How To Lose $12 Billion On A Hot Property >>
<< Old Folks Get A Mobile Phone (Finally)
 tdicon 

Scams

by Mike Masnick

Wed, Jul 28th 2004 2:09pm





Phishing Scams Amazingly Effective

from the no-wonder-you-get-so-many... dept

An anti-spam company showed a bunch of emails to people to see if they could spot the phishing scam emails from the legitimate emails and discovered that an awful lot of people are easily fooled. 28% of the time, people thought scam emails were legit. No wonder they're so popular these days. The study also turned up that there are problems with false negatives as well. A large number of perfectly legitimate emails are now being dismissed as fraudulent by users who are too weary of phishing scams. This, obviously, can be quite troublesome for companies who need a legitimate way to contact their customers. The answer seems pretty simple: don't put URLs in emails any more. If you need someone to check their account, tell them to go to your webpage and login, and have a clear splash page that details the issue. Then, convince people not to click on emails in these messages.

5 Comments | Leave a Comment

If you liked this post, you may also be interested in...

Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Chris Wuestefeld, Jul 28th, 2004 @ 3:26pm

    All the more confusing...

    I've received email claiming to be from my credit card company, and called them to verify that the message was legit. Their customer service reps couldn't tell me one way or the other. If the company can't themselves offer any guidance, how can the customers do better?

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    David Nesting, Jul 29th, 2004 @ 8:06am

    Need to promote digital signatures and SSL/TLS

    Much of the problem, in my opinion, is the lack of any real push for authentication and digital signatures. Browsers assume that most all web browsing is going to be non-secured, and thus streamline their interfaces to make non-secured web browsing as plain and comfortable as possible. Thus, users think that non-secured web browsing is OK and perfectly trustworthy. When they visit an SSL site, the only thing that changes for them is a tiny little yellow padlock in the status bar of their browser (if they have their status bar turned on).
    This is not the way to handle things.
    Browsers need to be a little more forthcoming with cues indicating that a web response is unauthenticated and unencrypted, and more importantly, when SSL or TLS *is* used, it should be VERY CLEAR to the user who exactly they're communicating with, based on real-world identity in the certificate, not just some vague, fuzzy relationship implied by a DNS domain name.
    Similarly, every official piece of correspondence sent by a company should be digitally signed. E-mail clients should place more importance on pointing out messages that LACK a digital signature, not on those that HAVE one.
    We often blame users for not paying attention to Internet transactions that are unauthenticated and unencrypted, but I place some fault on the part of the application developers for not pushing to make these concepts defaults instead of exceptions, as well as the certificate authorities for charging exorbitant fees for something so trivial to create.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Bob, Jul 29th, 2004 @ 1:35pm

    Re: All the more confusing...

    If the customer service rep couldn't tell you about the e-mail, it would have to be spam. There is no way you could communicate to all cust service reps each time spam in your companies name goes out. I'm sure most credit card companies would tell their CSR's when a legitimate e-mail is going out so that the CSR's can clarify any questions that customers may have about it.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Jul 30th, 2004 @ 8:39am

    Re: All the more confusing...

    Bob,

    ASSUME NOTHING !

    My employer, a MAJOR banking institution COMPLETELY rearranged their website & neglected to tell anyone, & I mean ANYONE in the Customer Service Department. Just rolled it out untested.
    I'll spare you the ensuing nightmares this has caused for our customers.

    Furthermore, CSR's are not told when mailings or emails go out. We often have no clue about what people are reading to us and we are forced to learn AFTER the fact what these poor customers are trying to tell us. Hell, the office that shoots out the mailings isn't even located in the same state as those of us that handle the calls !

    I feel very sorry for the people that invest with my employer & would never myself allow this company to handle a dime of my retirement.

    On a side note, treat the CSR's kindly & I can assure you that you have a much better chance of getting assistance because we ARE trained to get you off the phone asap. Most of us will gladly " go the extra mile " to help you if you treat us with a shred of decency.

    I TRULEY wish our upper management would get their shit together so we could give our customers the BEST service possible when they call us. Sadly, some over paid head honcho who doesn't deal with the investors on a one to one basis makes these decisions without even considering the consequences.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Guy, Oct 13th, 2006 @ 9:54am

    Re: Need to promote digital signatures and SSL/TLS

    Well, I'd like it to be known that since setting up my G-Mail account last year I've received four 'phishing' e-mails claiming to be from various services, most recently Bank of America. In all four incidents, the G-mail webclient has pointed out in bright red letters that "This e-mail may not be from a legitimate sender" and automatically categorized them as spam.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
How To Lose $12 Billion On A Hot Property >>
<< Old Folks Get A Mobile Phone (Finally)
 tdicon 
Follow Techdirt
Flattr rss rss
A word from our Sponsors...
Sponsored Resource
Essential Reading
Techdirt Reading List
Techdirt Insider Chat

A word from our Sponsors...
Recent Stories

Tuesday

8:02pm: WIPO: Informal Economy Innovates In The Absence Of Intellectual Monopolies (0)
5:00pm: DailyDirt: Augmented Vision (2)
3:50pm: States Attorneys General Want Special Exception To Blame Sites For Actions Of Users (37)
3:02pm: Google, Without Admitting It Gets FISA Orders, Files Lawsuit To Challenge FISA Gag Orders (21)
2:29pm: NYPD Commissioner Blasts NSA Secret Monitoring For Being Secret (19)
1:43pm: It's Come To This: Commentators Arguing That The Press Commits A Crime In Exposing NSA Surveillance (44)
1:00pm: US Chamber Of Commerce: Bollywood Is So Successful Without Strong Copyrights That It Will Fail Unless India Strengthens Its Copyrights (43)
11:58am: Senator Lindsey Graham Defends NSA Surveillance By Arguing About Something Entirely Different (51)
11:15am: NSA Claims Surveillance Programs Aided The Stopping Of 50 Attacks; Details Lacking (70)
10:31am: The NSA's Lockbox Has No Lock (45)
More arrow
A word from our Sponsors...

Close

Email This