
The Science of Stupidity

Nothing helps the clueless.



Imagine a focus group study performed by acknowledged academics from Harvard and UC Berkeley. Imagine the professors want to see how difficult it is for people to detect fraudulent websites. Imagine further the professors tell everyone up front what the study is about - namely that they will be looking at a number of websites and that some of these will be fraudulent.

Imagine now that the professors actually speak with their group as the test progresses, asking them questions like 'well how about that site - does that look alright to you' and so forth. 'Our study primed participants to look for spoofs', the professors pointed out.

And finally imagine almost nobody picked out the phishers. For that's exactly what happened.

Mac OS X 10.3.9

'We used an Apple G4 PowerBook laptop running Mac OS X (version 10.3.9)', wrote the professors. 'Participants signed a consent form, answered basic demographic questions, and read the study scenario and instructions. We then showed them the list of linked websites. As each website was viewed we asked the participant to say if the site was legitimate or not, state their confidence in their evaluation (on a scale of 1-5) and their reasoning.

Participants were encouraged to talk out loud and vocalise their decision process. We also asked participants if they had used this website in the past or if they had an account at the website's organisation.'

'Imagine that you receive an email message that asks you to click on one of the following links. Imagine that you decide to click on the link to see if it is a legitimate web site or a spoof (a fraudulent copy of that website).'

'This study illustrates that even in the best case scenario, when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate website from a spoofed website', say the professors.

'The best phishing site was able to fool more than 90% of participants.'

  • 23% of the study's participants did not look at the address bar, status bar, or the security indicators.
  • 68% proceeded without hesitation when presented with popup warnings about fraudulent certificates.

Auburn Montgomery

From: Jeff W. Anderson, Ph.D.
To: Everyone
Priority: High
Subject: Email Phishing Warning

We have noticed an increase in phishing attempts, similar to the message below. AUM will never request that you provide your user name and password in an e-mail. You should not provide any private information, including passwords, through e-mail.

Here is an example of a recent phishing attempt:

-------------------------------------------

Subject: ATTENTION: EDU WEBMAIL SUBSCRIBER:

ATTENTION: EDU WEBMAIL SUBSCRIBER:

This mail is to inform all our {EDU WEBMAIL} users that we will be upgrading our site in a couple of days from now. So you as a Subscriber of our site you are required to send us your Email account details so as to enable us know if you are still making use of your mail box. Further informed that we will be deleting all mail account that is not functioning so as to create more space for new user. so you are to send us your mail account details which are as follows:

*User name:
*Password:

Failure to do this will immediately render your email address deactivated from our database.

Your response should be send to the following e-mail address.

(end of phishing example)
-------------------------------------------

Other phishing attempts include messages that appear to have been sent from financial institutions or companies such as Microsoft. Your financial institution will never ask you to provide your account information through e-mail, and Microsoft does not send out updates through e-mail.

When you receive these types of messages, you should delete them and not respond. It is also a good practice to avoid clicking on any links in suspicious e-mail messages.

If you feel you have been a victim of a phishing scheme regarding your AUM account, please contact the ITS Help Desk at 244-3500 or helpdesk@aum.edu.

Thank you,

Jeff W. Anderson, Ph.D.
Chief Information Officer
Auburn University - Montgomery

Several Days Later...

From: Jeff W. Anderson, Ph.D.
To: Everyone
Priority: High
Subject: Phishing Update

I would like to stress, again, that you should NEVER send your user name and password to ANYONE through email. If you receive a request for this information, it is most likely an attempt to use your account for fraudulent purposes.

In my previous alert, I included the text of a phishing email as an example. Some students misunderstood that I was asking for user name and password, and replied with that information. Please be aware that you shouldn't provide this information to anyone.

If you do receive an email requesting your credentials, please call the help desk at 244-3500, or forward the email to helpdesk@aum.edu. Do not reply to the message, even if it states that you account [sic] will be disabled.

I apologize for the confusion.

Thank you,

Jeff W. Anderson, Ph.D.
Chief Information Officer
Auburn University - Montgomery

Phishing goes back through the mediums of telephone, fax, and written letter but there's a single universal truth that's as relevant today as it ever was: you have nothing to fear unless you are a complete and utter moron who is happy to give your personal information to a complete stranger for the simple reason that they ask you nicely for it. Sometimes I find it hard to believe just how many people fall into this category.
 - 'JD'

College. Whar u go 2 lern... n stuff. Seriously, they should have kicked anyone that replied to that email out of school. 'Sorry kid, you're too stupid to get a degree. Try going back to fourth grade to learn critical reading skills.'
 - 'Captain Obvious'

See Also
The Daily WTF: Go Phish

Copyright © Rixstep. All rights reserved.