Thursday, June 18, 2015

To Click or Not to Click

Late last year, CBS News offered a ‘’test” to determine its readers’ ability to spot emails that were used in phishing scams.  The object of the online quiz, conducted through Intel Security, was for readers to correctly identify the legitimate and phony emails from among 10 samples.  In May, CBS published its results.  Of the 19,458 persons participating from throughout the world, 80% missed at least one of the fake emails.  Only 3% of the participants got a perfect score.   

“Phishing” is the use of emails to obtain personal information (such as user names, passwords, account numbers or credit card details) for illegal or improper purposes.  While some of these will actually ask for information, most simply want the user to click on a link that activates malware allowing the phishing party to access information without the user’s knowledge.  

Early phishing scams involved massive distributions with the knowledge that even a small percentage of responses would be worthwhile.  Relatively quickly (and after broad public warnings), most recipients learned to look for things such as poor spelling, bad grammar and unknown/unusual URLs as tip-offs to nefarious activity.

While some of these scatter-gun approaches are still used (such as purported requests from the IRS to update information in order to facilitate online filing of a tax return or the payment of a refund), they are generally of a much higher quality due to the sophistication of both phishers and users.   The widespread use of social media/networking sites has enabled phishing to target particular individuals, groups or entities through the use of personal information available at such sites.  It should come as no surprise that such “spear phishing” has a much higher rate of return than the mass-distribution method.  Who isn’t more likely to respond to, or at least look at, an email from one’s own bank, credit card account or the resort where you recently stayed for a weekend?

What the CBS News study tells us is that it is more than likely that everyone has fallen for a phishing email at some time without knowledge.  Given the entrepreneurial bent of the phishers, it is also likely that the opportunities for being hooked will continue.

But there are things that everyone can do to reduce this possibility.  Install and maintain up-to-date security software.  Look closely at email addresses and text for anything out of the ordinary.  Even with spam/phishing editors – seriously, this is a currently available service– you may still note misspellings, poor grammar or funny sentence structure.  Do not EVER respond to an email requesting personal or financial information, and resist the urge to click on any link unless you are confident about the source of the email.  If you know that you have been scammed, you should forward the subject email to and to the company or institution that was impersonated in the email.  You can also file a complaint with FTC at

Unfortunately, the high level of phishing traffic negatively affects the success of well-intentioned persons wanting to market via cold-call emailing.  How legitimate promotions may be perceived must be considered in light of the various ploys used for illegitimate purposes.  Case in point: the most frequently mistaken email in the CBS News/Intel test was actually from a legitimate source, but was perceived as likely fraudulent because it included free “click on” ads.

In deference to the subject matter of this article, I planned to insert no links, but relented and added links for the government complaint references.  I cannot speak to the other links that may appear, but am reasonably certain that the editor(s) of Entreview are not inclined to implement or use any method of misdirection or inappropriate information capture (assuming they were technically capable), so you should be safe to click away. 

No comments :

Post a Comment