McAfee have a great ten-question quiz to challenge whether or not you can spot phishing sites. Give it a go. I got 9 out of 10.
Once you finish, it shows you the answers, and how to spot the fake sites.
Of course, one of the problems is that a prime indication of a fake site is awkward or badly phrased wording. This, unfortunately, is not limited to fake websites. While it isn’t generally a trait of big corporate websites, which have professionals working on them, there are any number of smaller businesses with badly designed, misspelt or awkwardly worded sites.
In most cases, it’s careful inspection of the URL that will tell you for sure whether you’re talking to the right people. Some of the quiz examples hid this information to make you look for other signs, which was good. But in practice every browser should be displaying the URL. Some older versions don’t do this on popup windows and the like, which is a problem: you can still see it by right-clicking and looking at the properties of the page, but most people wouldn’t remember to do this consistently.
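As an added illustration of what "careful inspection of the URL" actually means (this is example code written for this note, not part of the original post or the McAfee quiz): the part of a link that decides who you are talking to is the hostname, and a phishing link can bury the real host behind a bank-like subdomain or a `user@` prefix. The domain names below are constructed, reserved example names, and `bank.example` is the hypothetical site you expect to be logging in to.

```python
"""Check whether a link really points at the site it appears to belong to.

Added example, not code from the original post.  The sample links are
constructed for illustration using reserved example domains; 'bank.example'
stands in for the site the reader expects to be dealing with.
"""
from typing import Optional
from urllib.parse import urlsplit


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase host a browser would actually connect to.

    urlsplit().hostname discards the scheme, any user:password@ prefix,
    the port and the path, so 'https://www.bank.example@attacker.example/'
    yields 'attacker.example', not the bank.  A bare 'bank.example/login'
    pasted into an e-mail has no scheme and would otherwise parse as a
    path, so 'http://' is assumed in that case.
    """
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the host is expected_domain or a subdomain of it.

    'www.bank.example' belongs to 'bank.example';
    'bank.example.attacker.example' and 'bank-example.example' do not,
    even though both contain the bank's name.
    """
    host = hostname_of(url)
    if host is None:
        return False
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def classify_links(links, expected_domain):
    """Return {href: 'ok' | 'suspect'} for a batch of links from a message."""
    return {href: ("ok" if belongs_to(href, expected_domain) else "suspect")
            for href in links}


# Constructed sample links: the host tricks a phishing mail typically uses.
SAMPLE_LINKS = [
    "https://www.bank.example/login",                   # genuine
    "https://WWW.BANK.EXAMPLE/Login",                   # genuine, odd case
    "https://www.bank.example.attacker.example/login",  # bank name as subdomain
    "https://www.bank.example@attacker.example/login",  # bank name as userinfo
    "https://bank-example.example/login",               # hyphenated look-alike
    "bank.example.attacker.example/login",              # no scheme at all
]

if __name__ == "__main__":
    for href, verdict in classify_links(SAMPLE_LINKS, "bank.example").items():
        print(f"{verdict:8} {str(hostname_of(href)):40} {href}")
```

The check deliberately compares only the hostname, not the whole URL: path, query string and the text shown in the e-mail are all under the sender's control and prove nothing. The same comparison is what you do by eye in the browser's address bar; the code just makes explicit where the host ends and the attacker's part begins.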
Definitely have to agree. Since legit sites will have errors and not everyone is a professional proofreader who will catch some of the less glaring errors McAfee pointed out, there needed to be other factors to look for that they left out.
But on the Capital One and AOL ones, where they pointed out a wrong logo or slightly-off copy of the logo… WTF? Like I know the finer points of the AOL and Capital One logos? I got both of them right because of other telltale signs, like asking for way more information than they needed.
And your point about the URLs was important. In 99% of cases, the dead giveaway is in the link in the phishing e-mail and you just never even click it.
But most important is that this test isn’t so much for consumer education, but for marketing. McAfee doesn’t want to teach you enough to avoid phishing sites on your own. They want to make you feel helpless while establishing themselves as experts, which is why they hide important clues (like URLs) and use stuff like the logo being slightly off as indicators. They want you to buy their software to help protect you against phishing sites and you’re not going to do that if you pass their test with flying colors, feeling confident about your phishing avoidance skills, are ya?
So, which one did you get wrong? I got the Chase one wrong 🙁 Still, 9 / 10 isn’t too bad.
I got 8/10 – I got the AOL and Capital ones wrong – as Greg says above, I don’t know the ins and outs of their corporate. However, if I had an account with them, I would know. And given I don’t have one, I would neither respond to an email from them nor try to log in to their website… So therefore I wouldn’t have been caught out!
I don’t remember which one I got wrong, but yeah – there’s no particular reason one would know the intricacies of a corporate logo, for instance (esp. bearing in mind they change from time to time; e.g. Qantas are about to tweak their logo).