I still can't decide whether or not it's a good thing that I scored 100% on that test without spending more than 2-3 seconds on each example.

HTML mail is the devil.
posted by ibidem at 12:39 AM on February 9, 2005

I got 80%, but both my wrong answers were on the side of caution. I listed two of them as frauds because the domain names shown at the bottom were off kilter. It was difficult with those as they didn't directly ask for information from the email, but it's entirely possible that the links to the site take you to a fake login page.

I usually end going to the site in question by typing in their URL by hand just to make sure.
posted by Swervo at 12:52 AM on February 9, 2005

I got 80% on the side of caution, too. Some of them were very obvious. The Chase and CapitolOne ones (which I incorrectly thought were phishing) should NOT have a link in there to login to your account -- very, very poor security policy on their part.
posted by neckro23 at 1:12 AM on February 9, 2005

Ooh, why do Bank of America emails always look dodgy?
posted by NinjaPirate at 1:42 AM on February 9, 2005

neckro23 - Why is including a link to your login page a poor security idea?

[honest question]
posted by NinjaPirate at 1:45 AM on February 9, 2005

NinjaPirate: Because you have no way of knowing where you might end up by clicking on that link. How do you know it's not a fake site designed to extract passwords?

The only safe way to visit important web sites like your bank, ebay or paypal is to type the address into the location bar, or select it from your bookmarks. NEVER click on a link.

I also got 8/10, for exactly the same reasons as neckro.
posted by salmacis at 2:15 AM on February 9, 2005

salmacis - that's exactly what I don't understand. All companies, from Amazon and eBay to the provincial companies I work with use "check your account now" links. It's a link to a web page.

If you set up a scam site with 2 pages - home and login - and you direct people in an email to the home page with the instruction "...then click on the big 'My Account' button to log in" you have exactly the same situation. You're herding people to your scam which may or may not convince them to enter their personal details.
It's not a security failure of sites to have a "My Account" link on the front page, is it?

I'm still 'fused.
posted by NinjaPirate at 2:37 AM on February 9, 2005

OK, so Paypal send you an email which contains a links to Paypal's login web page. How do you distinguish that from my bogus email which directs you to a fake Paypal site?

Now, I picked an easy one to spot: paypall.com. It's easier to make a mistake with the Unicode bug described yesterday. Or paypal-verification.com, or paypal.verification.com.
posted by salmacis at 2:55 AM on February 9, 2005

What salmacis said. It's not a bad thing, per se, for there to be links in companies' legitimate emails. However, this encourages very risky behavior in end users, as there's no way to tell (short of digital signatures, which companies almost never use, and most users don't even know about) whether the email in question is legitimate. And if the email is illegitimate, there's always a possibility that it's a scam link that would pass all but the most careful examination. It's simply not worth the risk.
posted by neckro23 at 3:04 AM on February 9, 2005

neckro23: However, this encourages very risky behavior in end users ...

While that's true, many (most?) companies are willing to sacrifice a bit of security in favor of "usability." They could say in the Email, "Go to our homepage and login to access your account," but in the age of rich-text/web-based/HTML Email when companies and friends pass URLs around like candy, people are going to wonder why they didn't just get a link to click instead of being told to type it out or find the site in their bookmarks.

People are inherently lazy and companies will often do whatever they can do to make it easier for you to do business with them.
posted by ibidem at 3:53 AM on February 9, 2005

I got 100% on this one.

Amazingly enough, I haven't gotten any of these yet. I do get a Smith Barney phish email at least once a week. Go figure.
posted by SisterHavana at 6:15 AM on February 9, 2005

I got 90% because I said the Chase one was a fraud. My reasoning being what moron would click on a big button in an email that says TRANSFER FUNDS NOW?? I would never ever move money around by just clicking on a button in some email I got, regardless of how legitimate the email looked. And I thought it was a fraud because I assumed Chase would have the same reasoning. I think it's kind of scary that Chase would allow their customers this option.
posted by spicynuts at 6:31 AM on February 9, 2005

Scams abound in the snail-mail universe, too. MY father damn near got took for $2500 through the Canadian Lottery scam with a twist - he was to wire me $2500, give THEM the confirmation number, and then the next day a Brinks truck would show up with $100k.

Oh, he checked it out - with a pendulum. (My father's a great guy, but never recovered from the psychic wars of the '60s and '70s.) He does that with all the scam mail he gets. Some the pendulum says no on, and he trashes them. Some are 'okay', and he'll send $5 or $10, on the off chance he'll get something back. What he gets is more mail. 20-30 pieces a DAY. He calls it cheap entertainment. We call it a damn headache.

But he was sure this guy was legit - the guy called, said he was from the Canadian lottery, gave a good pitch that pushed all the buttons for my father - and he was going to suprise us all with the money showing up the next day. All he had to do was send me a wire transfer for $2500, and give the guy on the phone the confirmation number - and the next day at 5 Brinks would show up and unload!

It took the police, the BBB, AND a call to Brinks to dissuade him of the idea. That was one damn nerve-wracking afternoon.

Thankfully, he's not on-line. I could just see him falling for the Nigerian scam and losing EVERYTHING. There should be a special place in hell reserved for scammers who prey on seniors.

JB
posted by JB71 at 7:47 AM on February 9, 2005

I got a 90%... thought the PayPal one was legit. Never used it and don't buy or sell anything on the 'net... but I wouldn't donate through the innernets anyway... Already gave at the organizations in my 'hood.
posted by Debaser626 at 9:06 AM on February 9, 2005

8/10 for me, but at least in both cases it was false positives. Why oh why would a bank direct links to anywhere other than its own domain?
Here in Ann Arbor, we have local scams- about every other week I get mailed some for TCF bank, which has a large local presence. They get bulkmailed to umich.edu addresses, including mailing lists, so it's not uncommon to get 5 or 6 such messages in a row during a flareup. Luckily the university supplies a wonderful filter which is updated very frequently, so most of this crap doesn't get to my inbox.
posted by monocyte at 9:07 AM on February 9, 2005

100% right here, baby. But I despair for more "normal" people (not internet freaks like us, in other words). I find the "suckers list" a little puzzling though; if you respond to a scammer, how is it in his best interest to share your address with other scammers? Why wouldn't he prefer to keep it to himself for future use, as opposed to letting everybody else tip over the honeypot?
posted by taz at 9:33 AM on February 9, 2005

then you could end up being deluged
I'm not sure what's worse... being deluded or being deluged.

what moron would click on a big button in an email that says TRANSFER FUNDS NOW??
Actually Chase is pretty stupid to send out this kind of thing. They are desensitizing their customers to a real risk by sending out legit e-mails that smell like a phish.
posted by missbossy at 10:19 AM on February 9, 2005

I went to the cited scambusters page (on tsunami relief), and from there to the scambusters home page. The google ads there (left side) were:

* "Free eBay Success Kit - How I Earn $277,000 a year on eBay";

* "Nigerian - Great deals on new and used items. Search for nigerian now! - aff - www.ebay.com;

* "Nigerians Connecting";

* "Nigeria Dating"; and

* "Play an Urban Legend - Ocho Vampiros - Forkloric Card Game.


I wanted to see if they had anything about St. Matthew's Churches , a scam [we'll pray for you to get money and other blessings; just send us money to help us with this mission] operating in Tulsa that reportedly sends out a million letters a month, looking for gullible folks. [Nope, nothing on the scambusters website.]
posted by WestCoaster at 10:35 AM on February 9, 2005