Can You Spot The Phish Attack?

Knowing the difference between a legitimate e-mail and a phishing e-mail is not always as easy as one would think.

According to data from e-mail security firm MailFrontier, only four percent of users can spot phished e-mail 100 percent of the time. That’s a very sobering thought as the holiday season is upon us and Americans flock online for their shopping needs.

MailFrontier’s data comes from its Phishing IQ Test, which consists of 10 example e-mails; for each one, users must decide whether they think it is legitimate or a fraud, or say that they cannot tell.

The example e-mails are from Chase, PayPal, Bank of America, Washington Mutual, MSN, EarthLink and Amazon.

The average score in 2005, according to MailFrontier, is 75 percent, which is up from 61 percent in 2004.

Andrew Klein, manager with the MailFrontier Threat Center, noted that improvement in test takers’ ability to spot a phishing attempt occurred over time.

“We believe this is the result of people becoming more aware of phishing in general,” Klein said. “They got more suspicious.”

One of the surprising results of the survey, according to Klein, is that younger people (18-24) are more likely than older people (55+) to be fooled by a phishing attack.

MailFrontier said there are five main myths surrounding phishing.

The first myth is that people can actually detect a phishing attack. Though people are getting better at identifying phishing attacks, Klein argues that there is still a good chance someone will consider a phishing e-mail to actually be legitimate.

The second myth is that spam filters can detect and stop phishing attacks.

“By now most people agree that spam and phishing e-mail are different, with phishing e-mail designed to look like legitimate transactional e-mail a user would expect to receive,” Klein noted. “To catch a phish, a different set of evaluation criteria is required to help distinguish the legitimate from the phishing e-mail.”

Domain authentication as a vehicle to stop phishing e-mail is the third phishing myth. Klein argues that spammers, as well as phishers, have already shown they can publish authentication records for the domains they obtain.

The fourth myth is that detecting URL exploits can stop phishing attacks.

“URL exploits are a good indicator that something is amiss, but by themselves they cannot be proof positive,” Klein explained. “Legitimate companies use techniques like URL redirection, long URLs (that run beyond the end of the status bar) and even raw IP addresses in their legitimate e-mail.”

“Phishers understand the legitimate uses and take advantage of them.”
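As an added illustration of Klein's point (example code, not from the article or from MailFrontier), the following Python applies the three URL heuristics he names to two constructed links and shows that neither "indicators present" nor "indicators absent" settles the question; comparing the link's registrable domain against a hypothetical allowlist of the brand's real domains is what separates them. The domain extraction keeps only the last two hostname labels, a simplification that ignores public-suffix rules.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist of the brand's genuine domains (constructed for this example).
KNOWN_DOMAINS = {"example-bank.com"}

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def url_indicators(url: str) -> dict:
    """Apply the three 'URL exploit' heuristics named in the article to one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    raw_ip = _IPV4.fullmatch(host) is not None
    long_url = len(url) > 80  # arbitrary stand-in for 'runs past the status bar'
    # Redirection: some query parameter carries a second, absolute URL as its value.
    redirect = any(v.lower().startswith(("http://", "https://"))
                   for values in parse_qs(parsed.query).values() for v in values)
    return {"raw_ip": raw_ip, "long_url": long_url, "redirect": redirect}


def indicator_count(url: str) -> int:
    """Number of heuristics that fire; a legitimate link can score high here."""
    return sum(url_indicators(url).values())


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (no public-suffix list, so a simplification)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain_matches(url: str, known_domains=KNOWN_DOMAINS) -> bool:
    """The decisive check: does the link land on a domain the brand actually owns?"""
    host = urlparse(url).hostname or ""
    if _IPV4.fullmatch(host):
        return False  # a bare IP address can never match a registered brand domain
    return registrable_domain(host) in known_domains


# Constructed sample links (not taken from the article).
LEGIT_TRACKING = ("https://click.example-bank.com/t?cid=0123456789abcdef0123456789abcdef"
                  "&dest=https://www.example-bank.com/account/statements/2005/november")
LOOKALIKE = "https://www.example-bank.com.account-verify.example.net/login"

if __name__ == "__main__":
    for name, url in [("legitimate tracking link", LEGIT_TRACKING), ("look-alike host", LOOKALIKE)]:
        print(f"{name}: indicators={indicator_count(url)}, domain ok={sender_domain_matches(url)}")
```

The legitimate tracking link trips two of the three heuristics while the look-alike trips none, so a filter that relies on those indicators alone gets both cases wrong; only the domain check gives the right answer for each.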

The last, and perhaps most important, myth is that people don’t need to do anything to protect themselves and their companies from phishing e-mail.

Doing nothing can lead to the loss of personal, financial and even corporate information. MailFrontier forecasts that phishing e-mail will be up by 25 percent from 750 million last year to one billion this year.

Will this criminal deluge continue unabated, or is there a way to beat phishing? Klein asserts that it can’t be beaten but it can be made economically unattractive.

“Spam has not quite disappeared yet. Neither have viruses. So I don’t think phishing will, either,” Klein said. “The idea is to raise the technological, awareness, and economic hurdles so high that the phishers move on to the next exploitation.”

Adapted from
