How good are you at identifying phishing scams? Interesting quiz at siteadvisor.com showing screenshots of 10 real sites and their phished counterparts side by side. I consider myself pretty well versed at picking out the tell-tale signs, but only got 8/10. What’s really scary is the fact that the quiz called me a “guru” for getting that score – which means that 20% of phishing sites are good enough to fool pretty much everyone (although the screenshots from the two I missed didn’t show the URLs, which is probably the most critical clue, though even those can be made to look convincing, or wholly spoofed in various ways).
How’d you score, and what threw you off?
Music: The Meters :: Chug Chug Chug-A-Lug-(Push N’ Shove)-Part II-(w Meters)
9 of 10.
That at $3 will get me….
8 out of 10 also. I’m pretty sure I’d have got all 10 if the URLs were visible. But it was a good exercise to force you to really look closely at the content for clues.
SPOILER:
The two that threw me were:
1) Chase Bank asking for your SS#. That threw up red flags for me, when it shouldn’t have. It may not be the best idea for banks to do this, but it’s actually quite common. Wells Fargo defaults to using your SS# as a login.
2) Amazon offering to let you log in with their non-secure server “if the secure one doesn’t work for you.” Turns out that was legit, which seems kind of crazy.
9/10.
I got the paypal email wrong. I assume any email from paypal is a phishing scam!
I assumed the first one was the scam because it was asking for your password to reactivate your account.
The second one was a notification to check a new message. Most banks do that, so I assumed it was OK without reading/seeing the scary warning.
All of the examples without the URL are tough because you have to rely on language alone.
Well, if your credit card on file at PayPal expires, they have to send you an email to ask you to enter an updated one, right? So they do send legit emails. The lack of global rules you can apply makes this so much more complicated.
I agree on the examples without URLs – it’s not a real-world test, since you would always have access to that.
I just wish I could train my parents to View Source in their emails, and to study/understand the URLs in them.
I got a 10/10. The sites without URLs took a minute longer, but I’m wary of any site that would ask an established customer for enough information to open or use a credit card account, like asking for the full Social Security number as opposed to the last 4 digits or the signature code on the back of the card. The signature code was what threw a big red flag on the Capital One site. The only time I’ve ever been asked for that is when I’m buying something, not banking.
I’ve finally gotten my parents and grandparents in the habit of going directly to the site if they get an email informing them of a “problem”, instead of clicking on the link in the email.
True. The background on my commentary is that I have NEVER received a legit email from PayPal, unless I was confirming my email address on opening an account, and I get a LOT of email claiming to be from PayPal…
I would like to see a bank take a well-known policy of “no links in email.” How difficult would it be to send a notification of a “message” waiting in your secure banking inbox without any links? Would consumers who already use online banking find it that difficult to fire up their own browser and type in http://www.citibank.com? It seems to me that this would largely (but not completely) solve the phishing problem.
Ah – My example about the expired credit card was from just last week, when I did receive a legit email from them. I didn’t save it, but if I recall, it did not include a clickable link, exactly as you suggest.
Paypal is the worst when it comes to their emails. Their legit emails look shady, so I’m never quite sure. I missed that one on the quiz, and I’m a prolific paypal user. When I get an email from Paypal, I always log in by pulling up the site manually (https://www.paypal.com) and then checking to see if there are any outstanding issues.
My other miss was Rupert Murdoch’s Myspace (TM). It’s a rare day I go there, and usually then only to get a quick sample of a band, or get a reminder of what the internet was like circa 1997. Bugmenot is my rule for logins there, so I’m personally not too worried about getting scammed. Of course those who spend their life not having one might be more vigilant.
PayPal phishing is simple to detect.
PayPal e-mail will *always* address you by First/Last name (which you provide when you sign up). Not username, not e-mail address. Any e-mail claiming to be from PayPal that does not include your real First/Last names as a salutation is fraudulent.
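The thread converges on three mechanical tells: study the URLs in the message (and distrust links altogether, since a bank can notify you without one), and check whether the salutation uses your real name. The script below is an added example, not part of the original post or any commenter's code, that runs those heuristics over two constructed HTML messages: one built to look like the PayPal phish discussed above (visible link text says paypal.com, the href does not), and one link-free notice that greets the reader by name. `registrable_domain` is a deliberately naive last-two-labels heuristic, an assumption noted in the code; a production check would consult the Public Suffix List. The salutation rule is the commenter's PayPal claim applied literally, so it flags any message that does not greet the configured account-holder name.

```python
"""Heuristic checks for the phishing tells discussed in the thread.

Added example; sample messages are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: visible link text claims paypal.com, the href goes
# elsewhere, the greeting uses the e-mail address, and the link is plain http.
PHISH_HTML = """<html><body>
<p>Dear customer@example.org,</p>
<p>Your account has been limited. Please visit
<a href="http://paypal.com.account-verify.example.net/login">
https://www.paypal.com/cgi-bin/webscr</a> to restore access.</p>
</body></html>"""

# Constructed sample: the "no links in email" style notice from the thread,
# addressed by real name and telling the reader to type the address themselves.
LEGIT_HTML = """<html><body>
<p>Dear Jane Doe,</p>
<p>The card on file has expired. Log in at www.paypal.com to update it.</p>
</body></html>"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a>, plus the message's text."""

    def __init__(self):
        super().__init__()
        self.links = []        # (href, visible text) pairs
        self.text_parts = []   # all character data, for the salutation check
        self._current = None   # anchor currently being accumulated

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(text):
    """Hostname from a full URL or a bare hostname such as 'www.paypal.com'."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def registrable_domain(host):
    """Assumption: last two DNS labels are the registrable domain.
    Real code should use the Public Suffix List (co.uk etc. break this)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Visible anchor text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def check_email(html, expected_name, expected_domain):
    """Return a list of human-readable findings; an empty list means clean."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []

    # Salutation rule from the thread: the real first/last name must appear.
    text = " ".join(parser.text_parts)
    match = re.search(r"\bDear\s+([^,\n]+)", text)
    salutation = match.group(1).strip() if match else ""
    if expected_name.lower() not in salutation.lower():
        findings.append(f"salutation does not use the account holder's name: {salutation!r}")

    brand = expected_domain.split(".")[0]
    for href, visible in parser.links:
        href_host = host_of(href)
        href_dom = registrable_domain(href_host)
        # Link text that looks like a URL but resolves to a different domain.
        if URL_LIKE.match(visible) and registrable_domain(host_of(visible)) != href_dom:
            findings.append(f"link text {visible!r} but href goes to {href_host!r}")
        # The brand name buried in someone else's registrable domain.
        if href_dom != expected_domain and brand in href_host:
            findings.append(f"look-alike host {href_host!r} is not {expected_domain!r}")
        if urlsplit(href).scheme == "http":
            findings.append(f"plain-http link {href!r}")
    return findings


if __name__ == "__main__":
    for label, msg in (("phish", PHISH_HTML), ("legit", LEGIT_HTML)):
        print(label, check_email(msg, "Jane Doe", "paypal.com"))
```

The constructed phish trips all four checks (wrong salutation, text/href mismatch, look-alike host, plain http); the link-free notice produces no findings. Note what the heuristics cannot see: a message whose anchor text is just "click here" passes the mismatch check, which is exactly why several commenters prefer to ignore the links and type the address themselves.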