Sep 09 2009

How’s your phishing savvy?

Published by at 12:37 pm under General

I’ve taken the SonicWall phishing quiz, or at least one very like it, at least once a year for the last few years.  It’s a fun test of your ability to recognize a phish at a glance, but the reality is that it’s more depressing than fun.  After a few examples you start to realize exactly how hard it really is to recognize a well done phishing attempt.  And that if security professionals have a hard time recognizing phishing attempts, what’s it like for our parents and non-geek friends? 

This is the really scary thing about phishing to me:  If I can’t easily recognize a phish and all the filters I use are having a harder and harder time sifting the good email from the bad, how long is it before we have to throw up our hands and declare the bad guys the winners?  I’ve read reports that state anywhere between 75% and 95% of all email on the Internet is actually spam these days, even though the numbers are apparently a bit down the last month or two.  How long can we sustain a minimum level of usability under those conditions?  I know that some non-geek members of my family are already stepping back from email simply because of the spam, so I’m sure there are others out there.

By the way, I scored 10/10.  How’d you do?

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

10 responses so far

10 Responses to “How’s your phishing savvy?”

  1. Imranon 09 Sep 2009 at 1:22 pm

    Hey Martin,

    Sad, but true. It is getting harder and harder for us security proffessionals to identify a phish at first sight; they are getting better at it.

    Thanks for posting the Phishing test. BTW, I got 10/10 as well.

  2. The DONon 09 Sep 2009 at 1:55 pm

    I scored 9/10…
    I flagged the bank of choice as being a phishing scam when it was legitimate.
    If I had a bank of choice account, then I would have checked the phone number given before calling it.

    I am quite pleased with my results on the whole though, and I share your view on how others would / would not be able to perform as well.

    It surprised me how many things have to be taken into account when deciding if a message is a scam or legitimate, I had never actually thought about it as a process in any detail before.

    I would dispute the 75 to 95% figures, but I am fairly careful about who I give my email address to.

  3. […] the original post: Network Security Blog » How's your phishing savvy? Share and […]

  4. Mallikarjunon 10 Sep 2009 at 7:54 am

    I scored 8/10, but felt sad for missing those 2.

  5. […] out your ability to get off the hook in a phishing attack. Network Security Blog >> How’s your phishing savvy? Tags: ( phishing […]

  6. Kris Amundsonon 10 Sep 2009 at 4:57 pm


    I have turned into habit staring at the to/from headers, mousing over URLs to see how long that domain is they are taking me to, and what exactly they are asking of me.

    Also, if say, Discover is trying to get a hold of me, I will not use any email links to login, but use my own verified browser bookmark with credentials that are stored in a GPG file. Or call them.

    I never save passwords in Firefox.

    I also treat additional verification questions as additional passwords. One can social engineer where I went to high school (resume), or where I bought a house (public records). I make up answers to these which also go into the GPG file. User names can also be guessed and where applicable, I mix these up. If I have to reference my GPG file anyway, there is no additional work to make my username “xx9888–149” vs. “foob” or “foobar” since I am cutting and pasting all of this. Mostly what I encounter is poorly written web apps that don’t except a full ASCII set for passwords (the worst are ones that truncate length without telling you).

    The GPG file (and the rest of laptop) sits on top of a LUKS partition. With good nightly backups all I loose in theft situation is the hardware.

    Google “diceware” for a decent methodology for creating easy to remember but more difficult passwords (if you have to remember them). I use a different delineator other than a space bar due to the analysis one can do on acoustics (this one is more for grins.. no I’m not wearing any tinfoil). :)

    Will this stop the NSA? Nothing beats the pipe wrench or rubber hose crypto analysis method, but it’s good enough for me. :)

  7. Pen Testeron 11 Sep 2009 at 2:01 am

    Harder than i would have thought! But still 10/10.

    I will pass this around the office. Thanks

  8. Mikeon 12 Sep 2009 at 10:51 pm

    9/10 – Bank of Choice one got me as well – didn’t look into it at all, but it just seemed they were asking for a lot of information. I also don’t have any of those services/accounts, so I think a 9/10 was pretty good. I also don’t get any phishing email, so my ‘low observability’ tactic online seems to be working. 😉

  9. Richieon 11 Nov 2009 at 11:59 am

    it’s an interesting and also problematical point that up to 95 per cent of all emails on the internet is just spam. And i have to draw the attention to the fact that also my personal experience verfies this thesis. The main problem was that many of these mails were “delivered” to the inbox of my business mail account. Furthermore, i wasn’t able to identify (possible) phishing mails. btw .. i solved the problem by implementing a virtual appliance from underground8, which is a serious supplier for email security products.

    Here is the link, where you can download a test-version of this virtual appliance (14 days for FREE):

    Best regards,

  10. Jlyonson 19 Apr 2011 at 12:04 pm

    I scored 8/10, but felt sad for missing those 2.

%d bloggers like this: