Phishing and Spam IQ Quiz – Will You Pass?

I just took the Sonicwall Phishing and Spam IQ Quiz and I’m proud to say I passed with flying colors.  All told, it probably took under 5 minutes to complete, while I was getting ready to leave for work. 

It’s doubtful whether Sonicwall will ever release any data from this quiz, but I would hazard a guess that the results wouldn’t surprise anyone.  Those who would describe themselves as “technical” probably got near to 100% in all cases, while those who could be described as non-technical probably scored similarly to random chance.  If you consider yourself technical and still missed a few, consider this.  These emails are deliberately designed to be deceptive.  Any of us scoring 100% probably applied much more care and reasoning to the quiz than we normally do to our email.  If everyone went at their typical scanning speed, I’m sure there would have been no perfects!

So, why is it that to some of us these phishing scams are blindingly obvious?  I think the answer lies in what we look for.  For most of the technical audience taking the test, I would suspect they scanned the emails the same way I did: look only at the URLs.  If they “look” legitimate they probably are, and if they “look” fake they are probably a scam.

My thought is that a less sophisticated user would probably read through the email, trying to weigh the tone of authority, the context and various other clues to determine whether it was legitimate or not.  And therein lies the problem.  By even reading the email they have started to sell themselves into the “false context” trick of the social engineer.  People will do seemingly careless things (give away social security numbers, passwords, etc.) if the context is crafted in a way that makes them believe “this is okay”.

How can we defend against this, both for the people we may be educating, but also for ourselves?  My personal plan is to develop “shortcuts”: logical rules that will immediately tell me whether something is probably a scam or not.  That way I don’t allow myself to get caught up in the narrative and buy into the context offered.  For instance, in the quiz above, my personal “rule” or shortcut was to look at the URL; if it looked odd, I would assume that it was fake.  There is little to lose by doing this, because if it turns out to be a legitimate request, someone will contact you another way.
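The “shortcut” above can be written down as mechanical rules, which is useful both for teaching users what “looks odd” means and for running the same check over a mailbox. The following is an added example, not code from the original post or from the quiz: it pulls every link out of an email body and applies a handful of URL-only rules (registered domain not on a personal trusted list, a known brand name embedded in an untrusted domain, a raw IP address in place of a hostname, a userinfo `@` in the authority, and link text that shows a different domain than the `href` actually points to). The trusted-domain list, the helper names and the sample message are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the domains this reader actually has accounts with (example values).
TRUSTED_DOMAINS = {"examplebank.com", "paypal.com"}

# HTML anchor: capture the href target and the visible link text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Bare http(s) URL appearing in text.
BARE_URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def registered_domain(host):
    """Crude 'last two labels' approximation of the registered domain (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(href, visible_text=""):
    """Apply the URL-only rules; return the list of reasons that fired (empty means nothing odd)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if not host:
        reasons.append("no hostname in link")
        return reasons
    if IPV4_RE.match(host):
        reasons.append("raw IP address instead of a domain name")
    if "@" in parsed.netloc:
        reasons.append("userinfo '@' in authority; the real host is what follows the '@'")
    reg = registered_domain(host)
    if reg not in TRUSTED_DOMAINS:
        reasons.append(f"registered domain {reg!r} is not on the trusted list")
        # A known brand name glued onto an untrusted domain (e.g. 'online' added to the bank's name).
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in reg and reg != trusted:
                reasons.append(f"{reg!r} borrows the brand {brand!r} from trusted {trusted!r}")
    # Visible link text shows one domain while the href goes somewhere else.
    for shown in BARE_URL_RE.findall(visible_text):
        shown_host = urlparse(shown).hostname or ""
        if shown_host and registered_domain(shown_host) != reg:
            reasons.append(f"link text shows {shown_host!r} but href goes to {host!r}")
    return reasons


def scan_email(body):
    """Run check_url over every link in an email body; return {href: reasons} for links that fired."""
    findings = {}
    for href, text in ANCHOR_RE.findall(body):
        reasons = check_url(href, re.sub(r"<[^>]+>", "", text))
        if reasons:
            findings[href] = reasons
    # Bare URLs outside of anchors (anchors removed first so their text is not double-counted).
    for href in BARE_URL_RE.findall(ANCHOR_RE.sub("", body)):
        reasons = check_url(href)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message (not one of the quiz emails): two odd links and one legitimate one.
SAMPLE = """
<p>Your statement is ready: <a href="http://examplebank-online.com/login">https://www.examplebank.com/</a></p>
<p>Or confirm your account at http://192.0.2.10/secure</p>
<p>Legitimate: <a href="https://www.examplebank.com/statements">View statement</a></p>
"""

if __name__ == "__main__":
    for link, why in scan_email(SAMPLE).items():
        print(link)
        for r in why:
            print("  -", r)
```

Running it on the sample reports the `examplebank-online.com` link (untrusted domain, borrowed brand, and text/href mismatch) and the raw-IP link, and stays silent on the genuine `www.examplebank.com` link. The rules are deliberately stupid and cheap, which is the point of a shortcut: they fire before the reader has a chance to be drawn into the story the message tells.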

Anyone out there brave enough to admit they have fallen for a scam?  What were the telltale signs, now obvious, that you didn’t pick up on?  Do you have any personal “shortcuts” that you use when evaluating emails, phone calls or other requests for your personal information?

If you are a system administrator I implore you to create a similar test for your users and report back with the results!


Comments 4

  1. james wrote:

    I consider myself technical, but answered #5 as phishing (while supposedly legitimate) and the others correctly.

    My reasons:

    never had heard of “bank of choice” which seems like a phishy name,

    the from header seemed bizarre (CSIeSafe – a name unrelated to the bank name instead of a viewable email address),

    the addition of online to the name of the bank in the url,

    the improper grammar (“if your statement recently generated” instead of “if your statement was recently generated” statements don’t generate anything),

    and no information about unsubscribing, FDIC, or whether you had recently contact them about your account activity.

    I could easily envision a scam, where you are informed of bank activity on an account you have never heard of. You then contact the phishers about this bank activity and give the phishers private information to verify your identity to cancel this fake account.

    Posted 02 Jun 2010 at 3:45 pm
  2. Zach Peters wrote:

    James, you bring up a really good point. Where do you draw the line between precaution and paranoia?

    Posted 02 Jun 2010 at 4:01 pm
  3. Rick wrote:

    Zach, thanks for covering the quiz. Since our quiz is just educational, we do not collect user information and cannot tell who is technical or not.

    We do occasionally release summary data on the Phishing Quiz. My recollection from the last report was that only 10% of the users achieve a perfect score. Given that our audience is mostly technical, I am pretty sure there are some technical folks in the 90%. As James points out, false positives are common.

    Posted 21 Jun 2010 at 3:01 pm
  4. Toby Galino wrote:

    Oops I admit to missing one. Not good considering my affiliation with VeriSign.
    I read an article recently that suggested that phishing attacks are down quite a bit, probably because consumers are getting keener about watching where they are when they’re online. More sites are using extended validation SSL than ever before, which is a great way to put security front and center as you’ve suggested (the green URL bar and more secure padlock has been connected to fewer abandoned carts). The quicker this stuff gets implemented across the board, the better —
    Here is another “phish or no phish” quiz
    https://www.phish-no-phish.com/default.aspx
    which will challenge your knowledge of legitimate websites

    Posted 22 Jun 2010 at 3:29 pm
