Helping people with computers... one answer at a time.

Most spam and phishing attempts are laughably bogus. What if they weren't?

Transcript

This is Leo Notenboom for askleo.info.

Like most of you I'm sure, I get a fair amount of spam including a healthy share of virus-laden messages and attachments as well as phishing scams.

Most of these messages work by trying to trick you into doing something - perhaps buying something, opening up an attachment, visiting a web site, or at its worst, visiting a web site and entering your personal information.

Phishing absolutely amazed me on several levels.

For one thing, so many of them are absolute junk! Broken English, horrible formatting, even broken HTML in many cases - links that are obviously fake.

A good 90% of the spam I get falls into that "so obviously fake, why do they even try?" category.

Hence my second point of amazement: they work. As bad as those emails are, people fall for them every day. Even after all this time. And it's not an issue of stupidity, though I'm sure there's some of that out there, it's more about ignorance and education. What's "obvious" junk to you and me isn't so obvious to many.

But that leads me to my third point, which I find kind of scary: a phisher who would take the time to craft a proper message and write proper English could rule the day. With so many phishing, virus and other spam messages being so horribly, obviously broken, either in form or in language, a message that wasn't would stand out. Or rather, it wouldn't stand out as being so obviously bogus. And that would increase the chances of its success.

They are out there. I almost fell for one a few months ago. The timing was right - I was involved in a transaction inquiry with my credit card company, and sure enough I got email that looked like it was from a credit card company and looked fairly legitimate. The phisher had taken the time to craft an appropriate lure. As a result of the coincidence of my expecting email from my credit card company, and the good imitation done by the phisher ... well, I almost clicked through. But I've trained myself. I always look at where the link really goes by hovering over it before I click. Sure enough - it was a total fraud.

And just to be clear, depending on your mail program, that "hovering over" I did can also be spoofed. Really, the only totally safe thing to do is simply never click on links in email unless you're totally certain that you trust the source.

Like I said, right now most spam is laughably bogus. But if more malware and phishing authors ever get a clue, it's going to get a lot more difficult to tell what's real from what's fake.

I'd love to hear what you think. Visit askleo.info and enter 12058 in the go to article number box to access the show notes, the transcript and to leave me a comment. While you're there, browse the hundreds of technical questions and answers on the site.

Till next time, I'm Leo Notenboom, for askleo.info.
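
The check described in the transcript (compare what a link displays with where it really goes, and remember that the hover display can itself be scripted), as an added example that is not part of the original show notes. It flags links whose visible text names a different host than the `href`, and links carrying mouse event handlers; the sample message, host names and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Handlers that let script change what a hover or click shows.
HOVER_HANDLERS = {"onmouseover", "onmouseout", "onmousemove", "onmousedown", "onclick"}
# Visible link text that itself looks like a host name or URL.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# Constructed sample message body; every host below is made up.
SAMPLE = """
<p><a href="http://203.0.113.7/verify">www.examplebank.test/verify</a></p>
<p><a href="https://www.examplebank.test/help" onmouseover="window.status='https://www.examplebank.test/'">Help</a></p>
<p><a href="https://www.examplebank.test/">examplebank.test</a></p>
"""

class LinkAuditor(HTMLParser):
    """Collects each <a> with its real href, visible text and script handlers."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)  # attribute names arrive lower-cased
            self._open = {"href": a.get("href") or "", "text": "",
                          "handlers": sorted(HOVER_HANDLERS & set(a))}
    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def audit_links(html):
    """Return (href, reasons) for links whose display disagrees with the target."""
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for link in parser.links:
        reasons = []
        # Ignore a leading "www." so the same site is not reported against itself.
        real = (urlsplit(link["href"]).hostname or "").lower().removeprefix("www.")
        shown = HOSTLIKE.match(link["text"].strip())
        shown = shown.group(1).lower().removeprefix("www.") if shown else ""
        if shown and real and shown != real:
            reasons.append(f"text shows {shown} but href goes to {real}")
        if link["handlers"]:
            reasons.append("script handlers: " + ", ".join(link["handlers"]))
        if reasons:
            findings.append((link["href"], reasons))
    return findings
```

A clean result only means the displayed host and the target agree; it says nothing about whether that host is the sender it claims to be.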

Article C3225 - December 2, 2007

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

10 Comments
garry blight
December 7, 2007 7:17 PM

To Ask Leo,
Just this morning I got quite a surprise. I was advised by a solicitor that a person with the same last name as mine, he and his family, were killed in a car accident. He was adopted but his parents had passed away in 1976, and the solicitor had no history of his prior life before being adopted, saying that there is 6.8 million dollars left in said trust and that by some law in England, if a close relative is not found, his attorney has authority to nominate a beneficiary from the family, so finding me. There is a lot more legal stuff but I am only a layman. He said that he would send ph. no. ext when he my confidence. He has what seems to be a proper letterhead, ph. no., address, name. It does seem to be original but I have had a Trojan before and it took weeks to get rid of it. I am tempted but not sure if I should open it and reply or not. I could send you the full letter but do not know how.
Yours sincerely, Garry

David
December 8, 2007 1:55 AM

I too try to be very careful and check links, and I too have been duped by a better than average piece of spam. However, I also tell people that they should have a pretty good idea of what emails they have signed up for, and those emails should have a higher than normal level of trust. People should also be aware of what they sign up for, and a good example is...

Down at the mall I occasionally see a new car with a table and small slips of paper asking for your name and address. The slips also state that they could win this car by entering. People write their info down then forget about it. Weeks or months later they get a notice from some place that wants them to come hear a lecture (typically 2 hours) and win a prize! Many people fail to realize that the two events are directly related and that people signed them up for that junk mail. So I would add: be careful with what you sign up for; a site should not be asking for your address to look around. Even then most providers give multiple email addresses and there are plenty of free ones, so have one email account for family and friends and make sure they know it is just for them. Then use an alternative email for signing up for things and when you start getting too much spam turn it off. Another point... if you suspect it is spam do not open it because then they know that address is legit and will give it/sell it to others... they might do so even if you do not open it, but you won't get as much spam.

Michael Horowitz
December 8, 2007 10:46 AM

I wrote some relevant blog postings on this

Defending against a phishing email message.
http://blogs.cnet.com/8301-13554_1-9805875-33.html

I set up an autoresponder that you can use to test if your email program can be manipulated with JavaScript to show the wrong link destination
Test your e-mail program
http://blogs.cnet.com/8301-13554_1-9806037-33.html

Is that e-mail message legit? How a computer nerd analyzes it
http://blogs.cnet.com/defensive-computing/8301-13554_1-9814781-33.html

Tony O'Connell
December 8, 2007 1:02 PM

Recently my credit card expired and was upgraded but I forgot/neglected to tell my ISP which tried billing me with the old details and they then sent me an email asking me to update my details via the link provided in the email. While the email turned out to be genuine, how different was that from the usual phishing emails which are always asking you to update details for your bank accounts or whatever. I contacted the ISP via my usual web link and commented about their look alike phishing email and they said they had always done it that way. So no wonder people keep getting caught by these things.

Marc
December 8, 2007 1:03 PM

Two things about this: one is perhaps a phish might look obvious to one machine but not the same to another; the second is that it's as atrocious as what a computer attempting literal reasoning in speech... so maybe this is machine generated and unique to each machine's display that receives it... or set of common variables?

Bob Pease Jr
December 8, 2007 5:13 PM

Leo, good buddy, I realize you know this 'work' better than Able himself BUT I am sure the phishers appreciate the information on how to improve their 'work'. BTW, what is "hovering" (as to email)? How may one do that? Ole (_E=mc2_) here.

Bill
September 8, 2009 8:54 AM

I find it hard to believe that most spam or phishing works but the social engineering can work well on people who would never open up spam or a money scam.
A friend realized (right after she clicked) that the "package cannot be delivered" message was suspicious. She was waiting for a package that was a little slow.

My bank has a second page that will display a picture that you have chosen and text that you create, that you have to go through before signing in. My mother and siblings probably wouldn't guess the correct picture or the text that I attached with it. They are the only ones who would say "that makes sense".

It's actually scary how many people do purchase from or fall for spam/scam emails. Enough to make spamming a very lucrative, if illegal, business.

The "show me a picture I'll recognize" security measures are somewhat laughable as they can be hijacked, in a sense, by what's called a "man in the middle" attack.
Leo
09-Sep-2009

Paul G. Pousson
September 16, 2009 11:07 AM

I did the same stupid thing just a few days ago, and I know better. Lucky for me my Spysweeper from Webroot caught it in time.

howiem
October 20, 2009 6:31 AM

This is a question.
Let's suppose a user never clicks an email, web or any other link to any web site where financial transactions can be made, and does not respond to popups. He keeps his computer completely patched and all programs updated, has a stealthed firewall and high detection AV/AS programs.
The first time he visits a bank web site, he uses the URL he got from the bank. Then he bookmarks an https page within the web site after logging in.
He visits each bank site in a separate, dedicated sandbox (www.sandboxie.com). After each banking session he deletes the contents of the sandbox. When he does another banking session, he only uses the https bookmark to access the banking site. He opens only one tab in the sandboxed browser.
What I would like to know is how this user could get phished using these procedures and only these procedures?

Ian
October 24, 2009 7:18 AM

My bank has now issued us all with a hardware device - free. But we can also buy more (at equivalent to about US$10 each) as spares and to carry or store in chosen locations. The device is useless in the wrong hands as it will only work if one of the correct, registered, ATM cards is inserted and the PIN entered when instructed by the readout on the device's LCD screen. At the last stage of screen login to online banking, on the final login webpage, the device must be set to generate a use-once numerical code and this must be entered into the on-screen fields, along with the last four digits of the registered ATM card that has been inserted in the device's reader. If it's all pukka, you're in. If you're outside the home and you have a shoulder-surfer or are being key-logged, the code is useless to anyone else as it won't work twice!!! The device is no bigger than a video iPod and has a battery life of several years. As I have more than one, battery failure is not an issue. When due, the bank will change them, or, for the tech savvy with the right screwdrivers, they are just internal button cells and there's no volatile memory to worry about. As an extra precaution, you get the usual three goes on each of your cards to enter the PIN when prompted. If you mess-up, that card - and only that one (so you can use your others in the meantime) - is locked-out until you can insert it in one of the bank's own ATMs, whereupon an unlock procedure will be supplied via the ATM's on-screen prompts. So, to hack one of this bank's accounts, you'd need all the preliminary on-screen login details, one of the devices, one of the registered ATM cards for that account and the correct PIN for that card. In addition to logging-in, different use-once codes will be required from the device to make instant online payments or credit transfers to any recipient who has not been pre-registered as a regular payee from that account.
Oh yes, as this is European banking, all cards are, of course, "Smart" (Chip-n-PIN), so there's no way to clone any of them with magnetic readers either.
