Phishing Scams Amazingly Effective
from the no-wonder-you-get-so-many... dept
An anti-spam company showed a bunch of emails to people to see if they could tell the phishing scam emails from the legitimate ones, and discovered that an awful lot of people are easily fooled: 28% of the time, people thought scam emails were legit. No wonder they’re so popular these days. The study also turned up a false-negative problem: a large number of perfectly legitimate emails are now being dismissed as fraudulent by users who have grown too wary of phishing scams. This, obviously, can be quite troublesome for companies that need a legitimate way to contact their customers. The answer seems pretty simple: don’t put URLs in emails any more. If you need someone to check their account, tell them to go to your website and log in, and have a clear splash page that details the issue. Then, convince people not to click on links in these messages.
Comments on “Phishing Scams Amazingly Effective”
All the more confusing...
I’ve received email claiming to be from my credit card company, and called them to verify that the message was legit. Their customer service reps couldn’t tell me one way or the other. If the company can’t themselves offer any guidance, how can the customers do better?
Re: All the more confusing...
If the customer service rep couldn’t tell you about the e-mail, it would have to be spam. There is no way you could communicate to all customer service reps each time spam in your company’s name goes out. I’m sure most credit card companies would tell their CSRs when a legitimate e-mail is going out so that the CSRs can clarify any questions that customers may have about it.
Re: Re: All the more confusing...
Bob,
ASSUME NOTHING!
My employer, a MAJOR banking institution COMPLETELY rearranged their website & neglected to tell anyone, & I mean ANYONE in the Customer Service Department. Just rolled it out untested.
I’ll spare you the ensuing nightmares this has caused for our customers.
Furthermore, CSRs are not told when mailings or emails go out. We often have no clue about what people are reading to us and we are forced to learn AFTER the fact what these poor customers are trying to tell us. Hell, the office that shoots out the mailings isn’t even located in the same state as those of us that handle the calls!
I feel very sorry for the people that invest with my employer & would never myself allow this company to handle a dime of my retirement.
On a side note, treat the CSRs kindly &amp; I can assure you that you have a much better chance of getting assistance, because we ARE trained to get you off the phone asap. Most of us will gladly “go the extra mile” to help you if you treat us with a shred of decency.
I TRULY wish our upper management would get their shit together so we could give our customers the BEST service possible when they call us. Sadly, some overpaid head honcho who doesn’t deal with the investors on a one-to-one basis makes these decisions without even considering the consequences.
Need to promote digital signatures and SSL/TLS
Much of the problem, in my opinion, is the lack of any real push for authentication and digital signatures. Browsers assume that most all web browsing is going to be non-secured, and thus streamline their interfaces to make non-secured web browsing as plain and comfortable as possible. Thus, users think that non-secured web browsing is OK and perfectly trustworthy. When they visit an SSL site, the only thing that changes for them is a tiny little yellow padlock in the status bar of their browser (if they have their status bar turned on).
This is not the way to handle things.
Browsers need to be a little more forthcoming with cues indicating that a web response is unauthenticated and unencrypted, and more importantly, when SSL or TLS *is* used, it should be VERY CLEAR to the user who exactly they’re communicating with, based on real-world identity in the certificate, not just some vague, fuzzy relationship implied by a DNS domain name.
Similarly, every official piece of correspondence sent by a company should be digitally signed. E-mail clients should place more importance on pointing out messages that LACK a digital signature, not on those that HAVE one.
We often blame users for not paying attention to Internet transactions that are unauthenticated and unencrypted, but I place some fault on the part of the application developers for not pushing to make these concepts defaults instead of exceptions, as well as the certificate authorities for charging exorbitant fees for something so trivial to create.
Re: Need to promote digital signatures and SSL/TLS
Well, I’d like it to be known that since setting up my G-Mail account last year I’ve received four ‘phishing’ e-mails claiming to be from various services, most recently Bank of America. In all four incidents, the G-Mail web client has pointed out in bright red letters that “This e-mail may not be from a legitimate sender” and automatically categorized them as spam.