This Phishing test shows how hard it can be to distinguish between legitimate e-mails and those of scammers trying to trick you into giving away sensitive information.
I got a 9/10 on the quiz, marking one a fraud that was legitimate, but I’d rather err on the side of caution.
In fact, if you ever doubt the legitimacy of an e-mail, it’s better to assume it’s a scam and be wrong than to assume it’s official and be scammed. I suggest going directly to the site by typing in the URL (the link from an e-mail could be spoofed or misleading). Once you’re at the site you can log in to your account to verify the e-mail’s claims.
I received a 6/10. Two that I said were frauds were actually legit and the other two I said were legit were indeed frauds. It’s a good thing I follow my policy; if I didn’t request the information, I don’t respond. In fact, when it comes to emails, if it isn’t from someone I know I delete without opening.
Very nice!
I got a 5/10 : \
9/10 I blew it on the Earthlink one. I almost put fraud on there because there was a typo.
Oopps.. Only 6 of 10. I have a very similar policy to Babs, if I don’t know why it came to me, it’s gone.
I don’t get that test. I always look at the link, and those are disabled here, so it’s impossible to tell what’s legit and what isn’t. I’m under the assumption that I’m safe whenever I look where the link is going.
Cameron: That assumption is not always correct.
There was a security hole in Internet Explorer that allowed people to change the visible link to something other than the actual destination.
Javascript can also mask the real URL. For instance, here’s a page with a link to my site that looks like a link to Google in some browsers.
I scored 7/10, but, like Cameron I was thrown off because I was looking at the links. My method for determining which were frauds was to look at the wording. If it seemed “off” then I marked it as fraud. Plus, as I tell my mother, if I’m not comfortable with the information that is being requested, then I assume it’s fraud.
Here is a blog entry about links that don’t go where you may think they’ll go. It also has links to other resources about common tactics of tricking users into thinking they’re going to a legitimate site.
These sites are particularly useful:
How to obscure any URL
How URL obfuscation works
Wikipedia on Phishing
Cameron: If you’re not using IE, take a look at this page with two links to PayPal. They’re using a homograph attack, which makes the URL look identical to the real one.
I must say that I’m a bit surprised. I thought the simplicity of my approach was failsafe, but now I’m worried. It appears I can get around this though by setting “network.enableIDN” to false, if I can find out where to put this.
Firefox rox. To change it, just type about:config in the url bar (I then filtered it with IDN). You can right-click on a setting and then toggle and it’s saved instantly.
Enthusiasm for ease of config aside though, I’m not sure if it helps — I still get sent to the new URL, though looking at the url would be suspicious enough for me to consider it fraud (note the dual http).
Wow. The Firefox developers already released a fix. Metafilter has more about it.
I got 10/10! that last visa one was clever though, using a button that doesn’t show you where it’s taking you.