July 29, 2004

Fooling Some of the People Some of the Time

MSNBC reports on results of spam credibility research conducted by (obviously interested party) MailFrontier, Inc. showing a large number of users are fooled by fake email requesting personal information--including credit card numbers.
Anti-spam firm MailFrontier Inc. showed 1,000 consumers examples of so-called "phishing" e-mail as well as legitimate e-mail from companies such as eBay and PayPal. About 28 percent of the time, the consumers incorrectly identified the phishing messages as legitimate.
MailFrontier has published an interactive example test on their Website. Although MailFrontier obviously has an interest in portraying phishing messages as a large risk, their findings tend to be backed up by numerous other studies and surveys (from sources such as Gartner Research and The National Consumers League) described in the MSNBC article.

Here's something to consider, though: The MailFrontier test provides users with the text (including graphics) of the email messages, but fails to provide users with one of the best tools for tracking the source of a message: the raw headers of the email. Any smart scammer can design a message that appears credible, based on rhetorical smarts coupled with some sample real messages from the firms falsely being represented. So, for example, there are enough real PayPal messages floating around the net to allow a good writer to compose a false message that appears credible. But because the phishing test doesn't allow users to do things like examine raw headers, it's extremely difficult to sort out reliable from unreliable messages.

In addition, some very simple practices can protect users who aren't sure of the real origin of a message--like never simply clicking the link in an email asking you to respond with personal information, but instead manually entering a corporation's URL into a browser window. Sophisticated URL redirects and masking can display one URL in an email message while directing users to a fake scammer's website, or even mask the destination URL in the browser window so that the clicked link still appears legit after it's opened.

For example, a few moments ago I received an email from PayPal (apparently) that provides information about a class-action lawsuit. I know from recent press that the lawsuit itself is legit. And the email from PayPal conforms to the format and language that I've come to expect from them.
But I would never simply click the link in the article that purports to offer more details; instead, I'll later go to PayPal's website in a browser and hunt for the info on their site to see if it's actually there. So the MailFrontier quiz is a useful exercise in understanding rhetoric, but beyond that it serves mainly to reinforce what are already considered to be prudent practices; if nothing else, the publicity should be good at showing users that you can't judge a book by its cover. [via /.]

Posted by johndan at July 29, 2004 07:51 AM
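As an added illustration of the two checks discussed above (reading the raw headers, and comparing what a link displays with where it actually goes), here is a small Python script. It is my own example, not code from the MSNBC article or from MailFrontier. The message it parses is constructed for the demonstration: the sender domain, the relay hostname and the 203.0.113.5 address are placeholders, not real infrastructure, and the heuristics (first-hop host outside the claimed sender's domain, visible URL text whose host differs from the href) are deliberately simple.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (placeholder hosts, not a real phish). Two things
# a reader of the raw source would notice: the relay that handed the message
# in does not belong to the claimed sender's domain, and the first link shows
# one URL as its text while its href points at a bare IP address.
RAW_MESSAGE = b"""Return-Path: <bounce@mail.example.net>
Received: from mx.paypal-alerts.example.net (mx.paypal-alerts.example.net [203.0.113.5])
  by inbound.example.org with ESMTP id abc123
  for <user@example.org>; Thu, 29 Jul 2004 07:00:00 -0700
From: "PayPal" <service@paypal.example>
To: user@example.org
Subject: Account verification required
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please confirm your details at
<a href="http://203.0.113.5/login">https://www.paypal.example/</a></p>
<p>Questions? See <a href="https://www.paypal.example/help">our help page</a>.</p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def looks_like_url(text):
    """True when the anchor's visible text itself claims to be a URL."""
    return re.match(r"^(?:https?://|www\.)", text, re.I) is not None


def link_mismatches(html):
    """Return (shown text, real href) pairs whose hostnames disagree."""
    collector = _AnchorCollector()
    collector.feed(html)
    found = []
    for text, href in collector.links:
        if not href or not looks_like_url(text):
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown != actual:
            found.append((text, href))
    return found


def received_hops(msg):
    """Hostnames named in 'Received: from ...' headers, most recent first."""
    hops = []
    for value in msg.get_all("Received", []):
        match = re.search(r"\bfrom\s+([\w.-]+)", str(value))
        if match:
            hops.append(match.group(1).lower())
    return hops


def assess(raw):
    """Parse a raw message and report the header and link observations."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    hops = received_hops(msg)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    outside = [h for h in hops
               if not (h == sender_domain or h.endswith("." + sender_domain))]
    return {
        "sender_domain": sender_domain,
        "received_hops": hops,
        "hop_outside_sender_domain": outside,
        "mismatched_links": link_mismatches(html),
    }


if __name__ == "__main__":
    for key, value in assess(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Neither signal is proof on its own: legitimate mail is often relayed through third-party providers, and a mismatch between link text and href is common in marketing mail. The point is that both facts are only visible in the raw source, which is exactly what the quiz withholds.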