this one thing, you need to tackle the entire corporate culture, and as soon as you start you have enemies, namely everyone currently profiting from the existing culture.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
46. Re:well by GTRacer · 2014-07-25 02:44 · Score: 1
  
  I may have missed it but I never saw you proffer specific technology in place for detecting phished users ^^
  
  --
  Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
47. Re:well by q4Fry · 2014-07-25 04:11 · Score: 1
  
  Clearly, you didn't read the security email and will be fired. ;^)
48. Re:well by s.petry · 2014-07-25 07:34 · Score: 1
  
  Actually it's a post ordering thing. It shows _below_ your post after reloading the page, but when I added comments it was showing above your post.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
49. Re:well by s.petry · 2014-07-25 07:58 · Score: 1
  
  I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.
  Ahh, so you work at one of those places with horrible culture.
  
  or all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?
  Got it, you are a lively participant in the horrible culture and happy to propagate the culture.
  
  If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with.
  In 30 years of working IT (right after college which was right after the military) I have seen both good and bad. You are in a bad place with a bad culture, period. It usually takes a whole lot of new-hires and terminations to change a culture (depending on the size of the company).
  As stated in a previous post, this is all behavioral psychology. When management and IT dismiss security as "stupid" and pee away opportunities to share knowledge that is a problem with management and IT. Of course accountants don't care, you are teaching them not to! Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
50. Re:well by Tom · 2014-07-25 11:11 · Score: 1
  
  Ahh, so you work at one of those places with horrible culture.
  I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.
  It's not a problem of IT security. Fire security trainings are quite similar, except that they have evolved thanks to decades of experience - in a modern company, those responsible know that the fire drill is primarily to drain the assigned helpers and floor supervisors, not the employees.
  
  Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.
  I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large. Tell me, how many people have you had in those trainings you thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.
  I've had the responsibility of writing or reworking existing IT security policies, and my advise has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.
  I love security. But I think our industries approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
51. Re:well by s.petry · 2014-07-25 11:51 · Score: 1
  
  I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.
  As stated several times alrady, this is a culture problem with a company. Not an issue of security or training.
  
  I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large.
  
  Your opinion vocalized will ensure that it is a waste of time. I gave an example of ensuring it's not. Hell, I'm not a security trainer. I provide data to ours, and work extensively securing systems and networks. When we have training I nudge people to listen instead of making it a "waste of time" or a "coffee break" as you claim the training is.
  Most people are not experts, and most people don't deal with risks every day. Showing them "hacking" is like magic to an accountant, and it's a pretty effective way of teaching.
  
  Tell me, how many people have you had in those trainings you thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.
  Wrong question to ask, followed by more of the same rubbish perpetuating your opinion.
  There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.
  
  I've had the responsibility of writing or reworking existing IT security policies, and my advise has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.
  Writing policy is not the same as educating people. Two different skill sets. It's interesting that you claim to have so much knowledge yet hate to teach listen to shared knowledge, from a psychological stand point.
  I'll hear you whine about depth of security policies after you have built and secured NISPOM/JFAN compliant networks. Knowing the policy is required to set them up, audit them, and maintain them. Once again, you bring up people not following or using policies which is a Culture issue and not a security or training issue.
  
  I love security. But I think our industries approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.
  Because everyone is exposed to and knows as much about security as you do right? Rhetorical question, don't answer it. Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
52. Re:well by Tom · 2014-07-25 23:06 · Score: 1
  
  I gave an example of ensuring it's not.
  
  And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.
  
  There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.
  That means spending a considerable amount of time and effort on everyone. Scale that up to a 3,000 people company. Now get approval for the budget for this. Not many companies are going to spend this amount of money.
  
  Writing policy is not the same as educating people.
  That is true. But you missed the point I was making. Of course you need in-depth technical documents when you actually secure a somewhat complicated system. But the policy - the document that you expect every employee in the company to read and know - should not contain those details.
  Same with almost every security awareness training I've personally seen. Half of its contents can be thrown out with no loss of vital information, and if the people who run the trainings don't do it (because if they did, they'd only get half as much money for it), then the recipients will do it via filtering. The end result is the same.
  
  Because everyone is exposed to and knows as much about security as you do right?
  No, because the wrong problems are addressed. I've given a keynote not long ago about these things as my contribution to improving the status quo. One of the points I keep repeating is that most password policies actually make passwords less secure, not more. (they follow predictable patterns because most people will build the most simple password the policy allows, for example).
  What I mean is that we replace actual security with trainings and think it's a solution. Basically, instead of putting belts and airbags into cars, we tell people to not crash into each other - as if they did it intentionally, as if crashes only happened because nobody told people to not crash their cars. Yes, there's a good reason to tell people to drive carefully, but just like those roadside signs, it doesn't give any measurable gain to hammer the message in. Simple messages and time-spaced reminders work better than extensive training. In fact, if you train people too much, you can get the opposite effect, as they become annoyed by being told the same thing they already know for the 100th time.
  
  Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.
  Sure I have my own view and experiences and my attitude is the result of what I've seen and what I think about it. Also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.
  I don't consider it a psychological problem, it's a simple fact of life. If your life experience is different, you'll have different expectations. By exchanging them here, we can both widen our horizon, which at least for me is the main reason I'm posting.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
53. Re:well by s.petry · 2014-07-28 10:55 · Score: 1
  
  And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.
  This does not match what you state later, which is in essence claims that all 3,000 people in your company need in depth knowledge of your security policy. That is, plainly, nonsense.
  Corporate "Security Awareness Training" has to address the needs of _many_, and not everyone needs that level of detail. In fact very few do, and a small percentage could even understand them. Which could explain your repeated claims of bad experiences.
  Jane and John, the new accountants, need to know what Phishing is, not what your encryption policy for tape back up is. You previously complained that for you it was redundant so "stupid" (your words). Stop moving the goal post.
  
  What I mean is that we replace actual security with trainings and think it's a solution.
  
  Security awareness training is not a replacement for security. If a Company believes it does, this matches what I stated repeatedly about a broken culture. Not a Security or Training deficiency.
  
  Sure I have my own view and experiences and my attitude is the result of what I've seen and what I think about it. Also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.
  I know plenty that underscore how bad corporate cultures are and can be. Any Corporate level trainer will tell you the same thing. You have to train everyone in the basics. After they have a grasp of basics, reminders and nudges from audits work. A reminder about phishing attacks will be ignored by people that don't know what phishing is or how it works. Reminders to follow the password policy will be ignored by people that don't know the policy.
  Finally, as stated previously, there are plenty of people that contribute to poor culture. The guys that talk smack about the training because they know it all are a huge issue. You have to build a culture of security if you want to be secure. That will never happen with a crew of sexual intellects (F'king know it all's) discouraging knowledge sharing and personal growth.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Remember by djupedal · 2014-07-23 16:42 · Score: 3, Interesting

It's the singer....not the song.

School smarts lose to street smarts.
Fake emails are so convincing.... by tquasar · 2014-07-23 16:45 · Score: 2

No, they're not. I use filters, blocking, caller ID, etc. and kinda know who calls or sends me email, so even if my stuff was wide open it would be delete, delete, delete do not pick up.. Anyone who works from home or is home during the day or at dinner time gets spam calls even when trying to be a "Do Not Call" person. Who makes this stuff up? A generation of clickers? Really Slashdot?
1. Re:Fake emails are so convincing.... by Cryacin · 2014-07-23 17:37 · Score: 3, Funny
  
  Do you have some kind of confusion that prevents you from distinguishing phone calls from e-mails?
  He has trouble relating to Phemails
  
  --
  Science advances one funeral at a time- Max Planck
Stopped using LinkedIn by Animats · 2014-07-23 16:48 · Score: 4, Interesting

I was getting so much LinkedIn related junk that I stopped using LinkedIn and sent all email from them, or purporting to be from them to trash. If LinkedIn isn't putting in the effort to find their attackers, why should I use them?
1. Re:Stopped using LinkedIn by Bigbutt · 2014-07-24 02:50 · Score: 1
  
  Yea, I closed my account with linked in. Far too much noise and very very little signal.
  [John]
  
  --
  Shit better not happen!
2. Re:Stopped using LinkedIn by Tom · 2014-07-24 08:44 · Score: 1
  
  Frankly speaking, the reason I never used LinkedIn at all is that even their legitimate mails are indistinguishable from spam. Including the fact that if you ask them to stop, they won't.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
Like everything else.. by Anonymous Coward · 2014-07-23 16:54 · Score: 1

Trying harder counts. The fact that these people only have to think about how make people read and click, and not any legalities also helps considerably.
If your English sucketh, your link prolly doeth 2 by xxxJonBoyxxx · 2014-07-23 16:57 · Score: 4, Funny

>> can tell-apart
You can't fool me...I'm not going to click any links on this craptacular "story."
Irony.. by super_scalt · 2014-07-23 16:59 · Score: 1

.. would be if the link in this article was in itself a phishing scam
Trained to be clickers by dilvish_the_damned · 2014-07-23 17:23 · Score: 1

Trained to click on shit by bad interface design. It might have been a different story if UI designers didn't think every simple little thing demanded the users exclusive attention and acknowledgment right now.

--
I think you underestimate just how much I just dont care.
1. Re:Trained to be clickers by bondsbw · 2014-07-23 17:43 · Score: 1
  
  It might have been a different story if UI designers didn't think every simple little thing demanded the users exclusive attention and acknowledgment right now.
  In my experience: 's/UI designers/the customer/'
  
  --
  All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
"Sophisticated"? Not from what I see... by gweihir · 2014-07-23 17:56 · Score: 1

The phishing emails I get (and I get a few...) are targeted at semi-literal morons that have no clue how the world works. But it may be that there are a lot of these people around, judging from other observations.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Not everyone is train-able by Taco+Cowboy · 2014-07-23 18:04 · Score: 5, Insightful

How are spammers successful so often? Simple, companies don't train people

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable
Not that people are stupid - no, as far as I am concern, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in
It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource
No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost in a daily basis, and the local level network will get breached

--
Muchas Gracias, Señor Edward Snowden !
1. Re:Not everyone is train-able by s.petry · 2014-07-24 02:38 · Score: 2
  
  As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable
  I agree, but those are not people you want working for you if you are concerned about security.
  
  Not that people are stupid - no, as far as I am concern, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in
  I think that you and I have different definitions of intelligence (mine matches the dictionary). If a person does not care, or is lazy in terms of security, that has nothing to do with intelligence. An intelligent person that cares can easily learn. An intelligent person that does not care will perform questionable acts, and not just in terms of phishing campaigns. A lazy person will filter security messages to junk and never read them.
  Making people care about security takes work, and making sure they review security bulletins takes work. Reward vs. punishment systems are a juggling act, but this is true in any behavioral science.
  
  It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource
  If the dangers of social media are not part of your security awareness campaigns in the office, you need to have your security team add this to their normal message campaigns. It does not take paranoia by end users to catch phishing attacks, it takes awareness. I.E. "Our company will never ask you for personal information on a social media site. We will never ask for your login name or password on the phone. If you receive such a request contact security at [some extension] immediately, preferably while the person making this request is on the phone." or how about "Want a free lunch? Report questionable content to security and if it's a campaign to cause damage we'll buy you lunch." and finally "Send suspect phishing emails to security, be entered for a raffle to win dinner with the CEO/attend a game in our suite at the Shark Tank, etc...." There are many ways to mold behavior.
  Further if you are are a company that does take login names and passwords over the phone or asks for people's personal social media information, change your friggin policies immediately! That is not a problem with uneducated users, that is a problem with horrible company policies and practices.
  
  No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost in a daily basis, and the local level network will get breached
  I have seen too many examples where this is simply not true. Companies that skimp on acquiring and maintaining a good security team and enforcing internal training are the biggest victims. Where I work currently we have regular training, and even though we experience regular phishing attacks people are not giving out data. It's only 600 employees, but we still see 0 successful phishing attacks.
  I'd be willing to bet that any company you claim is "good" yet gets regularly victimized by phishing attacks receives little to no regular security training. And "NO", an email from security that requires no follow up is not "training". Annual face to face meetings with security are similarly not training. Even in a place where users have been well trained quarterly is a minimum, and while working to train users this should be monthly at a minimum. Make the training mandatory, but buy your people lunch for attending. If you let people skip training you are teaching them that it does not matter, so your company needs to ensure a zero tolerance policy for this training. This is all pretty basic psychology for behavior training.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
2. Re:Not everyone is train-able by Tom · 2014-07-24 08:54 · Score: 1
  
  As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable
  Not everyone can train people. Almost nobody can train all kinds of people, because they need to be trained differently.
  More importantly, not everyone is acceptable as a trainer. Many, especially smart people, don't like being trained by someone they consider to be their inferior.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
Phishing? by PPH · 2014-07-23 18:05 · Score: 1

From TFA:

people clicking on a link in the email that goes to a malicious website that looks harmless but can have total control over their PC in less than five seconds
That's not really phishing. More like a drive-by download. Phishing is where the e-mail or web site attempt to truck the luser into entering an ID/password for the legitimate site being masqueraded.
Phishing attempts to exploit a weakness in the user, downloads exploit the o/s or client software.

--
Have gnu, will travel.
too good to be true by pr100 · 2014-07-23 20:04 · Score: 1

Criminals can promise things that legit marketing emails can't.
Because cybercriminals cheat by curty · 2014-07-23 20:09 · Score: 1

If the marketing experts used the same tactics (disguising their emails as linked-in requests) they could compete with the cybercriminals.
Some things about this article smell. The author is a director of the company whose research the article cites. And what about the claim that "a dating website was hacked and approximately 10% of the passwords were âoelove1234â"
That seems like a lot! (Unless there were only 10 accounts....)
1. Re:Because cybercriminals cheat by ArcadeMan · 2014-07-24 00:38 · Score: 1
  
  I'd be interested to know, with a total from all those password surveys, how many are "luggage12345". A search on Google gives "About 10,600 results", so that's already a possible hint about how popular it could be as a password.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
utf-8 copy/paste bug by curty · 2014-07-23 20:11 · Score: 1

"love1234"
oops
always use pgp by pereric · 2014-07-23 21:45 · Score: 1

What about making it as wide-spread as possible organization policy to alway *sign* your e-mail with pgp / gpg?
That would at least increase the effort needed (ie, actual access to someones computer) to send "genuine" e-mail from a coworker ...
People should look where they are going by blackest_k · 2014-07-23 21:47 · Score: 4, Interesting

The one that seems to catch people out is the link which they click on in a mail in gmail.
that takes them to gmail.google.com.myphishingsite.info/sessionexpired
which presents them with a message like session expired please login to your gmail account and the top line already has their email address all they need do is enter their password.
Most people don't question why would that happen a few seconds after clicking on the link
quite possibly because Google and facebook don't take you straight to a link they log it first by an intermediate page and then redirect you to the destination (i see it all the time on my slow connection).
The page looks authentic and they tend not to look at the address bar and see the bolded address myphishingsite.info.
often its a site like fgjfjhki23d.info a random jumble of characters just like the ones a site like google and facebook use all the time. People are used to seeing this sort of thing
e.g http://it.slashdot.org/comment... of this address (taken from the address on this page) only it.slashdot.org make any sense to most people and thier eyes glaze over beyond the initial it.slashdot.org
Thats a problem without any training in website design then its pretty hard to tell the real from the fake.
Thing is once an email account has been harvested it immediately sends out a 100 emails to the address book of that user and the same thing happens again.
Most people think they had thier email hacked not realising they gave away thier password.
kind of hard to stop people for falling for this sort of thing. The emails are even clever enough to redirect to an alternative page once the fake webmail page has been brought up once.
People here would say its because people are stupid, but most people just don't have enough knowledge or interest in this area to know when something is fake or genuine.
It is probably impossible to fix especially when the sites we use everyday use random looking charactor sequences as part of the url.

--
Blarney Quality Restaurant, Plants
If you tried fixing that you did it wrong by Anonymous Coward · 2014-07-23 21:51 · Score: 4, Insightful

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable
Doesn't help if you start out with not even trying.
You can try and teach people the finer points of literature but if they can't even read or write, they're lacking some basic knowledge to build upon.
This basic knowledge in computing has for ages been refused to people on the grounds that the software was "intuitive" and so would convey the basics by osmosis. Turns out it doesn't.
Even something as basic as the difference between To: and Cc:, I've seen people assume "first goes in To:, rest goes in Cc:, and that's not how it works. But nobody had bothered to explain even that. What's the difference, what do we use it for? Poor sod didn't know.
Instead the software provides an environment where all you can do is click and so that's all that people will do. Without looking where they're clicking because looking before you click has been made extra difficult, and so they've long been discouraged from engaging their brains on the question what they're doing. So if the thing in front of them presents them with a link, they're going to click on it, and you cannot blame them.
Similar with how to write reply emails. Why would you slap a single line atop someone's letter and send the entire thing back? Why then, do it with email? Nobody explained how to do it properly so everybody does it wrong, exactly as the (most popular but most poor excuse for an) email client provides. The results are mostly unreadable wastes of time but nobody knows they can do better with trivial effort and so it doesn't happen.
At the very least, should've given them an email client that doesn't do html and doesn't do links. Requiring people to copy/paste the link would be a simple, basic security measure because it requires engaging a few more braincells and actually looking at the url at least while copy/pasting, increasing the chances that dangerous links get spotted. Also because now the href cannot be hidden as easily.
Don't believe me? We live in the age of the veritable flood of poorly-written messages, to the point that most corporate communication consists of poorly worded laments that the communication is so poor. There's no discerning malicious from the merely inept there. It's all crap and yet you have to slog through it. And so that's what the poor untrained drones do.
This isn't really automation, it has nothing to do with empowering users. It's using technology to make puppets out of untrained meat sacks. You really shouldn't blame the meat sacks here.
1. Re:If you tried fixing that you did it wrong by GTRacer · 2014-07-24 01:14 · Score: 1
  
  Why would you slap a single line atop someone's letter and send the entire thing back?
  Because we can and bytes are cheap? Hiya! I promise I'm not trying to start a religious war over top-versus-bottom posting or the like, but I'm genuinely curious:
  
  I save all emails. Always have. I can usually find a thread easily enough, but there are times when multiple people are in a thread and the subject gets manually mangled, so Outlook won't incorporate those in its "conversation" search. So having the whole thread, TOP-POSTED, makes it simple to quickly review what was said about whatever we were discussing. As long as the email client clearly marks each message's beginning, how hard is it to read the top one and only scan down if needed?
  
  That said, I'm all for stripping out inline images on reply, and if the topic shifts I have no problem [snip] -ping out the completed thread to make room for the new one. Or if an email thread goes marathon and bounces more than like 10 times...
  
  --
  Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
2. Re:If you tried fixing that you did it wrong by tsqr · 2014-07-24 01:52 · Score: 1
  
  Even something as basic as the difference between To: and Cc:, I've seen people assume "first goes in To:, rest goes in Cc:, and that's not how it works.
  Personally, I like the people who don't understand the difference between Reply and Reply All. When HR sends a company picnic invitation to Everybody, the invitation is immediately followed by a Reply All flood of RSVPs from that crowd. Lately, though, HR seems to have discovered the Bcc: field as a solution to that issue.
3. Re:If you tried fixing that you did it wrong by tlhIngan · 2014-07-24 03:08 · Score: 2
  
  Personally, I like the people who don't understand the difference between Reply and Reply All. When HR sends a company picnic invitation to Everybody, the invitation is immediately followed by a Reply All flood of RSVPs from that crowd. Lately, though, HR seems to have discovered the Bcc: field as a solution to that issue.
  Well, given the default to most company emails requires reply-all, it's not a surprise, really. I mean, if you're on a project and you need to send information to others, you probably will put in several people. And the recipient probably uses reply-all so everyone can be aware of the followup as well. Because things get awfully stilted if everyone merely replied to the original sender and they get flooded with dozens of the same question and notes.
  So it's natural in a business setting to use reply-all since you expect to share with everyone else. Hitting reply just feels unnatural.
  And yes, that's what the BCC field is for, if you really need to break the reply-all chain.
Security issues of emails .. by lippydude · 2014-07-23 22:53 · Score: 3, Insightful

"Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today."

Only on Microsoft Windows, the Operating System that made clicking on a URL or opening an email attachment dangerous. Mainly because Windows doesn't know the difference between OPEN and RUN. If you want to be safe doing your online banking then use a LiveCD
1. Re:Security issues of emails .. by sociocapitalist · 2014-07-24 01:46 · Score: 2
  
  "Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today."
  Only on Microsoft Windows, the Operating System that made clicking on a URL or opening an email attachment dangerous. Mainly because Windows doesn't know the difference between OPEN and RUN. If you want to be safe doing your online banking then use a LiveCD
  
  A live CD isn't going to help against a redirect attack and subsequent harvest of your login credentials.
  The only real protection for this type of attack is if your banks, credit card companies, etc. and you use one time passwords (i.e. one or more tokens of some sort)
  
  --
  blindly antisocialist = antisocial
2. Re:Security issues of emails .. by GuB-42 · 2014-07-24 05:59 · Score: 1
  
  Mainly because Windows doesn't know the difference between OPEN and RUN.
  And what is the difference between "open" and "run" ?
  If you are at a system level, of course windows makes a difference between open (as in "give me a handle to a resource") or run (execute code).
  If you are at a GUI level, and it's probably what you are thinking about, it's not about windows or linux or whatever, it's about the program you are using to do the "open". When you are clicking on an URL or an email attachment, the browser or mail program decides what to do with it.
  On windows, many apps use the "ShellExecute" action with the default action which is the same as double-clinking a file on the desktop but it is not the only way to do it. On linux, there isn't a standard way of opening files so it's really app dependent.
How are they outmarketing the experts? by mark_reh · 2014-07-23 23:13 · Score: 1

That's easy. They don't care about laws that are intended to protect people from "legitimate" marketers. When you don't worry about the law you can literally do and say whatever you want.
New news:
Bank robbers withdraw more money from banks than they have in their accounts!
Re:If your English sucketh, your link prolly doeth by StormReaver · 2014-07-23 23:26 · Score: 1

I'm not going to click any links on this craptacular "story."
I did, and it really is a craptacular article. I can sum it up thusly: "Phishers do illegal things, therefore getting more clicks. If legitimate marketers did the same thing, their click rate would skyrocket."
And, "Don't use Windows XP on the Internet." This, by the way, was always good advice. And it still applies to all versions of Windows.
I know! by sabbede · 2014-07-24 00:35 · Score: 1

Advertisers and marketeers are trying to sell something real (that might not be interesting enough to click), and aren't allowed to lie. Phishers are already breaking the law, so no worries about false advertising or dull products.
"tell-apart" by Arancaytar · 2014-07-24 01:02 · Score: 1

What?
Re:Advertisers and marketee aren't allowed to lie. by DocSavage64109 · 2014-07-24 02:19 · Score: 1

Advertisers and marketeers are trying to sell something real (that might not be interesting enough to click), and aren't allowed to lie. Phishers are already breaking the law, so no worries about false advertising or dull products.
I'm not so sure about the advertisers not being allowed to lie thing. I worked as a minion at an ad agency for a brief time and pictures comparing the results of various products and such were from completely unrelated stock photos. I'm not sure I'd trust the text (copy) that much either, though it's a lot easier to catch them in it.
You're thinking of phishing, not spear phishing by raymorris · 2014-07-24 02:37 · Score: 2

You're talking about regular phishing. Phishing is not spear-phishing. Phishing, like fishing, involves casting out a bait and hoping that someone (anyone) takes the bait.
Spear-phishing, like spear-fishing, is DEFINED as identifying a specific target and launching your weapon against that target specifically.
Some phishing campaigns are quite elaborate by ruir · 2014-07-24 04:06 · Score: 1

I have received a couple of years ago a dozen emails with messages of account terminations-or-you-have-to-click here to review from "Apple" that looked like the real deal, and only at looking to the headers you would notice they were coming from someplace else, and where using strange URLs. If you were looking at the emails, they looked like the real deal.
There could be a solution in the browser by iMadeGhostzilla · 2014-07-24 04:21 · Score: 1

And it would be simple: the browser would know that it's reading email (from URL -- gmail, yahoo, custom) and *would not open any links* the user may click on unless the link URL is on the click-to-open whitelist (initially empty). It would still let you copy the link to the clipboard (possibly with a warning) that you could paste yourself in a new tab (possibly with another warning), but this speed bump of having to take the destination URL in your hands, so to speak, would -- I'm assuming -- be good enough to let you pause and think if "support-raytheon.com" is really where you want to go.
tell-apart by oldmac31310 · 2014-07-24 04:38 · Score: 1

just what the f*** is that?

--
http://www.acetonestudio.com
Re:Advertisers and marketee aren't allowed to lie. by Stan92057 · 2014-07-24 08:26 · Score: 1

Sure you can lie but if you get caught the penalties will be high. Its called false advertising and there are laws against it.

--
Jack of all trades,master of none
Re:Advertisers and marketee aren't allowed to lie. by sabbede · 2014-07-27 23:45 · Score: 1

Oh, I'm not saying that marketers aren't bad people whose job it is to deceive and mislead consumers, but there are rules and agencies that enforce those rules. Spammers and scammers don't have to worry about their company being punished so there is nothing holding them back.