A little phishing knowledge may be a dangerous thing

Phishing works more frequently on those who understand what social engineering is than on those who live in blissful ignorance, or so a study of students at University of Maryland, Baltimore County suggests. Citing IBM data suggesting human error is a factor in 95 per cent of security incidents, researchers from the school's …

  1. Jamie Jones Silver badge

    I'll often open an obvious phishing email to see what kind of ridiculous scam they're pulling, I'll even sometimes follow links if I'm bored, and the link is generic.

    1. AMBxx Silver badge
      Trollface

      Could you help us all out by providing your email address?

      1. Kane
        Trollface

        "Could you help us all out by providing your email address?"

        Also the 12 digits from the front of your credit card, the expiry date and the three digits on the back of your card would do nicely also.

        Sorry, forgot to mention, You Have Been Selected As A Winner For The ULTIMATE PRIZE DRAW!! We Just Need Your Personal Details In Order To Process Your Payment! Please Provide Swiftly!!

      2. Jamie Jones Silver badge
        Trollface

        "Could you help us all out by providing your email address?"

        I've posted it here before. It's also easily googleable.

        For some strange reason, some people here assume that I use a mail system that launches external programs on command from an email message. Why on earth would anyone do that?

        Apologies to the downvoters (yeah, yeah, bring it on!) for assuming you were at least mildly technical, and didn't live in an MS bubble.

      3. Arthur the cat Silver badge

        Could you help us all out by providing your email address?

        When bored I've given phishers one of my email addresses. Usually it's the fuck.off@just.fuck.off.right.now.com one, sometimes it's the kill.the.president@whitehouse.gov one. They're quite welcome to send email to those, especially the latter one.

      4. WolfFan Silver badge

        Could you help us all out by providing your email address?

        TheDonald@whitehouse.gov

    2. Anonymous Coward
      Anonymous Coward

      We had someone like you at a company where I worked a year or two ago ... he got a phishing email - decided to investigate a bit and then did a "forward to all" on the message along with a comment "if you get an email like this delete it as I've checked and the attachment contains <list of viruses>".

      Needless to say, this was followed up shortly by a reply-to-all from the IT department which gave an item by item list of the corporate IT security rules that he had broken (not reporting suspisious emails to IT, opening suspisious attachments, emailing viruses, etc, etc)

      1. Jamie Jones Silver badge
        Facepalm

        "We had someone like you at a company where I worked a year or two ago ... he got a phishing email - decided to investigate a bit and then did a "forward to all" on the message along with a comment "if you get an email like this delete it as I've checked and the attachment contains <list of viruses>"."

        In other words, nothing like me at all.

        1. Robert Carnegie Silver badge

          "nothing like me at all"

          It's exactly like you. You want to play with phishers. Don't. They do this for a living, they are better at it than you are, they will win.

          1. WolfFan Silver badge

            Re: "nothing like me at all"

            It's exactly like you. You want to play with phishers. Don't. They do this for a living, they are better at it than you are, they will win.

            No it isn't. And phishers are useless skiddies and will lose. And you're absolutely no fun at all.

            1. Michael Wojcik Silver badge

              Re: "nothing like me at all"

              phishers are useless skiddies

              It's likely a majority of phishers are botnets, and don't care one way or the other whether you "play" with them. In many cases they're zombie botnets that have lost access to a C&C server and aren't accomplishing anything beyond generating email traffic.

              Of course with more complex campaigns (419 and other transfer scams, for example), there often is a human reading replies, possibly after some initial automated screening, and there are people who make a hobby of baiting them. But as you say, they're generally just following scripts - which is not the sort of script in the traditional definition of "script kiddie", but the term works just as well here.

              Anyone with any real expertise who's working in this area is doing spearphishing, "business email compromise" (aka "CEO fraud", etc), or the like. They might have some automated mass campaigns running for the hell of it, but they're not paying any attention to recipients trying to bait them.

          2. Jamie Jones Silver badge
            Flame

            Re: "nothing like me at all"

            "It's exactly like you. You want to play with phishers. Don't. They do this for a living, they are better at it than you are, they will win."

            You know nothing about me. You know nothing about what I know.

            You seem to think that reading an email in "mailx" (unix, command line) somehow opens me up to all sorts of hassle.

            You seem to think that me fetching a page url with fetch/curl or opening it in w3m will pwn me.

            You don't know about the work I did with rfc822 back in 1991, or the "reverse engineering" of session-based (cookie/GET token/POST token/other http headers) web sites I did professionally (BT regretted that I did) a number of years ago.

            You presumably think that because someone posts crappy jokes, and comments with terrible spelling, they are somehow inferior.

            So shut-up. You don't know me. You don't know what I know.

            And please inform me next time I've stumbled from the "El Reg" forums into a high-level professional technical meeting. I promise to wear a suit. It will probably impress you.

      2. Tigra 07
        Coat

        RE: AC

        Suspisious spelling of suspicious is definitely suspicious...Is this i scam?

    3. Anonymous Coward
      Anonymous Coward

      I'll often open an obvious phishing email to see what kind of ridiculous scam they're pulling,

      Me too, but never on a Windows box. Usually on Solaris, or some other *nix where I'm not running with admin rights.

      1. Jamie Jones Silver badge
        Trollface

        "Me too, but never on a Windows box. Usually on Solaris, or some other *nix where I'm not running with admin rights."

        I thought that went without saying, but you rightly pointed that out for the downvoters here! (yes, yes, "the first rule about.... etc.". bring it on slimeballs! :-) )

    4. GnuTzu
      Boffin

      Attachments

      Um, there are business procedures for these things. And, when forwarding a suspected infected email to an infosec analyst, you do it as an attachment, right?

      Maybe someday, I'll share my Vim syntax highlighting for email headers, because it's just fascinating to see how far a serious phishing campaign will go to make an email look as if it's coming from inside your own business, which can involve a pair of malicious MTA's and a malicious DNS server to spoof your company's domain name in the email headers. I've seen just this sort of thing singled out by Proofpoint mail filtering.

      But, if you're afraid of opening an email in your mail program, then get a new mail program. Just don't click any damn links, and make sure your email program doesn't display remote images. And, if you're in an enterprise environment, I would hope the relevant mail settings are already correctly set by GPO. Here, we even have a report phishing button in the Outlook ribbon, and it just makes everything so much nicer.

  2. Mark 85

    This could just be more along the lines of "curiosity killed the cat", where a little knowledge leads to overconfidence.

    1. Anonymous Coward
      Anonymous Coward

      Arthur the cat will be hoping not.

      1. Arthur the cat Silver badge

        Arthur the cat will be hoping not.

        Fortunately it's over on Mars and I'm here on Earth.

  3. deadlockvictim

    E-mail Client

    That 80% opened a phishing e-mail is not a surprise.

    Most e-mail clients open the e-mail in a side-pane or in the whole pane on a small form factor device. I avoid reading e-mails on tablets, smartphones and the like because it can be difficult to tell well-laid out phishing e-mails from the real thing.

    Mouse-over the link to see where you will be re-directed to.

    1. AMBxx Silver badge
      Boffin

      Re: E-mail Client

      Mouseover can also be dangerous. With the daft idea of allowing unicode in urls, we now have the problem of multiple characters appearing directly. There are some scarily good paypal fake emails where the p is actually a russian character.

      1. Anonymous Coward
        Anonymous Coward

        Re: E-mail Client

        That's why I never click a link but access any site I use directly... it also protects from those using layers and layers of tracking to reach the real destination - so you'll never be sure if it's a real link or not....

      2. MiguelC Silver badge

        Re: E-mail Client

        Like this Apple site?

        (now then, I know it's not malicious, but do you?)

        1. Jamie Jones Silver badge

          Re: E-mail Client

          Web page not available

          The web page at https://xn--80ak6aa92e.com/ could not be loaded because:

          net::ERR_NAME_NOT_RESOLVED

          1. Alumoi Silver badge

            Re: E-mail Client

            @Jamie Jones

            If you're using Firefox change network.IDN_show_punycode to true and you won't get pwned next time.

            1. Jamie Jones Silver badge

              Re: E-mail Client

              "If you're using Firefox change network.IDN_show_punycode to true and you won't get pwned next time."

              Thanks. I do sometimes use firefox, but not regularly. However, that's how I have it already: The error message I posted shows the URL just as I see it. I pasted it to show I don't get tricked by punycode!

      3. GnuTzu
        Megaphone

        Re: E-mail Client -- New Characters

        Someone needs to come up with a special font that guarantees that all characters appear distinct, and mail programs and browsers need to guarantee that only this font can be used to display URLs (or at least not be altered by the email formatting.)
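The mouse-over problem discussed in this sub-thread, worked through as an added example (not code from any commenter, browser or mail vendor): links are pulled from a constructed message body, every host is converted between its Unicode form and the punycode form DNS actually resolves, and labels made of Cyrillic look-alikes (such as the xn--80ak6aa92e.com domain quoted above) are reported together with the Latin name they imitate. The look-alike table is a hand-picked subset, assumed sufficient for the demonstration.

```python
"""Flag IDN homograph look-alikes in the links of an e-mail body.

Added example for this thread, not code from the original post or from any
browser or mail vendor.  The sample body is constructed; it carries the
Cyrillic "apple" domain the thread mentions (xn--80ak6aa92e.com).  The
look-alike table is a hand-picked subset of Unicode's confusables, assumed
to be enough for the demonstration.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Cyrillic letters that most fonts draw like the Latin letter they map to.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04cf": "l", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

# Constructed sample: an honest link, the punycode (wire) form of the
# look-alike, and the Unicode form a mail client might render on mouse-over.
SAMPLE_BODY = (
    "Your receipt: https://www.apple.com/bill\n"
    "Verify now: https://www.xn--80ak6aa92e.com/verify\n"
    "Or here: https://www.\u0430\u0440\u0440\u04cf\u0435.com/verify\n"
)


def label_to_unicode(label: str) -> str:
    """A-label (xn--...) to U-label; other labels pass through unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def label_to_ascii(label: str) -> str:
    """U-label to the A-label that is actually looked up in DNS."""
    if label.isascii():
        return label.lower()
    return "xn--" + label.lower().encode("punycode").decode("ascii")


def scripts_in(label: str) -> set:
    """Scripts of the letters in a label, read off their Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def latin_skeleton(label: str) -> str:
    """Replace known Cyrillic look-alikes by the Latin letters they imitate."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def assess_host(host: str) -> dict:
    """Classify a hostname: ascii, idn, mixed-script or lookalike."""
    labels = [label_to_unicode(lab) for lab in host.split(".")]
    unicode_host = ".".join(labels)
    verdict = "ascii"
    if not unicode_host.isascii():
        verdict = "idn"
        for lab in labels:
            skeleton = latin_skeleton(lab)
            if skeleton != lab and skeleton.isascii():
                verdict = "lookalike"      # whole label imitates a Latin name
            elif len(scripts_in(lab)) > 1 and verdict != "lookalike":
                verdict = "mixed-script"   # Latin mixed with another script
    return {
        "unicode": unicode_host,
        "ascii": ".".join(label_to_ascii(lab) for lab in labels),
        "looks_like": ".".join(latin_skeleton(lab) for lab in labels),
        "verdict": verdict,
    }


def scan_body(body: str) -> list:
    """Assess every http(s) link in a message body, in order of appearance."""
    results = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        results.append({"url": url, **assess_host(host)})
    return results


if __name__ == "__main__":
    for r in scan_body(SAMPLE_BODY):
        print(f"{r['verdict']:13} {r['url']}")
        if r["verdict"] != "ascii":
            print(f"{'':13} DNS name {r['ascii']}, renders like {r['looks_like']}")
```

Note that the look-alike label is a single script throughout, which is exactly why a browser's mixed-script heuristic lets it through and why showing the punycode form (as the Firefox setting mentioned above does) is the reliable check.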

    2. Pascal Monett Silver badge

      @ deadlockvictim

      I completely agree with you. I do not use a common email client, so I sometimes do open scam mails to see what new scheme they're trying to pull. But follow a link? Not on your life. My important sites are bookmarked, thank you, I don't need your stinkin' links.

    3. ivan5

      Re: E-mail Client

      Mouse-over the link to see where you will be re-directed to.

      Or use a text only e-mail client then you can just read all the hidden junk.

  4. the Jim bloke
    Boffin

    Context matters

    Did they click the phishies on their own devices, or university machines?

    People will quite happily wade through the sewers of the internet on a machine someone else is responsible for looking after, but exercise a little bit more care with their own property...

  5. Anonymous Coward
    Anonymous Coward

    Beware of the sample....

    For most students, thinking they have won $100 in any form could be a big driver to ignore cautiousness. For other people, it is far less motivating. Ditto for a weekend festival with a name that looks to include stupid and noisy little vehicles. They're young, so automatically more gullible. Really, not much different from the old "free ringtones!" scam. Some groups were evidently far easier targets.

    Having to increase the value for other groups, in turn, makes the scam less credible, with fewer people falling for it (still, there will be some gullible ones).

    Maybe it is more evidence that if your phishing activities target the right group with the right motivations, the success rate increases.

  6. EricM
    Boffin

    C'mon .. it's 2018 - where do you find students with "no knowledge of phishing" today?

    Underdefined, non-precise self-assessment maybe?

    "How would you rate your knowledge of phishing? [1-5]" can be interpreted as "Have you heard about the topic" or "Do you know how exactly it works and could you pull off a scam using phishing?"

    In this case the more aware students might tend to the latter understanding and deliver better results while identifying themselves as having no knowledge.

    Dunning-Kruger, on the other hand, might motivate other persons who have just heard the term to assess themselves as knowledgeable.

    If study results are counter-intuitive, the study itself might be a contributing factor.

    1. Keith Langmead

      Knowing what you know vs knowing what you don’t know

      There’s a difference between knowing enough about a subject to think you know all about it, and knowing enough to know how little you actually know. I suspect many of us in the industry would admit to thinking we knew it all earlier in our careers based on the limited knowledge we possessed at that time, then as knowledge of subjects increases so does awareness of how much we still have to learn. In several areas of IT where I know a reasonable amount, if you’d asked me to rate my knowledge out of 10 back in the first few years of my career I’d have easily rated myself far higher than I would today. That doesn’t mean I knew more about it back then, rather that while I know more about it I also have a much better idea of the scope of that area and therefore how much more there is for me to learn.

    2. A-nonCoward
      Coat

      Re: C'mon .. it's 2018 - where do you find students with "no knowledge of phishing" today?

      A multiple answer for "what is DNS spoofing" or such terms might help winnow the "I know everything" kiddies away from those who actually have some idea. Alas, expecting good methodology in phrasing research is like expecting Uni students are safe in networks (or anywhere else, really)

      Good form in contemporary academic publication would share the content of the actual survey, right?

      like, for replicability?

      Science, do you know anything about how to do it, [1-5]

    3. doublelayer Silver badge

      Re: C'mon .. it's 2018 - where do you find students with "no knowledge of phishing" today?

      I wouldn't be at all surprised if most of those who bothered to take the survey were people who knew less about the topic. Among other things, I'd typically be wary of filling out a survey for people that just sent me phishing messages, researchers though they may be.

  7. Mage Silver badge
    Coffee/keyboard

    awareness of phishing was found to increase vulnerability

    Obviously the people studied only knew phishing existed and didn't have any sensible knowledge.

    What does "awareness" mean?

  8. suburbazine

    But were they phished? Clicking an email does not count as being phished or even being susceptible to phishing. What if they simply wanted to fill out the phish field with phish food like I do...random insulting information to hurt the phisherman's feelings.

    1. Jamie Jones Silver badge
      Thumb Up

      Exactly the point I was making! The downvoters are out in force today (I'm glad to be of service to them!)

  9. Pim

    "The researchers say they're at a loss to explain this, allowing it's possible that survey responses about phishing experience may have been skewed by the experience of being phished. They also speculate that users who fell for the phishing scheme might overestimate their knowledge of phishing."

    Mr. Dunning and Kruger might have an explanation for this mystery.

  10. suburbazine

    I've submitted a question to the authors of the study regarding how it was conducted and the way they published the results. If anyone is interested, this is the question I submitted:

    Hello all,

    Your paper is beginning to spread around the world, with tech websites and security moguls alike seeing it. I have a question about the way you've defined a successful "phishing" though- it seems like you based a success on simply clicking the link, not the actual act of being phished which is submitting valid user information. I'm not sure if the scope or authorization of the phishing would have permitted the actual collection of information. However, the study as published doesn't indicate any restrictions on the methodology (Either preface the study with this, or include it in Limitations).

    In corporate phishing tests, companies generally opt to capture their employees' data as it pertains to the company (no outside/unaffiliated data). In Experiments 1 and 2, this restriction would have denied collection of data, but in 3 it may have been permissible to capture credentials if overseen by your university's administration.

    The reason I raise this question is because you're redefining phishing as the world knows it- not as the loss of user data, but as the act of clicking a link in a poorly constructed email. Your experiment as operated does not take into account the "outliers" as I will categorize them: the phishing-aware demographic that

    Clicked the link in order to collect relevant information to report the phish to others in the affected groups (this happened apparently?)

    Clicked the link to troll the phishermen by submitting falsified information

    Clicked the link to otherwise hamper the phishing campaign (track down abuse teams of registrars or hosts)

    The only way to sanitize these possibilities is to actually collect some information, qualify it, then sort it into legitimate and illegitimate results. Your after-action report could have been plied to better educate the ones that actually did fall for the phish and possibly commend the ones that didn't. But right now, you've got everyone lumped into the "you failed" group.

    1. Pascal Monett Silver badge
      Stop

      Don't click the link !

      If you click the link, you are at risk of being hacked because you have no idea what server you're being directed to or what code the miscreants have prepared for your visit.

      If you click the link, you've failed to protect yourself and others on your network.

      If you just open the mail, you should be good if your client does not auto-execute code willy-nilly (meaning if you use Outlook you're likely screwed), but if you go and click the link, your machine is good for a reinstall.

      1. find users who cut cat tail

        Re: Don't click the link !

        > If you click the link, you've failed to protect yourself and others on your network.

        I assume -- at least for all people commenting here -- ‘clicking the link’ means copying the linked URL and opening it in a sandbox which exists for this purpose, not actually just clicking on the thing.

        1. Jamie Jones Silver badge

          Re: Don't click the link !

          .....and also making sure the link is not one specific to your received email.

          Even http://potato.example.com/ could be dodgy - if I wanted to hide a unique id, I'd probably stick a random word on as a subdomain..

      2. Updraft102

        Re: Don't click the link !

        If you just open the mail, you should be good if your client does not auto-execute code willy-nilly (meaning if you use Outlook you're likely screwed), but if you go and click the link, your machine is good for a reinstall.

        Isn't that just a bit overdramatic?

        Do you reinstall your OS every time you go to a link you've never visited before from the search engine of your choice? In either case, you're taking a leap of faith. There's always a first time visiting a site before you've established that it is reputable and really what it claims to be (and even then it could have been hacked to serve malware), and you have to hope that the site isn't compromised and your browser does not contain a zero-day that will allow a drive-by execution of arbitrary code (that happens to be meant for your OS, which is less likely for those of us using one that has 2% of the desktop market).

  11. Anonymous Coward
    Anonymous Coward

    How Can You Tell Without Opening it?

    How can you tell that it's a phishing email without first opening it?

    Surely you open the email, you read it, you determine that it's a phishing attempt, and you delete it (without clicking on any link). Are they saying that I should know that it's a phishing email just from the subject line?

    1. John Lilburne

      Re: How Can You Tell Without Opening it?

      Is the email from someone/someorg you know? Does the addressee correspond with the email address that you gave that person/org? For example if I get an email from this site it should be sent to xxxx@my.email.account.com, if it is from the bank then it should be sent to yyyy@my.email.account.com, if from amazon then it should be addressed to zzzz@my.subsidiary.account.com etc, etc. Emails get filtered based on who they are from and addressed to. The remainder are random spam or scam.

      1. Michael H.F. Wilkinson Silver badge

        Re: How Can You Tell Without Opening it?

        Sometimes opening the mail (in a mail client that doesn't open or run anything that I don't personally tell it to) is the only way of determining that it is phishing (or any other form of spam). Once I have classified it as phishing or spam, I report it as such before deleting it.

      2. EricM

        Re: xxxx@my.email.account.com suggestion (How Can You Tell Without Opening it?)

        I start to understand why people start to no longer bother with email at all...

      3. Updraft102

        Re: How Can You Tell Without Opening it?

        Is the email from someone/someorg you know?

        You mean does the sender field claim that it is from someone I happen to know, right? I can't actually tell if it is actually from that individual until I get a look at the headers, and that means I have to open it. I've gotten spam "from" people I know before... it's really easy to spoof the sender field.

        1. doublelayer Silver badge

          Re: How Can You Tell Without Opening it?

          When the subjects are students, they only have one mail account, that being whatever account their university gave them. When at least one of the messages says it came from the university's IT department, that is a logical address for it to be sent to. Until you open it and inspect the headers and/or the content, you do not have a reason to know it's phishing from the subject line and the text in the sender column.

        2. antman

          Re: How Can You Tell Without Opening it?

          "...until I get a look at the headers, and that means I have to open it".

          Actually, you don't. Even Outlook Express allows you to examine the raw email (headers and body) as plain text without first opening or previewing it.
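Reading the raw headers as plain text, as described in this sub-thread, worked through as an added example (not the commenter's or any vendor's code): a constructed message whose From: line claims an internal helpdesk is parsed with Python's standard email module, and the domains in From, Return-Path, Reply-To and Message-ID are compared with the Received chain to show where the message really entered the mail system. Every domain, host name and address in the sample is a placeholder.

```python
"""Read raw e-mail headers as plain text and compare what From: claims with
what the transport recorded (Return-Path, Reply-To, Received hops).

Added example for this thread, not the commenter's or any vendor's code.
The message is constructed; every domain, host name and address in it is a
placeholder from the documentation ranges.
"""
import re
from email import message_from_bytes
from email.utils import parseaddr

RAW_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
    by inbox.corp.example with ESMTP id abc123; Mon, 1 Jan 2018 09:00:00 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.corp.example with ESMTPS; Mon, 1 Jan 2018 08:59:58 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
    by relay.example.net with SMTP; Mon, 1 Jan 2018 08:59:55 +0000
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: helpdesk@corp-example-support.net
To: student@corp.example
Subject: Mailbox quota exceeded
Message-ID: <20180101@corp-example-support.net>

Your mailbox is full. Re-validate your account today.
"""

# "from <host> ... by <host>" inside one (unfolded) Received header.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_hops(msg) -> list:
    """(from, by) pairs in delivery order; the top Received line is the newest."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))
        if m:
            hops.append((m.group(1).rstrip(";"), m.group(2).rstrip(";")))
    hops.reverse()  # header order is newest first; we want oldest first
    return hops


def analyse_headers(raw: bytes) -> dict:
    """Summarise the sender identity claims and list the inconsistencies."""
    msg = message_from_bytes(raw)
    from_domain = domain_of(msg["From"])
    summary = {
        "from_domain": from_domain,
        "return_path_domain": domain_of(msg["Return-Path"]),
        "reply_to_domain": domain_of(msg["Reply-To"]),
        "message_id_domain": domain_of(msg["Message-ID"]),
        "hops": received_hops(msg),
        "findings": [],
    }
    if summary["return_path_domain"] != from_domain:
        summary["findings"].append("Return-Path domain %s differs from From domain %s"
                                   % (summary["return_path_domain"], from_domain))
    if summary["reply_to_domain"] and summary["reply_to_domain"] != from_domain:
        summary["findings"].append("Reply-To sends answers to %s, not to the From domain"
                                   % summary["reply_to_domain"])
    if summary["message_id_domain"] and summary["message_id_domain"] != from_domain:
        summary["findings"].append("Message-ID was generated at %s"
                                   % summary["message_id_domain"])
    if summary["hops"]:
        origin, first_relay = summary["hops"][0]
        if not first_relay.endswith(from_domain):
            summary["findings"].append("message entered the mail system at %s via %s, "
                                       "outside the claimed domain %s"
                                       % (first_relay, origin, from_domain))
    return summary


if __name__ == "__main__":
    report = analyse_headers(RAW_MESSAGE)
    print("From domain:", report["from_domain"])
    for sender, receiver in report["hops"]:
        print("  hop: %s -> %s" % (sender, receiver))
    for finding in report["findings"]:
        print("  !", finding)
```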

        3. John Lilburne

          Re: How Can You Tell Without Opening it?

          "it's really easy to spoof the sender field."

          Indeed back in Uni someone had written a bunch of utils one of which would send a logout command to a terminal. Each year groups of students learnt of the script and would spend an afternoon logging out their buddies, etc and then move on to random users. Whilst they knew of the script they didn't know that it also logged the miscreant, the terminal that they were sat at, and the terminal they were logging off. Another script located the room and location of the terminal. So having been subjected to a bout of logging off an email was constructed using telnet from the "Head of Computer Services" threatening to report them to their course supervisor etc.

  12. Anonymous Coward
    Anonymous Coward

    Bloody students. Get a job.

    Click here to view the latest job opportunities!

  13. John Brown (no body) Silver badge

    19 per cent submitted their credentials

    And this why spammers are still in business.

    (yes, I know phishing is a bit more upmarket than spamming, but when sales people tell you that they are lucky to get a 2% success rate from cold calling, you can see why spammers and phishers keep at it.)

  14. Anonymous Coward
    Windows

    Good old MSFT!

    Pretty happy with Exchange ATP Safe Links and Safe Attachments in my shoppe as one of the defences against email malware.

  15. A-nonCoward

    "Self-reported"

    OF COURSE we know that is the standard way, "We made no attempt to measure how accurately and honestly subjects filled out their demographic surveys."

    Which is sad... Social numbers

    It would not have been that hard to have people go directly to a survey, right from the phishing link :-)

    Also, more details on the response? how long did it take those who reported to do so?

    obligatory XKCD https://www.xkcd.com/435/

  16. Terry 6 Silver badge

    Someone should tell Tesco Bank

    Their marketing tossers still send out emails with full screen pages showing offers and a "click here to apply" link. Most recently, this very week, it was for special edition gift cards. Not free, as it goes, just special edition. But it's a short link from one to the other.

    It's like a training camp for victims.

    1. Jamie Jones Silver badge

      Re: Someone should tell Tesco Bank

      I deal with one company (can't remember which one off hand) that sends out mails as HTML and plain text.. However, instead of the plain text being a version of the HTMLardised message, it just contains "We've attempted to contact you with this email message, but you are using an out of date email client that cannot display modern email messages. Please update it"

      Great customer PR there!

  17. Obesrver1
    Megaphone

    I'll say it again and again

    Countries need a {SEM} Secure Email, provided by Gov (enables managed monitoring, with suitable legislation) {SEM} would use *one* set of servers that only allow mail to be sent within them

    use for all Gov & Business incl eTax, eFinance, eLegal etc & possibly even eVoting (prepol mail)

    Gov could provide 3 levels of encryption for use in {SEM} >> {UKSEM} {AUSEM} {USSEM}...

    tried & tested SEMs could then exchange mail between them.

    (more management principles here.....)

    Crims would go elsewhere...

    also need eClouds in your OWN Country not someone else's !!! (see ASD's warning on China's Cloud)

    1. doublelayer Silver badge

      Re: I'll say it again and again

      I'll vote no. One unified email system, controlled by not me, where I can't decide how it runs but my government can (they never do anything I dislike)? Such a system designed specifically to not work in the situations where normal email works? Cryptography that provides security against not much unless the government's planning on releasing it? Bad idea all around, methinks.

    2. Jamie Jones Silver badge

      Re: I'll say it again and again

      "Countries need a {SEM} Secure Email, provided by Gov..."

      LOL. Careful, people may think you are serious!

  18. a_yank_lurker

    Study?

    Most are aware of phishing and while virtually all will at some time or another open a phish even if unintentionally I think this "study" is basically garbage. There are a few simple rules to go by: if the email context makes no sense; trash it immediately, if the context makes some sense (an email from Amazon e.g.) but it is unexpected; open the website from your browser to verify the information not the link; if you have been to the country (I get a bunch from India); immediately trash.

    Or the summary rule, if the email context is at all dubious it is guaranteed to be illegitimate. That is a simple rule that even the most technically dense but otherwise intelligent can live with.

  19. Paul Hovnanian Silver badge

    Post-attack survey

    "And among the subset of students who responded to the post-attack survey (482), 70 per cent had clicked on a phishing link."

    So it's already a biased sample. What about the people who didn't respond because they thought the survey was a phishing attack?

  20. Jin

    How informed?

    Well-informed > Un-informed > Ill-informed > Misinformed > Disinformed
