Quiz shows four out of five believed phishing email was genuine: Internet Scambusters #669
Results are in for a phishing test -- and they don't make good reading!
Only a tiny proportion of quiz participants managed to identify which messages were genuine and which were scams, according to a study by security firm McAfee.
How about you? Find out where to take the test in this week's issue.
Now, here we go...
Can You Pass the Phishing Test?
How good would you be at spotting a phishing attempt to steal your confidential information?
Most of us would probably feel fairly confident that we wouldn't be tricked into giving away our passwords to scammers. But apparently that's not the way it is.
Phishing, as all Scambusters readers hopefully know, is a trick, normally initiated by email or text, in which victims are usually directed to a fake replica of a well-known website.
There, they may be asked for sign-on details, credit card numbers, Social Security numbers, or other confidential information.
It turns out that the vast majority of people, even those who know all about phishing and identity theft, can be fooled.
Proof? According to Internet security firm McAfee, only 3% of the public got everything right in an online test of phishing vulnerability.
This wasn't a small test either -- 19,000 people took part.
The quiz presented 10 emails that participants were asked to review and say whether they were genuine or phishing attempts.
Four out of five participants mistook one phishing email as genuine.
Put another way, that suggests that if scammers send out enough phony emails to the same person, they'll eventually trick them into giving away their info.
The test was originally devised for McAfee's parent company, Intel Security, which subsequently presented it to 100 participants at a security conference.
Remarkably, even the experts could only identify about two-thirds of the fakes, and only 6% got everything right.
Gary Davis, vice president of global consumer marketing for McAfee, was quoted as saying: "Even if you're a security professional, it's hard to just look at these emails and say whether they're phishing or not. Every single one looks like a good email."
Even though the study is finished, you can take the test, presented in conjunction with CBS.
Usually, phishing emails, disguised as being from a particular bank or other company, are sent out at random in hopes that some of them will land in the inbox of genuine customers.
But a particularly nasty form known as spear phishing is more precisely targeted at particular individuals.
As we wrote in an earlier issue, "Whaling? These Scammers Target Big Phish," these are often more effective because they contain information about the recipient that seems to confirm they're genuine.
In another recent report, security research consultancy InfoSec Institute said that spear phishing enabled hackers to gain access to confidential information in two recent high-profile incidents -- involving retailer Target and entertainment company Sony.
Precise details of these specific incidents haven't been disclosed, but typically a spear phishing email would be targeted at either a highly placed executive or an IT professional within a company, tricking them into providing their sign-on details and thereby giving the hackers access to entire corporate systems.
"Spear phishing represents a serious threat for every industry, and the possibility that a group of terrorists will use this technique is concrete," said InfoSec Institute.
Five Key Steps
Given the high failure rate of even the experts, what can you do to reduce your risk of being conned into giving away your confidential information?
Here are five key steps:
* The first, and by far most important, tactic is to abandon your over-confidence, your belief that you wouldn't be fooled. You could be. Start from that position with every email you receive.
* Second, avoid distractions when reviewing your email. It's easy to thoughtlessly click on a link if you're not concentrating on the message.
* Third, be skeptical. Never assume an email message is exactly what it purports to be, even if it seems to come from companies you do business with or from friends.
* Fourth, if you can, avoid clicking on any links or attachments in unsolicited messages without confirming their origin with the sender. Instead of clicking links, independently visit websites via your browser.
* Finally, check for poor grammar, spelling and language usage -- often a giveaway for a scam.
The bottom line is that any email that asks you to click through to sign on to your account, whether directly or via a website, should be regarded as potentially suspect.
Phishing has been around since the earliest days of the Internet and is always in the Number 1 slot in our Annual Top 10.
That should be sufficient evidence that, from the crooks' point of view, it's a crime that pays. Don't let your guard down.
Alert of the Week
Fancy getting your home carpets cleaned for free? Got a coupon?
Hold on! Why would anyone want to do that job for nothing?
Perhaps they just want to get inside your house -- supposedly to inspect the carpets -- either to steal stuff or scope it out for a burglary.
You could be cleaned out. But not in the way you expected.
Be wary of such offers and don't let people inside to inspect your home until you've confirmed their identity.
That's all for today -- we'll see you next week.