by Mike Masnick

Phishing Scams Amazingly Effective

from the no-wonder-you-get-so-many... dept

An anti-spam company showed a bunch of emails to people to see if they could tell the phishing scam emails from the legitimate emails, and discovered that an awful lot of people are easily fooled. 28% of the time, people thought scam emails were legit. No wonder they're so popular these days. The study also turned up that there are problems with false negatives as well. A large number of perfectly legitimate emails are now being dismissed as fraudulent by users who are too wary of phishing scams. This, obviously, can be quite troublesome for companies who need a legitimate way to contact their customers. The answer seems pretty simple: don't put URLs in emails any more. If you need someone to check their account, tell them to go to your webpage and log in, and have a clear splash page that details the issue. Then, convince people not to click on links in these messages.

Reader Comments

  • Chris Wuestefeld, 28 Jul 2004 @ 3:26pm

    All the more confusing...

    I've received email claiming to be from my credit card company, and called them to verify that the message was legit. Their customer service reps couldn't tell me one way or the other. If the company can't themselves offer any guidance, how can the customers do better?


    • Bob, 29 Jul 2004 @ 1:35pm

      Re: All the more confusing...

      If the customer service rep couldn't tell you about the e-mail, it would have to be spam. There is no way you could communicate to all cust service reps each time spam in your company's name goes out. I'm sure most credit card companies would tell their CSRs when a legitimate e-mail is going out so that the CSRs can clarify any questions that customers may have about it.


      • Anonymous Coward, 30 Jul 2004 @ 8:39am

        Re: All the more confusing...

        My employer, a MAJOR banking institution, COMPLETELY rearranged their website & neglected to tell anyone, & I mean ANYONE in the Customer Service Department. Just rolled it out untested.
        I'll spare you the ensuing nightmares this has caused for our customers.

        Furthermore, CSRs are not told when mailings or emails go out. We often have no clue about what people are reading to us and we are forced to learn AFTER the fact what these poor customers are trying to tell us. Hell, the office that shoots out the mailings isn't even located in the same state as those of us that handle the calls!

        I feel very sorry for the people that invest with my employer & would never myself allow this company to handle a dime of my retirement.

        On a side note, treat the CSRs kindly & I can assure you that you have a much better chance of getting assistance because we ARE trained to get you off the phone asap. Most of us will gladly "go the extra mile" to help you if you treat us with a shred of decency.

        I TRULY wish our upper management would get their shit together so we could give our customers the BEST service possible when they call us. Sadly, some overpaid head honcho who doesn't deal with the investors on a one-to-one basis makes these decisions without even considering the consequences.


  • David Nesting, 29 Jul 2004 @ 8:06am

    Need to promote digital signatures and SSL/TLS

    Much of the problem, in my opinion, is the lack of any real push for authentication and digital signatures. Browsers assume that most all web browsing is going to be non-secured, and thus streamline their interfaces to make non-secured web browsing as plain and comfortable as possible. Thus, users think that non-secured web browsing is OK and perfectly trustworthy. When they visit an SSL site, the only thing that changes for them is a tiny little yellow padlock in the status bar of their browser (if they have their status bar turned on).
    This is not the way to handle things.
    Browsers need to be a little more forthcoming with cues indicating that a web response is unauthenticated and unencrypted, and more importantly, when SSL or TLS *is* used, it should be VERY CLEAR to the user who exactly they're communicating with, based on real-world identity in the certificate, not just some vague, fuzzy relationship implied by a DNS domain name.
    Similarly, every official piece of correspondence sent by a company should be digitally signed. E-mail clients should place more importance on pointing out messages that LACK a digital signature, not on those that HAVE one.
    We often blame users for not paying attention to Internet transactions that are unauthenticated and unencrypted, but I place some fault on the part of the application developers for not pushing to make these concepts defaults instead of exceptions, as well as the certificate authorities for charging exorbitant fees for something so trivial to create.


    • Guy, 13 Oct 2006 @ 9:54am

      Re: Need to promote digital signatures and SSL/TLS

      Well, I'd like it to be known that since setting up my G-Mail account last year I've received four 'phishing' e-mails claiming to be from various services, most recently Bank of America. In all four incidents, the G-mail webclient has pointed out in bright red letters that "This e-mail may not be from a legitimate sender" and automatically categorized them as spam.

