Phishing and Spam IQ Quiz - Will You Pass?

I just took the Sonicwall Phishing and Spam IQ Quiz and I’m proud to say I passed with flying colors.  All told, it probably took under 5 minutes to complete, while I was getting ready to leave for work. 

It’s doubtful if Sonicwallwill ever release any data from this quiz, but I would hazard a guess that the results wouldn’t surprise anyone.  Those who would describe themselves as “technical” probably got near to 100% in all cases, while those who could be described as non-technical probably scored similarly to random chance.  If you consider yourself techincal and still missed a few, consider this.  These emails are deliberately designed to be deceptive.  Any of us scoring 100% probably applied my more care and reasoning to the quiz then we normally do to our email.  If everyone went at their typical scanning speed, I’m sure there would have been no perfects!

So, why is it that to some of us these phishing scams are blindingly obvious?  I think the answer lies in what we look for.  For most of the technical audience taking the test, I would suspect they scanned the emails the same way I did.  Look only at the urls, if they “look” legitimate they probably are, if they “look” fake they are probably a scam.

My thought is that a less sophisticated user would probably read through the email, trying to weigh the tone of authority, the context and various other clues to determine if it was legitimate or not.  And therein lies the problem.  By even reading the email they have started to sell themselves into the “false context” trick of the social engineer.  People will do seemingly careless things (give away social security numbers, passwords, etc) if the context is crafted in a way to make them believe “this is okay”.

How can we defend against this, both for the people we may be educating , but also to ourselves?  My personal plan is to develop “shortcuts”.  Logical rules that will immediately tell me whether something is probably a scam or not.  That way I don’t allow myself to get caught up in the narrative and buy into the context offered.  For instance, in the quiz above, my personal “rule” or shortcut was to look at the url, if it looked odd I would assume that it was fake.  There is little to lose by doing this because if it turns out to be a legitimate request, someone will contact you another way.

Anyone out there brave enough to admit they have fallen for a scam?  What were the telltale signs, that are now obvious, that you didn’t pick up on?  Do you have any personal “shortcuts” that you use when evaluating emails, phonecalls or other requests for your personal information.

If you are a system administrator I implore you to create a similar test for your users and report back with the results!