Monday, January 26, 2009

Don't be a Phish

I admit that I'm partial to the music of Phish, but I don't appreciate the constant stream of web-based IQ tests that are finding their way to my inbox.

A few days ago, I shared a phishing attempt that represented itself to be from Google. Would you have fallen prey? Why my Gmail account failed to recognize it, I'm still wondering... But surely, more elaborate phishing attempts can be anticipated.

How about a follow-up test?
One of the two websites below is authentic, the other is a phishing attempt disguised to trick users into giving away their login details. Can you tell which is which? What additional information do you need in order to decide?

Would you like a hint or two?

This is a copy of the original email that linked to both the real Paypal site, and the phishing site. DO NOT ENTER ANY INFORMATION INTO THE FIELDS OF THE PHISHING SITE.

With luck, your browser may warn you before displaying the dishonest site; and in most cases, close inspection of the web address (the link's real target rather than the text it shows, and then the address bar once the page has loaded) will tell you whether you are at the authentic site. Note that it is possible for the operator of a phishing site to cloak the real address and to display a false but authentic-looking domain name, so the address alone is not proof.
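Here is what "close inspection of the web address" looks like when you do it by hand rather than by eye. This is an added example written for this post, not code from the original article or from PayPal; the sample message, the expected domain, and the helper names are all my assumptions. It pulls every link out of an HTML e-mail, compares where the link really goes with what it appears to say, and flags the usual disguises: a plain http link, the brand name buried as a subdomain of someone else's domain, a user name before an @ sign that hides the real host, a bare IP address, and a look-alike domain that differs by one character.

```python
"""Inspect the links in an HTML e-mail: judge each one by where it really goes,
not by what it says.  Added example; the sample message, EXPECTED_DOMAIN and the
helper names are assumptions, not anything from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed sample message.  The first link is genuine; the rest imitate the
# tricks discussed in the post.  None of these hosts refer to a real site.
SAMPLE_EMAIL = """
<p>Dear member, please <a href="https://www.paypal.com/">log in</a> to review
your account, or <a href="http://www.paypal.com.account-verify.example/">confirm
your details</a> now.  You can also use
<a href="https://www.paypal.com@203.0.113.10/">https://www.paypal.com/</a>
or <a href="https://paypa1.com/login">https://paypal.com/login</a>.</p>
"""

EXPECTED_DOMAIN = "paypal.com"  # assumption: the brand the mail claims to be from


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of the host (assumption: good enough without a public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def looks_alike(domain, expected):
    """Crude look-alike test: same length and exactly one character differs."""
    return (domain != expected and len(domain) == len(expected)
            and sum(a != b for a, b in zip(domain, expected)) == 1)


def inspect_link(text, href, expected=EXPECTED_DOMAIN):
    """Return a list of warnings for one link; an empty list means it checks out."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # Everything before the @ is a user name; the browser connects to `host`.
        warnings.append("text before @ is a user name; real host is %s" % host)
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a domain")
        is_ip = True
    except ValueError:
        is_ip = False
    domain = registrable_domain(host)
    if host and not is_ip and domain != expected:
        if ("." + host + ".").count("." + expected + "."):
            warnings.append("%s is only a subdomain label; the site is %s" % (expected, domain))
        elif looks_alike(domain, expected):
            warnings.append("look-alike domain %s (expected %s)" % (domain, expected))
        else:
            warnings.append("points at %s, not %s" % (domain, expected))
    # Link text that looks like a URL but names a different host than the target.
    shown = urlsplit(text).hostname if text.startswith(("http://", "https://")) else None
    if shown and shown.lower() != host:
        warnings.append("text shows %s but the link goes to %s" % (shown, host))
    return warnings


def suspicious_links(html, expected=EXPECTED_DOMAIN):
    """Return [(href, warnings)] for every link in the message that raised a warning."""
    flagged = []
    for text, href in extract_links(html):
        warnings = inspect_link(text, href, expected)
        if warnings:
            flagged.append((href, warnings))
    return flagged


if __name__ == "__main__":
    for href, warnings in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for w in warnings:
            print("   -", w)
```

Run it against a saved copy of a suspect message (never by clicking the links) and it reports three of the four links, while the genuine PayPal link passes clean. The look-alike test is deliberately simple; a real mail filter would add a public-suffix list and a homoglyph table, but the one-character check already catches the digit-for-letter swap used in the sample.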

This kind of mimicry is what fooled many in the Twitter community into sharing their login details during last month's phishing expedition. Though that episode appears to have been horseplay, the consequences of falling for such a ploy can be serious. It's just one more reason to follow practical password advice.

If you're looking to teach others about 'phishing', I highly recommend the clever creative work of Common Craft. Regardless of your audience, Phishing Scams in Plain English is a great little tutorial.