Phishing & BotNets

explaining phishing to a naive user
Jan 24 2007 05:43AM, Saeed Abu Nimeh (drellman hotmail com) (5 replies)
Re: explaining phishing to a naive user, Feb 14 2007 09:44AM, Lionel Ferette (lionel ferette belnet be)
Re: explaining phishing to a naive user, Feb 11 2007 11:27AM, Isaac Perez Moncho (suscripcions tsolucio com)

> Hi All,
> If I want to explain email phishing to a set of users (novice,
> intermediate, and expert), can I summarize --let us say-- a list of 100
> questions that a user answers gradually to find out if this email is
> phishing or not? Examples of questions I can think of:
> - does email contain html
> - does email contain java script
> - is there a mismatch between the url displayed in the email and the
> source link <a href>
This remains the only way to figure out that something is wrong. A close
look at the href and the URL displayed in the e-mail will reveal
phishing to a trained eye even if it uses XSS. This, still, is not a
foolproof way if the e-mail looks like "click here" (where "click here" is
a link).
> - does the email contain misspellings
About 40% of a country's population misspells words. This is not
something to direct your attention to.
> - does the email contain an open greeting (i.e. dear customer instead of
> dear j smith), etc.
Depends on the site that is sending the e-mail. There is more than one
site that will use "dear customer" or "dear member" instead of
addressing you by name.
> I was thinking of summarizing a couple of hundred questions (or less)
> targeted to novice, intermediate and expert users. I have around 20
> things in mind, however I was hoping to get more.
> Thanks,
> Saeed
> p.s. of course answering one question by itself will not lead to the
> conclusion that this email is phishing. For example: the email contains html
> does not mean it is automatically phishing
>
The bottom line is this. There is no way to tell if an e-mail is what it
pretends to be by simply looking at one e-mail received from that
source. The most common way to spot phishing attacks is by knowing the
normal format of the e-mails sent by a certain site. The point is to
train your users to do things like:
- not click on a URL directing them to a login page; instead, tell them
to log in by normal site access via Internet Explorer
- use common sense; do not give away your ATM PIN number when the first
guideline in any bank that will give you a credit/debit card is to tell
you that you must NOT give away your PIN number even to employees of
that bank. Explain to your users that the data stored on servers of the
firm/institution they are accessing online does not require them to
validate data using their personal information. If the site they are
accessing really is that stupid/careless as to shred their personal data
from their servers, then it is probably not a very good idea to sign up
with them in the first place. If they receive an email telling people
that they should do this and that, things that they are feeling
uncomfortable with, they should first call the support staff at that
site via an authenticated phone line.
The attacks presented as phishing will continue and will get more and
more advanced as the weakest layer in protection remains the human
being. As Kevin Mitnick puts it: once you get a user to divulge
information, however insignificant it may be, the game is over.
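The checklist questions from the thread (does the mail contain HTML, does it contain script, does the displayed URL disagree with the href) together with the reply's "click here" caveat, as an added Python example that is not part of the original posts. The sample message, the `.test`/`.invalid` domains and the function names are constructed for illustration and are not from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Records each <a href> with its visible text and whether tags/script appear."""
    def __init__(self):
        super().__init__()
        self.links, self.saw_tag, self.saw_script, self._in_a = [], False, False, False

    def handle_starttag(self, tag, attrs):
        self.saw_tag = True
        if tag == "script":
            self.saw_script = True
        elif tag == "a":
            self._in_a = True
            self.links.append([dict(attrs).get("href") or "", ""])

    def handle_data(self, data):
        if self._in_a and self.links:
            self.links[-1][1] += data          # accumulate the visible link text

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False

def _host(text):
    """Hostname of a URL or bare domain written in text ('' if none)."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def _names_a_domain(text):
    """'www.bank.test' can be compared with the href; 'click here' cannot."""
    return "." in text.strip() and " " not in text.strip()

def phishing_indicators(body):
    """Answer the checklist questions for one e-mail body (True = suspicious)."""
    p = _LinkCollector()
    p.feed(body)
    mismatch = [h for h, t in p.links if _names_a_domain(t) and _host(t) != _host(h)]
    vague = [h for h, t in p.links if h and not _names_a_domain(t)]
    return {"contains_html": p.saw_tag, "contains_script": p.saw_script,
            "href_text_mismatch": bool(mismatch),
            "vague_link_text": bool(vague)}   # nothing to compare: read the href itself

# Constructed sample: visible text names the bank, but the href host is different.
SAMPLE = ('<html><body><p>Dear customer, confirm your details at <a href='
          '"http://login.example-bank.test.attacker.invalid/">www.example-bank.test</a>'
          ' or <a href="http://attacker.invalid/verify">click here</a>.</p></body></html>')
```

As the original poster notes, one true answer is not a verdict on its own; the dictionary is meant to be read as a whole, and `vague_link_text` only flags that the href must be inspected by hand.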