Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
Security Crime

The Psychology of Phishing 128

Posted by samzenpus
from the click-and-release dept.
An anonymous reader writes Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today users can tell-apart spam annoyances from useful email, however they still find it difficult identifying phishing emails, particularly when they are tailored to suit each recipient individually. Fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context a legitimate marketing department at a FTSE 100 company typically expects less than a 2% click rate on their advertising campaigns. So, how are the cybercriminals out-marketing the marketing experts?
This discussion has been archived. No new comments can be posted.

The Psychology of Phishing

Comments Filter:
  • well (Score:5, Insightful)

    by Osgeld (1900440) on Wednesday July 23, 2014 @11:32PM (#47520585)

    The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough

    • Re:well (Score:5, Interesting)

      by s.petry (762400) on Wednesday July 23, 2014 @11:54PM (#47520627)

      Sometimes yes, but not always true. Sure, "Free Porn" will get a whole lot of clicks, especially from uneducated people (who are usually schooled shortly thereafter by the spammer).

      Professional phishing is geared to make it look like something the target company sent out. Working in DOD for about a decade, I saw some exceptional work. They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

      How are spammers successful so often? Simple, companies don't train people.

      At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated. 3-4 questions were enough to ensure people at least skimmed the content. Before you get anal about productivity, the email was a 2 minute read max, so even if you had to read it twice to answer the few questions it was a whopping 5 minutes out of your Friday.

      We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once, and we had professional campaigns run against us several times a year.

      Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average"). Since their people lack training, it's not uncommon to see 10% success in a phishing campaign. Compounding the problem, people often won't report the breach until it's too late if they report the incident at all (cultural issue with many companies in SV).

      • Re:well (Score:5, Interesting)

        by vasanth (908280) on Thursday July 24, 2014 @12:43AM (#47520773)

        We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once

        or 1 out of 5,800 realised that they were being phished and many more never realised it...

      • by Taco Cowboy (5327) on Thursday July 24, 2014 @01:04AM (#47520825) Journal

        How are spammers successful so often? Simple, companies don't train people

        As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

        Not that people are stupid - no, as far as I am concern, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in

        It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource

        No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost in a daily basis, and the local level network will get breached

        • by Anonymous Coward on Thursday July 24, 2014 @04:51AM (#47521251)

          As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

          Doesn't help if you start out with not even trying.

          You can try and teach people the finer points of literature but if they can't even read or write, they're lacking some basic knowledge to build upon.

          This basic knowledge in computing has for ages been refused to people on the grounds that the software was "intuitive" and so would convey the basics by osmosis. Turns out it doesn't.

          Even something as basic as the difference between To: and Cc:, I've seen people assume "first goes in To:, rest goes in Cc:, and that's not how it works. But nobody had bothered to explain even that. What's the difference, what do we use it for? Poor sod didn't know.

          Instead the software provides an environment where all you can do is click and so that's all that people will do. Without looking where they're clicking because looking before you click has been made extra difficult, and so they've long been discouraged from engaging their brains on the question what they're doing. So if the thing in front of them presents them with a link, they're going to click on it, and you cannot blame them.

          Similar with how to write reply emails. Why would you slap a single line atop someone's letter and send the entire thing back? Why then, do it with email? Nobody explained how to do it properly so everybody does it wrong, exactly as the (most popular but most poor excuse for an) email client provides. The results are mostly unreadable wastes of time but nobody knows they can do better with trivial effort and so it doesn't happen.

          At the very least, should've given them an email client that doesn't do html and doesn't do links. Requiring people to copy/paste the link would be a simple, basic security measure because it requires engaging a few more braincells and actually looking at the url at least while copy/pasting, increasing the chances that dangerous links get spotted. Also because now the href cannot be hidden as easily.

          Don't believe me? We live in the age of the veritable flood of poorly-written messages, to the point that most corporate communication consists of poorly worded laments that the communication is so poor. There's no discerning malicious from the merely inept there. It's all crap and yet you have to slog through it. And so that's what the poor untrained drones do.

          This isn't really automation, it has nothing to do with empowering users. It's using technology to make puppets out of untrained meat sacks. You really shouldn't blame the meat sacks here.

          • Why would you slap a single line atop someone's letter and send the entire thing back?

            Because we can and bytes are cheap? Hiya! I promise I'm not trying to start a religious war over top-versus-bottom posting or the like, but I'm genuinely curious:

            I save all emails. Always have. I can usually find a thread easily enough, but there are times when multiple people are in a thread and the subject gets manually mangled, so Outlook won't incorporate those in its "conversation" search. So having the whole thread, TOP-POSTED, makes it simple to quickly review what was said about whatever we were discussing. As long as the email client clearly marks each message's beginning, how hard is it to read the top one and only scan down if needed?

            That said, I'm all for stripping out inline images on reply, and if the topic shifts I have no problem [snip] -ping out the completed thread to make room for the new one. Or if an email thread goes marathon and bounces more than like 10 times...

          • by tsqr (808554) on Thursday July 24, 2014 @08:52AM (#47522153)

            Even something as basic as the difference between To: and Cc:, I've seen people assume "first goes in To:, rest goes in Cc:, and that's not how it works.

            Personally, I like the people who don't understand the difference between Reply and Reply All. When HR sends a company picnic invitation to Everybody, the invitation is immediately followed by a Reply All flood of RSVPs from that crowd. Lately, though, HR seems to have discovered the Bcc: field as a solution to that issue.

            • Personally, I like the people who don't understand the difference between Reply and Reply All. When HR sends a company picnic invitation to Everybody, the invitation is immediately followed by a Reply All flood of RSVPs from that crowd. Lately, though, HR seems to have discovered the Bcc: field as a solution to that issue.

              Well, given the default to most company emails requires reply-all, it's not a surprise, really. I mean, if you're on a project and you need to send information to others, you probably will put in several people. And the recipient probably uses reply-all so everyone can be aware of the followup as well. Because things get awfully stilted if everyone merely replied to the original sender and they get flooded with dozens of the same question and notes.

              So it's natural in a business setting to use reply-all since you expect to share with everyone else. Hitting reply just feels unnatural.

              And yes, that's what the BCC field is for, if you really need to break the reply-all chain.

        • by s.petry (762400) on Thursday July 24, 2014 @09:38AM (#47522427)

          As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

          I agree, but those are not people you want working for you if you are concerned about security.

          Not that people are stupid - no, as far as I am concern, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in

          I think that you and I have different definitions of intelligence (mine matches the dictionary). If a person does not care, or is lazy in terms of security, that has nothing to do with intelligence. An intelligent person that cares can easily learn. An intelligent person that does not care will perform questionable acts, and not just in terms of phishing campaigns. A lazy person will filter security messages to junk and never read them.

          Making people care about security takes work, and making sure they review security bulletins takes work. Reward vs. punishment systems are a juggling act, but this is true in any behavioral science.

          It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource

          If the dangers of social media are not part of your security awareness campaigns in the office, you need to have your security team add this to their normal message campaigns. It does not take paranoia by end users to catch phishing attacks, it takes awareness. I.E. "Our company will never ask you for personal information on a social media site. We will never ask for your login name or password on the phone. If you receive such a request contact security at [some extension] immediately, preferably while the person making this request is on the phone." or how about "Want a free lunch? Report questionable content to security and if it's a campaign to cause damage we'll buy you lunch." and finally "Send suspect phishing emails to security, be entered for a raffle to win dinner with the CEO/attend a game in our suite at the Shark Tank, etc...." There are many ways to mold behavior.

          Further if you are are a company that does take login names and passwords over the phone or asks for people's personal social media information, change your friggin policies immediately! That is not a problem with uneducated users, that is a problem with horrible company policies and practices.

          No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost in a daily basis, and the local level network will get breached

          I have seen too many examples where this is simply not true. Companies that skimp on acquiring and maintaining a good security team and enforcing internal training are the biggest victims. Where I work currently we have regular training, and even though we experience regular phishing attacks people are not giving out data. It's only 600 employees, but we still see 0 successful phishing attacks.

          I'd be willing to bet that any company you claim is "good" yet gets regularly victimized by phishing attacks receives little to no regular security training. And "NO", an email from security that requires no follow up is not "training". Annual face to face meetings with security are similarly not training. Even in a place where users have been well trained quarterly is a minimum, and while working to train users this should be monthly at a minimum. Make the training mandatory, but buy your people lunch for attending. If you let people skip training you are teaching them that it does not matter, so your company needs to ensure a zero tolerance policy for this training. This is all pretty basic psychology for behavior training.

        • by Tom (822) on Thursday July 24, 2014 @03:54PM (#47525413) Homepage Journal

          As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

          Not everyone can train people. Almost nobody can train all kinds of people, because they need to be trained differently.

          More importantly, not everyone is acceptable as a trainer. Many, especially smart people, don't like being trained by someone they consider to be their inferior.

      • by phantomfive (622387) on Thursday July 24, 2014 @01:35AM (#47520883) Journal

        We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link.

        How did you know that others didn't click on it and then not mention it to anyone?

        • by Antique Geekmeister (740220) on Thursday July 24, 2014 @07:19AM (#47521663)

          > How did you know that others didn't click on it and then not mention it to anyone?

          Of course they did. Why would anyone normal report this kind of incident to a security department that is bombarding them with warnings, and will fire you if you can't prove you've read their warnings?

        • Re:well (Score:5, Interesting)

          by gstoddart (321705) on Thursday July 24, 2014 @08:25AM (#47522007) Homepage

          How did you know that others didn't click on it and then not mention it to anyone?

          The company I work for does periodic in-house phishing/spam tests.

          If you fail and click the link, you get sent for extra security training. They know, because they're the ones who own the machines you went to.

          I gather a surprising amount of people actually fall for them. I find myself looking at "1 in 5800" and thinking "wow, you have some good training".

          When my parents got on the interwebs, in so uncertain terms, I sat them down and had "the talk": The internet is a dark and scary place, and not something you just trust. I explained phishing and spam, as well as how to spot fake telemarketers and scams.

          My parents have learned to be wary and a little skeptical when someone initiates contact with them, and know to ask for proof. On many occasions they've spotted stuff, though I still worry they might miss something.

          But, I still remain amazed at how many people who work in technology fields still blindly click stuff. I expect senior citizens and the like to be less aware of this stuff, but if you've worked in technology for any period of time, you should know better.

          • by gfxguy (98788) on Thursday July 24, 2014 @10:23AM (#47522717)

            Interesting... I should stop clicking on those links, then. I feel like, since I'm using linux, I likely won't get a virus, so when I get a "you need to change your password" link, I usually just curse them out in it. Email: eat@shit.and.die, password: youfuckingasshole. I know it doesn't solve any problems, but it feels good.

            Hey, if enough people did it, they'd have to wade through tons of insults before finding one where the person actually fell for it.

            • by s.petry (762400) on Thursday July 24, 2014 @12:16PM (#47523557)
              Which is fine until your IPs start to get extra attention for fucking with people. Avoiding drug dealers in a big city is not hard once you know what to look for. I'd not recommend that people start driving by and throwing eggs at them, eventually they will get pissed and shoot someone.
              • by gfxguy (98788) on Thursday July 24, 2014 @12:55PM (#47523837)
                That'd be a fair warning if phishers weren't pussy ass scaredy cat losers who wouldn't actually be able to inflict harm in any way except with a keyboard.
                • by s.petry (762400) on Thursday July 24, 2014 @01:11PM (#47523971)

                  Going by personal history here, it's easy to mistake a "stupid phisher" for a syndicate. Often they operate the same, and the syndicates do test what they sell to the "stupid phishing" people.

                  I'm not against what you are doing at all, but pointing out the risk which you overlooked. Definitely not something a novice should attempt.

        • by s.petry (762400) on Thursday July 24, 2014 @09:44AM (#47522453)

          Proxy logs are not magical things, they are actually very effective in determining users that followed a phishing link. Even if the user did not report the breach themselves, the security incident would have been found (though it may have taken an hour or two as opposed to minutes.

          Sadly many people think a proxy is a bad thing and believe direct access is better.

      • by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday July 24, 2014 @06:00AM (#47521409) Homepage Journal

        How are spammers successful so often? Simple, companies don't train people.

        Also, people are stupid. It's not hard not to get phished if you critically evaluate claims and requests as your SOP.

        • by gstoddart (321705) on Thursday July 24, 2014 @08:37AM (#47522061) Homepage

          It's not hard not to get phished if you critically evaluate claims and requests as your SOP.

          Of course, the problem with this is, anybody who does that more or less gets called a bit of a paranoid loon now and then. :-P

          Not everybody understands that a certain level of paranoia is actually required to survive the internet and other scams.

          Sometimes people look at you like you're over-reacting, right up until they realize they've given their credit card information to someone who was lying to them.

      • by oobayly (1056050) on Thursday July 24, 2014 @06:09AM (#47521435)

        They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

        This is also made harder with the use of CDNs nowadays. A while ago our office started receiving large numbers of "InterFax" notification with a download link. I don't know what a proper InterFax notification looks like, but as you said, they did look professional, and in some cases the URL didn't look too dissimilar to some CDN URLs we've used.

        I tend to visit web pages used in phishing attacks for a couple of reasons. First, I like to input useless data. Second, I like to rate what sort of job the scammers did in cloning he web site - I always feel a little let down when I see dead links, as they didn't make the effort to duplicate all the pages linked to by the cloned login page. Seriously guys, put some effort into your scams - the work ethic of the criminal world is really dropping.

        • by gfxguy (98788) on Thursday July 24, 2014 @10:32AM (#47522781)
          I pretty much do the same thing, but instead of useless data I put insulting data. Sometimes I'm impressed with the effort... sometimes it links to a google form, and that's pretty sad. Some of them are so good, though, if they just put that much effort into honest work, they'd be pretty well off.
      • by clickety6 (141178) on Thursday July 24, 2014 @06:56AM (#47521585)

        They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

        It doesn't help that legitimate companies that should know better do the same. I recently got a survey from PayPal, but rathet than going through their verified site at www.paypal.com, the links in the email directed only to www.paypal-survey.com. It looked like a classic phishing scam but was apparently a legitimate survey request.

      • Re:well (Score:5, Insightful)

        by FireFury03 (653718) <slashdot AT nexusuk DOT org> on Thursday July 24, 2014 @07:20AM (#47521669) Homepage

        How are spammers successful so often? Simple, companies don't train people.

        Or they train them with exactly the opposite of good behaviour.

        Case in point: a few years ago my (at the time) bank sent me a marketing email (and yes, I confirmed it was legit). It wasn't from the bank's normal domain name and it contained lots of links to product descriptions that were also on an unusual domain. It said that I could verify it's authenticity because it contained the first half of my post code (i.e. something that's trivial for anyone to find out). I complained to the bank and the regulator - neither of them would do anything. The bank's excuse was that none of the pages linked from the email asked for my bank credentials so it was ok. This kind of thing trains people to expect that their bank will legitimately send them emails with clickable links that don't go to the bank's main website - the distinction between a link that asks for your credentials and one that doesn't is going to be lost on a lot of people.

        Similarly, my Paypal account is currently suspended because they sent me an email telling me I needed to "verify my ID" (by sending them a scan of my driving licence)... this email went into the bin along with all the phishing emails asking me to "verify my paypal account", so when I didn't send them any ID they suspended the account.

        Now, banks _do_ need to communicate with their customers, and I can't discount email as a viable method for them to communicate, but they really really need to start providing a sensible method for people to authenticate the legitimacy of the email - why the hell don't they MIME sign the messages, for example? At the moment they are sending out emails that are indistinguishable from phishing messages and then blaming the customer when they get phished.

        • by gfxguy (98788) on Thursday July 24, 2014 @10:46AM (#47522871)
          The thing with my bank is that they don't send links in the email, and they often warn people that they won't. If there's something you should look at on your account, like a notification of bill pay or something, they simply say in the email "log into your online account" without providing a link. Most people have their bank bookmarked, so it's not like it's some kind of hardship.
          • by FireFury03 (653718) <slashdot AT nexusuk DOT org> on Thursday July 24, 2014 @11:54AM (#47523391) Homepage

            The thing with my bank is that they don't send links in the email, and they often warn people that they won't. If there's something you should look at on your account, like a notification of bill pay or something, they simply say in the email "log into your online account" without providing a link. Most people have their bank bookmarked, so it's not like it's some kind of hardship.

            It is some kind of a hardship because you still have to figure out which emails are legit - I'm not going to go log in to my bank every time I get a phishing email. When the vast majority of emails claiming to come from my bank are phishing mails, I'm pretty much guaranteed to miss legitimate ones unless the bank give me a trivial way to know that they're legit - MIME signed emails would allow that, but no banks seem to be interested.

      • Re:well (Score:4, Funny)

        by T.E.D. (34228) on Thursday July 24, 2014 @08:16AM (#47521965)

        At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated.

        Click link below for weekly training memo about latest phishing threats. Remember failure to reading could result in the termination.

        - IT Team

        • by gfxguy (98788) on Thursday July 24, 2014 @10:48AM (#47522883)

          Click link below for weekly training memo about latest phishing threats. Remember failure to reading could result in the termination.

          - IT Team

          ... and don't forget to sign in with your username and password so that you get credit for having read the memo!

      • by nabsltd (1313397) on Thursday July 24, 2014 @10:06AM (#47522601)

        How are spammers successful so often? Simple, companies don't train people.

        Companies also don't often have the infrastructure set up to help their people do the right thing.

        As an example, every company should provide users with unlimited e-mail addresses that end up in their real e-mail inbox but can be filtered using rules. Employees should then be instructed that they should never use their "real" e-mail address for anything that gets put into a database. This means that if they sign up at Cisco's support portal, they don't use "realaddress@example.com", but instead something like "cisco-realaddress@example.com". This means that if you get what seems to be an official-looking e-mail about paying an invoice from Cisco addressed to "amazon-realaddress@example.com", you know it's fake.

        If ISPs provided the same feature, phishing success would be reduced dramatically. I get any number of e-mails that pretend to be from a bank (some actually from a bank I do business with), yet all come to the wrong e-mail address, so they are immediately trashed. With a little work, it could even be automated, especially if companies co-operated and documented keywords that would always appear in every e-mail from them. This would allow you to compare the keywords in the body to the recipient and see that they don't match as being from the same company.

      • by Tom (822) on Thursday July 24, 2014 @03:52PM (#47525375) Homepage Journal

        Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average").

        Security awareness training in companies is largely nonsense. Your scenario is different not because of your memo, but because your people realize that something more important than shareholder value is at stake. And I dare to say that your weekly reminders are the secret, not any awareness training. Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up. It doesn't matter if people read it at all, what matters is that they consider it long enough to activate the desired memory of adequate behaviour, which means 2-3 seconds.

        And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.

        • by s.petry (762400) on Thursday July 24, 2014 @04:21PM (#47525713)

          Security awareness training in companies is largely nonsense.

          Rubbish! If you are starting from scratch you have to lay the foundation. Jumping right into impersonal communications shows that your security team does not care, therefor the amount of people with genuine concern will never increase.

          Reminders are incredibly powerful, there's now a decent amount of psychological research to back that up.

          That we agree on, but you are choosing to ignore all of the precursor psychology which is just as well documented.

          And from your one incident I gather you also have a reporting culture where people are not afraid to report problems. Many companies don't have that, people constantly sweep problems under the rug because they're afraid it would damage their career to report them.

          It's hard to tell if you were attempting to be condescending with that first sentence. I've been working in IT for 3 decades, so have much more experience than one incident. Going beyond one example is not necessary.

          Re-read my last paragraph, I point out that in SV there is a culture issue to overcome. That said, where I work currently the culture is open and honest and is in SV. Corporations can change their culture, if they try to do so.

          • by Tom (822) on Thursday July 24, 2014 @05:55PM (#47526443) Homepage Journal

            Rubbish! If you are starting from scratch you have to lay the foundation.

            Which foundation? Boring people for half an hour with stuff they couldn't care less about? I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.

            therefor the amount of people with genuine concern will never increase.

            For all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?

            It's hard to tell if you were attempting to be condescending with that first sentence.

            Not at all. If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with. The problem is that culture is pervasive, so if the culture is different, you cannot change it just for this one thing, you need to tackle the entire corporate culture, and as soon as you start you have enemies, namely everyone currently profiting from the existing culture.

            • by s.petry (762400) on Friday July 25, 2014 @02:58PM (#47534115)

              I've seen first hand that many employees consider those security trainings either a waste of their time or a coffee break.

              Ahh, so you work at one of those places with horrible culture.

              or all I know, the only people who think that security awareness training increases the number of people who give a fuck are the marketing drones selling security awareness trainings. People who cared before the training will get information. People who didn't care before will not care after. Why should they?

              Got it, you are a lively participant in the horrible culture and happy to propagate the culture.

              If you've managed to get your people to reliably report incidents, you've managed something that a lot of companies struggle with.

              In 30 years of working IT (right after college which was right after the military) I have seen both good and bad. You are in a bad place with a bad culture, period. It usually takes a whole lot of new-hires and terminations to change a culture (depending on the size of the company).

              As stated in a previous post, this is all behavioral psychology. When management and IT dismiss security as "stupid" and pee away opportunities to share knowledge that is a problem with management and IT. Of course accountants don't care, you are teaching them not to! Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.

              • by Tom (822) on Friday July 25, 2014 @06:11PM (#47535431) Homepage Journal

                Ahh, so you work at one of those places with horrible culture.

                I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.

                It's not a problem of IT security. Fire security trainings are quite similar, except that they have evolved thanks to decades of experience - in a modern company, those responsible know that the fire drill is primarily to drain the assigned helpers and floor supervisors, not the employees.

                Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.

                I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large. Tell me, how many people have you had in those trainings you thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.

                I've had the responsibility of writing or reworking existing IT security policies, and my advise has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.

                I love security. But I think our industries approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.

                • by s.petry (762400) on Friday July 25, 2014 @06:51PM (#47535649)

                  I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.

                  As stated several times alrady, this is a culture problem with a company. Not an issue of security or training.

                  I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large.

                  Your opinion vocalized will ensure that it is a waste of time. I gave an example of ensuring it's not. Hell, I'm not a security trainer. I provide data to ours, and work extensively securing systems and networks. When we have training I nudge people to listen instead of making it a "waste of time" or a "coffee break" as you claim the training is.

                  Most people are not experts, and most people don't deal with risks every day. Showing them "hacking" is like magic to an accountant, and it's a pretty effective way of teaching.

                  Tell me, how many people have you had in those trainings you thought before they went in that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already or boring because it's too technical and not interesting that they filter it out.

                  Wrong question to ask, followed by more of the same rubbish perpetuating your opinion.

                  There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.

                  I've had the responsibility of writing or reworking existing IT security policies, and my advise has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300 page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.

                  Writing policy is not the same as educating people. Two different skill sets. It's interesting that you claim to have so much knowledge yet hate to teach listen to shared knowledge, from a psychological stand point.

                  I'll hear you whine about depth of security policies after you have built and secured NISPOM/JFAN compliant networks. Knowing the policy is required to set them up, audit them, and maintain them. Once again, you bring up people not following or using policies which is a Culture issue and not a security or training issue.

                  I love security. But I think our industries approach to users and security is fundamentally flawed and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.

                  Because everyone is exposed to and knows as much about security as you do right? Rhetorical question, don't answer it. Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.

                  • by Tom (822) on Saturday July 26, 2014 @06:06AM (#47537637) Homepage Journal

                    I gave an example of ensuring it's not.

                    And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.

                    There are numerous ways to get people involved and interested in training. Showing them a hack in progress or playing recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.

                    That means spending a considerable amount of time and effort on everyone. Scale that up to a 3,000 people company. Now get approval for the budget for this. Not many companies are going to spend this amount of money.

                    Writing policy is not the same as educating people.

                    That is true. But you missed the point I was making. Of course you need in-depth technical documents when you actually secure a somewhat complicated system. But the policy - the document that you expect every employee in the company to read and know - should not contain those details.

                    Same with almost every security awareness training I've personally seen. Half of its contents can be thrown out with no loss of vital information, and if the people who run the trainings don't do it (because if they did, they'd only get half as much money for it), then the recipients will do it via filtering. The end result is the same.

                    Because everyone is exposed to and knows as much about security as you do right?

                    No, because the wrong problems are addressed. I've given a keynote not long ago about these things as my contribution to improving the status quo. One of the points I keep repeating is that most password policies actually make passwords less secure, not more. (they follow predictable patterns because most people will build the most simple password the policy allows, for example).

                    What I mean is that we replace actual security with trainings and think it's a solution. Basically, instead of putting belts and airbags into cars, we tell people to not crash into each other - as if they did it intentionally, as if crashes only happened because nobody told people to not crash their cars. Yes, there's a good reason to tell people to drive carefully, but just like those roadside signs, it doesn't give any measurable gain to hammer the message in. Simple messages and time-spaced reminders work better than extensive training. In fact, if you train people too much, you can get the opposite effect, as they become annoyed by being told the same thing they already know for the 100th time.

                    Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.

                    Sure I have my own view and experiences and my attitude is the result of what I've seen and what I think about it. Also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.
                    I don't consider it a psychological problem, it's a simple fact of life. If your life experience is different, you'll have different expectations. By exchanging them here, we can both widen our horizon, which at least for me is the main reason I'm posting.

                    • by s.petry (762400) on Monday July 28, 2014 @05:55PM (#47553751)

                      And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.

                      This does not match what you state later, which is in essence claims that all 3,000 people in your company need in depth knowledge of your security policy. That is, plainly, nonsense.

                      Corporate "Security Awareness Training" has to address the needs of _many_, and not everyone needs that level of detail. In fact very few do, and a small percentage could even understand them. Which could explain your repeated claims of bad experiences.

                      Jane and John, the new accountants, need to know what Phishing is, not what your encryption policy for tape back up is. You previously complained that for you it was redundant so "stupid" (your words). Stop moving the goal post.

                      What I mean is that we replace actual security with trainings and think it's a solution.

                      Security awareness training is not a replacement for security. If a Company believes it does, this matches what I stated repeatedly about a broken culture. Not a Security or Training deficiency.

                      Sure I have my own view and experiences and my attitude is the result of what I've seen and what I think about it. Also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.

                      I know plenty that underscore how bad corporate cultures are and can be. Any Corporate level trainer will tell you the same thing. You have to train everyone in the basics. After they have a grasp of basics, reminders and nudges from audits work. A reminder about phishing attacks will be ignored by people that don't know what phishing is or how it works. Reminders to follow the password policy will be ignored by people that don't know the policy.

                      Finally, as stated previously, there are plenty of people that contribute to poor culture. The guys that talk smack about the training because they know it all are a huge issue. You have to build a culture of security if you want to be secure. That will never happen with a crew of sexual intellects (F'king know it all's) discouraging knowledge sharing and personal growth.

    • Re:well (Score:5, Insightful)

      by dunkindave (1801608) on Thursday July 24, 2014 @12:09AM (#47520685)

      The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough

      Except the article is about spear-phishing. In spear-phishing, the emails are tailored to the intended victim, pretending to be from someone the attacker knows or believes the victim trusts, such as an email from their boss or their HR department, and the emails normally include information that the victim assumes isn't public which adds to the email's trust. Such emails may pretend to contain important employee training updates, company newsletters, specific conference information for conferences the target is known to attend, references by project name to projects the victim is working on, etc. This means the spear-phishing email is very different from typical spam which is clearly marketing, or so generic as to be obvious spam. It also means that without confirming the email's legitimacy via out-of-band methods, it may be virtually impossible to verify if it is real or not.

      The problem for the defenders is the only real defense against a well crafted spear-phishing email is to instruct people NEVER to open an attachment, to click on a link, to visit a website if so instructed, or even to respond with information that may be requested. But such a world would render most business email useless.

      • by techno-vampire (666512) on Thursday July 24, 2014 @12:57AM (#47520807) Homepage
        In spear-phishing, the emails are tailored to the intended victim, pretending to be from someone the attacker knows or believes the victim trusts...

        You mean like the urgent notices I get about my accounts at banks I've never done business with or the "invoices" from companies I've never heard of before, let alone done business with?
        • Re:well (Score:4, Insightful)

          by dunkindave (1801608) on Thursday July 24, 2014 @01:08AM (#47520835)
          No, like if they want to gain access to data in company ACME Co, they do some research about that company, find people who belong to it, often in specific groups they are particularly interested in (the missile division of ACME for example), then seak out information on these people, like what conferences they have attended (attendee lists are often published on the web) or what projects at the company they are working on (a newsletter on the web mentions them in a small article about the Ramrod SuperAgile Counterstrike Missile System), then send them an email tailored just for them: Hi Joe, we found another missile system using flight parameters that may be interesting for use in the Ramrod. Here is the website..., signed your coworker Frank.

          The spam from your bank doesn't normally address you by name, or mention details like your account number or which local branch you use and when. In fact, it is the lack of such details that most people use for clues that it is spam, so when those details are there they typically trust it. That is the gist of the article.
          • by techno-vampire (666512) on Thursday July 24, 2014 @01:37AM (#47520887) Homepage
            The spam from your bank doesn't normally address you by name...

            Actually, much of the spam/phishing email I get claiming to be from my bank has my name in the subject. I'm rather glad it does because I never get any real email from my bank that does this, so seeing my name there is a dead giveaway.
          • In the past, I used whether an email contained my first name as an indicator (a textual token) of whether the email was legitimate, as a sort of password to gain access to your attention. That stopped being useful several years ago as many spammers must have a name database to go with email addresses now. That also would not work for people whose entire first name was in their email address, as is often a corporate practice. Still, the idea of filtering email on a token can make sense, where the token says the sender has been authorized to send you email.

            I still have filters for certain keywords like products I support as a way of doing some of this filtering. A next step could be to tell people (on a contact web page) that they need to include some token phrase like "swordfish" in any email to you if they want it to get read as a first-time sender. Or the token could be a random uuid like "f34f775b-3ccb-45e0-a75e-06f845f0c318". It is relatively easy to make filters in many email clients that would prioritize emails with an expected token. After you get such an email from someone the first time, you can whitelist the sender. Granted, phishing or spam often forges sender email addresses. So, there is a problem here that the validity token ideally should be in every email sent to you to avoid relying on whitelisting address.

            Ideally, there could be one unique token per entity (or email address) you want to get emails from. Then you could selectively disable and change the token if spammers got one. These tokens then are specific to an allowed communications channel. That requires more complexity though. For example, when you signed up for a mailing list, you could give the list a token such as the above (or perhaps just accept a random one from the list signup procedure), and the list software would store that token to include in a header when it sends a message to you. You would also tell your email client about the token being associated with the sender somehow (either the email address or the sender name or perhaps some other unique sender identifier like a public key). When your client software receives email, it would check if the email has the expected token for the sender. If the email does not have the token, it would be marked as probably spam or phishing. Email tools would need to have this facility built into them, both for sending and receiving. Public mailing lists might need to filter out such tokens from their public web pages of email archives to prevent spammers from harvesting such data to spam the list.

            Still, how can people contact you the first time? One answer is to separate the process of getting emails from a trusted source from the process of requesting a token. For example, when someone new wanted to contact you, they could need to go to a web page (or other means) and get a token for their sending email address (or other identifying information, like a public key). That web page might include some sort of captcha challenge or something requiring computational cost or even direct monetary cost (like a small amount of money required to be spent via Paypal or another service, perhaps as a donation to a favorite charity). A web form to do this might need to send a special email to your client that includes both its own token and the new sender and new token, which would need to be processed by your email client to make the association.

            This would be a big difference from now, when the first contact you get from someone new might be directly via a new email which could be the spam or phishing attempt. Tokens could also be valid for a limited time. There could even be general tokens not associated with a specific email address, perhaps time-limited ones, ones that need to be paired with other tokens or perhaps topical key words (like a product name) to be considered valid. This does make it harder for senders to send emails, but it makes it more likely they will be read and not ignored as spam.

            One advantage of this system is it could build on top of the current email

          • by nabsltd (1313397) on Thursday July 24, 2014 @10:23AM (#47522711)

            then send them an email tailored just for them: Hi Joe, we found another missile system using flight parameters that may be interesting for use in the Ramrod. Here is the website..., signed your coworker Frank.

            Frank doesn't sign his e-mail that way, so something must be up. Or, I don't know Frank personally, why would he send this to me? Or, Frank always sticks his head in my office right after he sends and e-mail and asks "did you see my e-mail?", so this must be fake. If your investigations that allow you to "spear phish" are good enough to solve these sorts of problems, you don't need to phish for stuff, you've paid off the cleaning crew and they can just take the papers.

            As for technological solutions (after all, this is /. ), we can assume that the e-mail was flagged as arriving at our e-mail server from an external server (i.e., not authenticated against our network), so it has a header added that causes it to be filtered by e-mail rules to not go directly into the inbox, but instead into the "external contacts" folder. Yes, I know most companies don't do this, but they should. My company adds headers, but doesn't automatically filter...that's up to the user.

        • by N1AK (864906) on Thursday July 24, 2014 @03:03AM (#47521035) Homepage

          You mean like the urgent notices I get about my accounts at banks I've never done business with or the "invoices" from companies I've never heard of before, let alone done business with?

          What exactly's your point? Obviously emails about accounts with banks you don't use aren't going to catch many people (although if they're threatening consequences like fines or rewards it'll catch some of the more naive), but when it gets to someone who does use that bank/business the effectiveness increases considerably. What you're doing is the equivalent of laughing at advertising billboards, roughly 3/4s of the people who see an add for female deoderant aren't the target market but the company knows that and doesn't care because the cost is worth it to reach the 25% it wants.

          • by Sique (173459) on Thursday July 24, 2014 @03:14AM (#47521061) Homepage
            Even if I get spam that claims to be from my bank, I can see it being spam because I got similar spam allegedly from other banks I never did business with. The same with the two messages of unclear status, I seem to have with so many sites, that the one that claimed to have sent by a site I actually have an account with was easily spotted.
          • by techno-vampire (666512) on Thursday July 24, 2014 @03:17AM (#47521073) Homepage
            My point is that all of those emails I get about accounts I don't have is a counter-example to the claim that spear-phishing is carefully crafted to look real.
            • by Anonymous Coward on Thursday July 24, 2014 @05:14AM (#47521305)

              You don't grasp the concept of spear-phishing at all, and you've almost certainly never been targeted by it. Generic emails crafted to look like they're from your bank are NOT spear-phishing - they're sent out en masse, along with lots of others crafted to look like different banks, just like any other phishing attempt.

              A hypothetical spear-phishing attack from your bank would address you by your real name, with specific reference to the names of accounts and products you actually hold with them (not just "your account"). A genuine junk email from my bank includes my name, post code (zip code for the Americans), the name of a now-obsolete credit card that I have, and several digits of its number. A spear-phishing attack could include all of that - the last four digits of a credit card are easily available from any store receipt. The phishing emails you talk about include none of it.

            • by raymorris (2726007) on Thursday July 24, 2014 @09:37AM (#47522417)

              You're talking about regular phishing. Phishing is not spear-phishing. Phishing, like fishing, involves casting out a bait and hoping that someone (anyone) takes the bait.

              Spear-phishing, like spear-fishing, is DEFINED as identifying a specific target and launching your weapon against that target specifically.

    • by kajla00007 (3757539) on Thursday July 24, 2014 @12:35AM (#47520747) Homepage
      That i well said
    • Re:well (Score:4, Informative)

      by Joe Gillian (3683399) on Thursday July 24, 2014 @07:51AM (#47521819)

      I think it's more that the criminals tend to structure their phishing emails around things that look like they need to be clicked - I've seen a lot of phishing emails that purport to be from the reader's bank (I've gotten a few of these, all mimicking banks I don't use) telling them that fraud has been detected on their account or that there's some other urgent issue threatening their money. A lot of people will click these things without even giving it a second thought because to them, it looks like their life savings/credit score are at stake.

  • Remember (Score:4, Interesting)

    by djupedal (584558) on Wednesday July 23, 2014 @11:42PM (#47520603)
    It's the singer....not the song.

    School smarts lose to street smarts.
  • by Anonymous Coward on Wednesday July 23, 2014 @11:45PM (#47520611)

    and DON'T appear to be selling anything?

  • by tquasar (1405457) on Wednesday July 23, 2014 @11:45PM (#47520613)
    No, they're not. I use filters, blocking, caller ID, etc. and kinda know who calls or sends me email, so even if my stuff was wide open it would be delete, delete, delete do not pick up.. Anyone who works from home or is home during the day or at dinner time gets spam calls even when trying to be a "Do Not Call" person. Who makes this stuff up? A generation of clickers? Really Slashdot?
    • by Anonymous Coward on Wednesday July 23, 2014 @11:47PM (#47520617)

      No, they're not. I use filters, blocking, caller ID, etc. and kinda know who calls or sends me email, so even if my stuff was wide open it would be delete, delete, delete do not pick up.. Anyone who works from home or is home during the day or at dinner time gets spam calls even when trying to be a "Do Not Call" person. Who makes this stuff up? A generation of clickers? Really Slashdot?

      Do you have some kind of confusion that prevents you from distinguishing phone calls from e-mails?

  • by Animats (122034) on Wednesday July 23, 2014 @11:48PM (#47520621) Homepage

    I was getting so much LinkedIn related junk that I stopped using LinkedIn and sent all email from them, or purporting to be from them to trash. If LinkedIn isn't putting in the effort to find their attackers, why should I use them?

  • by Anonymous Coward on Wednesday July 23, 2014 @11:54PM (#47520631)

    Trying harder counts. The fact that these people only have to think about how make people read and click, and not any legalities also helps considerably.

  • by xxxJonBoyxxx (565205) on Wednesday July 23, 2014 @11:57PM (#47520643)

    >> can tell-apart

    You can't fool me...I'm not going to click any links on this craptacular "story."

  • by Anonymous Coward on Wednesday July 23, 2014 @11:58PM (#47520645)

    Holds true for phishing and marketing. IDK were they are getting their numbers, I've clicked exactly once on a phishing link. The average day when I am not adjusting my filters to not see them I see 3 or 4 a day. My filters catch hundreds/day for over a decade now.

  • by super_scalt (2978137) on Wednesday July 23, 2014 @11:59PM (#47520651)
    .. would be if the link in this article was in itself a phishing scam
  • by dilvish_the_damned (167205) on Thursday July 24, 2014 @12:23AM (#47520711) Journal

    Trained to click on shit by bad interface design. It might have been a different story if UI designers didn't think every simple little thing demanded the users exclusive attention and acknowledgment right now.

  • by Anonymous Coward on Thursday July 24, 2014 @12:38AM (#47520755)

    How do we known that the link in the post isn't a phishing attempt tailored to /. readers?

  • by gweihir (88907) on Thursday July 24, 2014 @12:56AM (#47520801)

    The phishing emails I get (and I get a few...) are targeted at semi-literal morons that have no clue how the world works. But it may be that there are a lot of these people around, judging from other observations.

  • by PPH (736903) on Thursday July 24, 2014 @01:05AM (#47520827)

    From TFA:

    people clicking on a link in the email that goes to a malicious website that looks harmless but can have total control over their PC in less than five seconds

    That's not really phishing. More like a drive-by download. Phishing is where the e-mail or web site attempt to truck the luser into entering an ID/password for the legitimate site being masqueraded.

    Phishing attempts to exploit a weakness in the user, downloads exploit the o/s or client software.

  • by pr100 (653298) on Thursday July 24, 2014 @03:04AM (#47521037)

    Criminals can promise things that legit marketing emails can't.

  • by curty (42764) on Thursday July 24, 2014 @03:09AM (#47521047)

    If the marketing experts used the same tactics (disguising their emails as linked-in requests) they could compete with the cybercriminals.

    Some things about this article smell. The author is a director of the company whose research the article cites. And what about the claim that "a dating website was hacked and approximately 10% of the passwords were âoelove1234â"

    That seems like a lot! (Unless there were only 10 accounts....)

  • by pereric (528017) on Thursday July 24, 2014 @04:45AM (#47521241) Homepage
    What about making it as wide-spread as possible organization policy to alway *sign* your e-mail with pgp / gpg?
    That would at least increase the effort needed (ie, actual access to someones computer) to send "genuine" e-mail from a coworker ...
  • by blackest_k (761565) on Thursday July 24, 2014 @04:47AM (#47521245) Homepage Journal

    The one that seems to catch people out is the link which they click on in a mail in gmail.
    that takes them to gmail.google.com.myphishingsite.info/sessionexpired
    which presents them with a message like session expired please login to your gmail account and the top line already has their email address all they need do is enter their password.

    Most people don't question why would that happen a few seconds after clicking on the link
    quite possibly because Google and facebook don't take you straight to a link they log it first by an intermediate page and then redirect you to the destination (i see it all the time on my slow connection).
    The page looks authentic and they tend not to look at the address bar and see the bolded address myphishingsite.info.
    often its a site like fgjfjhki23d.info a random jumble of characters just like the ones a site like google and facebook use all the time. People are used to seeing this sort of thing
    e.g http://it.slashdot.org/comment... [slashdot.org] of this address (taken from the address on this page) only it.slashdot.org make any sense to most people and thier eyes glaze over beyond the initial it.slashdot.org

    Thats a problem without any training in website design then its pretty hard to tell the real from the fake.
    Thing is once an email account has been harvested it immediately sends out a 100 emails to the address book of that user and the same thing happens again.

    Most people think they had thier email hacked not realising they gave away thier password.
    kind of hard to stop people for falling for this sort of thing. The emails are even clever enough to redirect to an alternative page once the fake webmail page has been brought up once.

    People here would say its because people are stupid, but most people just don't have enough knowledge or interest in this area to know when something is fake or genuine.

    It is probably impossible to fix especially when the sites we use everyday use random looking charactor sequences as part of the url.

  • by lippydude (3635849) on Thursday July 24, 2014 @05:53AM (#47521381)
    "Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today."

    Only on Microsoft Windows, the Operating System that made clicking on a URL or opening an email attachment dangerous. Mainly because Windows doesn't know the difference between OPEN and RUN. If you want to be safe doing your online banking then use a LiveCD [ubuntu.com]
    • by sociocapitalist (2471722) on Thursday July 24, 2014 @08:46AM (#47522113)

      "Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today."

      Only on Microsoft Windows, the Operating System that made clicking on a URL or opening an email attachment dangerous. Mainly because Windows doesn't know the difference between OPEN and RUN. If you want to be safe doing your online banking then use a LiveCD [ubuntu.com]

      A live CD isn't going to help against a redirect attack and subsequent harvest of your login credentials.

      The only real protection for this type of attack is if your banks, credit card companies, etc. and you use one time passwords (i.e. one or more tokens of some sort)

    • by GuB-42 (2483988) on Thursday July 24, 2014 @12:59PM (#47523875)

      Mainly because Windows doesn't know the difference between OPEN and RUN.

      And what is the difference between "open" and "run" ?

      If you are at a system level, of course windows makes a difference between open (as in "give me a handle to a resource") or run (execute code).

      If you are at a GUI level, and it's probably what you are thinking about, it's not about windows or linux or whatever, it's about the program you are using to do the "open". When you are clicking on an URL or an email attachment, the browser or mail program decides what to do with it.
      On windows, many apps use the "ShellExecute" action with the default action which is the same as double-clinking a file on the desktop but it is not the only way to do it. On linux, there isn't a standard way of opening files so it's really app dependent.

  • by mark_reh (2015546) on Thursday July 24, 2014 @06:13AM (#47521447) Journal

    That's easy. They don't care about laws that are intended to protect people from "legitimate" marketers. When you don't worry about the law you can literally do and say whatever you want.

    New news:
    Bank robbers withdraw more money from banks than they have in their accounts!

  • by sabbede (2678435) on Thursday July 24, 2014 @07:35AM (#47521727)
    Advertisers and marketeers are trying to sell something real (that might not be interesting enough to click), and aren't allowed to lie. Phishers are already breaking the law, so no worries about false advertising or dull products.
  • by ArcadeMan (2766669) on Thursday July 24, 2014 @07:35AM (#47521731)

    Life is pain, Highness. Anyone who says differently is selling something.

  • by ruir (2709173) on Thursday July 24, 2014 @11:06AM (#47522987) Homepage
    I have received a couple of years ago a dozen emails with messages of account terminations-or-you-have-to-click here to review from "Apple" that looked like the real deal, and only at looking to the headers you would notice they were coming from someplace else, and where using strange URLs. If you were looking at the emails, they looked like the real deal.
  • by iMadeGhostzilla (1851560) on Thursday July 24, 2014 @11:21AM (#47523101)

    And it would be simple: the browser would know that it's reading email (from URL -- gmail, yahoo, custom) and *would not open any links* the user may click on unless the link URL is on the click-to-open whitelist (initially empty). It would still let you copy the link to the clipboard (possibly with a warning) that you could paste yourself in a new tab (possibly with another warning), but this speed bump of having to take the destination URL in your hands, so to speak, would -- I'm assuming -- be good enough to let you pause and think if "support-raytheon.com" is really where you want to go.

  • by oldmac31310 (1845668) on Thursday July 24, 2014 @11:38AM (#47523251) Homepage
    just what the f*** is that?

"Never face facts; if you do, you'll never get up in the morning." -- Marlo Thomas

Working...