Fake e-mails fool users 28 percent of the time

[the mul]

Consumers still falling for phish
Fake e-mails fool users 28 percent of the time, study finds

July 28, 2004

Confused by what's arriving in your inbox? You're not alone. Nearly one out of three Internet users was unable to tell the difference between fraudulent e-mails designed to steal their identities and legitimate corporate e-mail, a new study finds.

advertisement

Anti-spam firm MailFrontier Inc. showed 1,000 consumers examples of so-called "phishing" e-mail as well as legitimate e-mail from companies such as eBay and PayPal. About 28 percent of the time, the consumers incorrectly identified the phishing messages as legitimate.

What's more, the legitimate e-mails were often dismissed as potential fraud. An e-mail message from the Federal Trade Commission was dismissed as a fraud by 50 percent of the consumers.

"We knew we'd fool a few people, but we're pretty surprised by 28 percent," said Anne Bonaparte, CEO of MailFrontier. "A number of (the phishing e-mails used in the study) have been around for a while."

'We are losing on both ends'
One reason the look-alike e-mails continue to fool consumers: the people behind them are getting much better at their craft.

"We've definitely seen quite an improvement in grammar, for example," Bonaparte said. "Early versions wouldn't have fooled too many people. Now, they fool a number of us. We did the test here at work and some people had embarrassing results."

One very well-distributed PayPal look-alike e-mail, which claimed credit card information needed to be updated, fooled 31 percent of users surveyed, she said.

"That one was written widely about. You would not have thought that would have fooled people," she said.

Meanwhile, a simple note from PayPal indicating that a payment had been made, which asked for no personal information, was described as a fraud by 20 percent of those studied.

"We are losing on both ends right now," said Dave Jevens, chairman of the Anti-Phishing Working Group, a consortium of companies fighting the problem. He said he wasn't particularly surprised by the results of the study.

"I've seen professionals who work in the industry fall for these. As we can see from this report, it's hard to tell bad mail from good mail. ... It's undermining the ability of people to communicate."

(Think you'd do better at sniffing out the real McCoy? MailFrontier has published a "fair or phish" test similar to the one it used in its study on.

http://www.mailfrontier.com/


The mul

[snowbound]

hmm....6 out of 10.

A little disturbing.


snowbound

[GlobalForce]

hmmm, seventy percent. A bit more than a little, disturbing.

[MikeBCda]

Hmm, 70 percent here too.

The PayPal ones were easy in one way -- totally aside from the links, PayPal has emphasized that any legit email from them will always address you by full name, never as "Dear customer" or the like.

I mis-guessed one or two of the legit ones -- and my reaction in those cases was that, given what we (should, anyway) know about phishing, those operations are operating very sloppily. More and more legit operations will no longer under any circumstances use email to ask for an acount verification, relying instead on snailmail or even phone calls.

[GlobalForce]

Quote:

Posted by MikeBCda: PayPal has emphasized that any legit email from them will always address you by full name, never as "Dear customer" or the like.

Thanks for pointing that out Mike, makes sense. I suppose if you know who you're dealing with, just be thorough when checking, hmmm?