Back to previous post: Common fraud

Go to Making Light's front page.

Forward to next post: Request for feedback

Subscribe (via RSS) to this post's comment thread. (What does this mean? Here's a quick introduction.)

December 4, 2004

Identifying phish
Posted by Teresa at 08:40 AM * 67 comments

Found via Pericat’s Unlocking the Air: the MailFrontier Phishing IQ Test II. This is good stuff. It tests your ability to distinguish legitimate business email—“the credit card number you have on file with us is about to expire, please update your account,” that sort of thing—from lookalike phishing scams.

(Backstory: Phishing scams are emails that appear to come from a trusted source—usually a real company that does business online—which try to trick you into giving out passwords, account names, email addresses, and personal financial information. In their commonest form, phishmail tells you that for some reason or another, the company they’re impersonating needs to have you update or verify your account information. If you follow the links in the letter, you’ll arrive at a mockup webpage for that company, where you’ll be asked to type in your personal information, codes, etc. Needless to say, this info will be used for nefarious purposes.)

The test has a couple of particularly good features. One is that it uses real business emails and real phish from MailFrontier’s collection. The other is that the answers page not only tells you how you scored on each question, but has a little “Why?” link that takes you to back to that letter and shows you where the clues were. It’s very instructive. I scored 10 out of 10 on the test, but I still picked up a couple of valuable pointers from their explanations.

If you want to test yourself further, MailFrontier’s first phishing IQ test is still up and running, though its punctuation has gotten a little wonky. The earlier version of the test doesn’t have the explanatory links on its answers page, but it does hit you with some impressively slick phishmails. They also have a couple of helpful articles (which would be even more helpful if they weren’t .pdf files): Ten Tips for Finding a Phish, and an up-to-date general article on Email Fraud.

Comments on Identifying phish:
#1 ::: Michael Weholt ::: (view all by) ::: December 04, 2004, 10:36 AM:

These things are so scary. I'm really cautious about anything that even slightly smells of rotten phish. I took the test and got one wrong, erring on the side of caution (i.e., I called one phish that was legitimate). However, in the explanation on that particular one, they advise caution because of blah, blah reason, which was precisely the reason I called it phish.

Still, I'm just waiting to make a mistake on one of these things. Like, going to one of these "test your knowledge of phish" sites and ending up with my pants down around my ankles. No, just kidding.

Though I do dread a call from one or two family members telling me that their checking account has been mysteriously drained.

#2 ::: xeger ::: (view all by) ::: December 04, 2004, 11:00 AM:

My criteria are pretty simple (and although they resulted in a 7/10 score, the 3 I missed, I identified as dubious, which is an acceptible failure - I'd rather be too cautious in this case).

1) No email should ever ask me to email back personal information.

2) No "click on this URL to [subscribe|update|blah]" link should ever be followed. Go to the website of the provider directly.

Those two rules take care of a pretty broad range of fish - and going directly to your providers website tends to handle the rest.

#3 ::: Bill Blum ::: (view all by) ::: December 04, 2004, 11:04 AM:

My stepmother fell victim to one of these scams earlier this year.... the aftermath has been impressive, to say the least.

Had to put fraud alerts on her account at the three major credit bureaus, and deal with the 21 accounts that got opened in her name--- along with the one enterprising soul that managed to get about $20k from her home-equity line of credit before we stopped them.

To this day, she still thinks it was a Reasonable Thing to get asked to provide SSN and driver's license information in response to an email.

#4 ::: Michael Weholt ::: (view all by) ::: December 04, 2004, 11:20 AM:

Oh, gawd, Bill... my worst nightmare...

And the degree of denial in my family might be even worse than in yours. I can think of one or two who would rather move into a refrigerator box than tell anybody they lost that amount of money.

#5 ::: Dan Blum ::: (view all by) ::: December 04, 2004, 11:20 AM:

I got the same result as Michael, I think. I don't usually think about this too hard because all my e-mail of this nature comes to my Panix shell account - when reading e-mail in plain text format, it's dead easy to spot bogus URLs.

#6 ::: Tom Whitmore ::: (view all by) ::: December 04, 2004, 11:22 AM:

The test left out one of my methods of watching for phish, but I still got 10 of 10 -- look carefully at where links lead to. If it routes by domain number rather than domain name, it's almost undoubtedly illegitimate.

The simple grammar/typo test eliminated almost all the phish for me (if there's a grammatical or typographic solecism, it's phish until proven otherwise --and it's never proven otherwise in my experience).

#7 ::: Stefan Jones ::: (view all by) ::: December 04, 2004, 11:51 AM:

Both eBay and PayPal (well, they're part of the same family now) have very efficient spoof mail processing departments:

Coincidentally, I sent a dubious ebay mail to not more than half an hour ago. I got back a reply (it was a spoof) within five minutes.

#8 ::: Graydon ::: (view all by) ::: December 04, 2004, 12:00 PM:

Nine out of ten, with the error being a false positive for phish.

I'm the sort of person who stopped using online retailers when they started asking for the credit card confirmation number, who uses a character cell MUA, and whose financial institution is small, obscure, and very stuffy, so I don't worry about this much.

#9 ::: Bob Oldendorf ::: (view all by) ::: December 04, 2004, 12:27 PM:

Me, too: nine out of ten, also erring on the side of caution. So thanks for the link.

If they weren't so evil, some of the phishing I've received has been so silly that they could almost be viewed as charmingly child-like. The examples at the phishing IQ test were much more serious.

I received one yesterday that began:

"Deary Earthlink services customer,

This is an automated e-mail notification sent to your registered email-address.
Please do not reply to it as it will not reach the just department."

I've wondered who would fall for something like that, but seeing the examples of phishing done right makes it much scarier.

#10 ::: Jules ::: (view all by) ::: December 04, 2004, 12:27 PM:

Well, I got 2 false positives (Bank of America and Capital One) because both of them looked like faked URLs to me. The content can be as good as they like, but they have to drive you to _their_ site, which is the only real way of spotting them.

That said, I think the explanation of the Washington Mutual phishing mail missed a trick that should have been noted: it contains information that your card issuer would not have. Seriously, do you think retailers really tell them what you're paying for when you put a transaction on your card? Obviously the phishers in this case don't know enough about how the banking system works to make up a convincing story. Think about the information you're given, and how the company the e-mail claims to be from would get it, if it were true.

#11 ::: Michael Weholt ::: (view all by) ::: December 04, 2004, 12:35 PM:

Well, it's probably too late now... :)

... but if you want to "take the test" without your results being tainted by anything anyone says in here, you should probably do it before you read any more of the comments in here. In short, this is probably a SPOILER ALERT.

For those of us who got that "9 out of 10" result, I'll betcha it was all on the same one. I'll mention mine after a while longer... just to let a little more screen space get used up before I give mine away.

#12 ::: Lisa Spangenberg ::: (view all by) ::: December 04, 2004, 12:59 PM:

One of the reasons I use Eudora, or terminal based email clients, is that I want to see the real text of the email; I want all the headers, and I want to see the html and embedded scripts.

I notice that the latest version of Eudora includes "tool tips" style warnings of possible Phishing expeditions based on the criteria used in the "IQ Test"; matching URLS, IP numbers, etc.

#13 ::: Mike Booth ::: (view all by) ::: December 04, 2004, 01:05 PM:

This test is great: it demonstrates that the line between legitimate corporate email and phish is so fuzzy that you can never be sure.

I refuse to click on any emailed link from a company. I disable HTML email and all emailed graphics to make those links less tempting.

I wish I could configure Thunderbird (the open-source email client) so that only emails from trusted sources (say, the folks in your Address Book) could contain clickable links, and clicking on any other emailed link would bring up a Phish Warning Box. (Not that clicking on links from your friends is 100% safe, given that email can be spoofed and viruses can hijack your friends' machines. But it would be a big help.)

I also like the idea of those Eudora tooltips that Lisa mentions.

#14 ::: lightning ::: (view all by) ::: December 04, 2004, 01:06 PM:

Well, I missed two; one each false positive and false negative. Unfortunately, I couldn't use my main means of detecting phish -- looking at the link URLs. Those in phish tend to be obviously bogus.

That said, I'd say they were all phish:

1. I don't have accounts with any of these organizations (duh!)

2. None of them are digitally signed.

Digital signature software is built in to all e-mail programs that I know of that are even remotely up to date. If a message is signed by the organization that's supposedly sending it, you can be pretty darn sure it's legit.

If you want to send your own signed/encrypted e-mail, Thawte will give you a free personal e-mail certificate to play with. Setting up to use it is a bit tedious but not particularly difficult.

I've been beating my gums on this subject for over ten years. Fat lot of good it's done.

#15 ::: Dave Bell ::: (view all by) ::: December 04, 2004, 01:08 PM:

8 out of 10...

Both the errors being, in part, because the style of your US email use is so different from that in the UK. But one of them was that "real but suspicious" already mentioned, and I noticed that even the genuine emails don't bother with addressing the customer by name.

#16 ::: Teresa Nielsen Hayden ::: (view all by) ::: December 04, 2004, 01:09 PM:

Thomas, I got 10/10 on both tests, and I'd never spot the domain name/domain number thing. I did it all by ear plus a little how-things-work logic.

Jules, the Washington Mutual phishmail had a bad case of TMI, but subtler TMI turns up in a lot of the more sophisticated phish. This may turn into a theory. I need to think about it some more.

#17 ::: David Dyer-Bennet ::: (view all by) ::: December 04, 2004, 01:20 PM:

The way they present the test deprives me of most of the clues I use to decide how to deal with a possibly-spoof email, so I didn't complete it.

The main one is that I look at URLs (and not as presented by a browser; since I don't use anything that renders HTML email, I look at the URLs in the original href= attribute) before I go to them, and you can't see the URLs in these samples.

Since that's IMHO the primary line of protection against phishing stuff, seems like a dumb way to present a phishing awareness test.

#18 ::: xeger ::: (view all by) ::: December 04, 2004, 01:35 PM:

Tom posits:

... look carefully at where links lead to. If it routes by domain number rather than domain name, it's almost undoubtedly illegitimate.

Actually that's safer to generalize as "check the domain name carefully" - there's a lot of 'near miss' names out there -

All fun :)

#19 ::: Dan Blum ::: (view all by) ::: December 04, 2004, 01:41 PM:
The main one is that I look at URLs (and not as presented by a browser; since I don't use anything that renders HTML email, I look at the URLs in the original href= attribute) before I go to them, and you can't see the URLs in these samples.

Actually, you can - the actual URLs are shown in the browser status line (I think it was) in the test. Admittedly this is easy to miss.

#20 ::: Chad Orzel ::: (view all by) ::: December 04, 2004, 01:43 PM:

In a similar vein, I was sent a link to a spot-the-spam survey, meant to test spam filtering ability:

It's not a fun quiz with scores and answers, just a survey by somebody who's working on anti-spam measures. It might be of interest to people here, though.

#21 ::: Avram ::: (view all by) ::: December 04, 2004, 02:04 PM:

That's interesting. I got 7 out of 10, with the three errors all being excess of paranoia (mistaking legitimate email for phish). In each of those three cases, the visual artist in me said Looks legitimate, and was overridden by my inner computer geek, who is more paranoid. But the artist was right.

#22 ::: sdn ::: (view all by) ::: December 04, 2004, 02:20 PM:

i don't ever answer phishing emails -- 99% are obvious scams (i.e., i have no bank account at WaMu) and the other 1% are easily dealt with by checking the referrer link's dropdown.

i figure if there's *really* a problem with my account i'll find out soon enough.

#23 ::: Michael Weholt ::: (view all by) ::: December 04, 2004, 02:25 PM:

OK, the one I "false positived" was #9, but now that I look at it, I am for some reason less confident that my fellow "9 out of 10ers" got the same one wrong.

#24 ::: Aquila ::: (view all by) ::: December 04, 2004, 02:28 PM:

I also got 8 out of 10, with Bank of America and Capital One being false positives.

Mind you I thought I'd been phished by phone earlier this year. Someone rang up and said "we see your AA membership hasn't been updated". I blithely gave them my creit card details over the phone, then realised I hadn't asked for any identifying details after I'd hung up, and panicked. Luckily it turned out to be legit, my membership had been updated and no strange goings on occured with my card. And when I locked my keys in the car a week later I was glad. But I felt very foolish for a while.

Another information literacy test:

#25 ::: Larry Brennan ::: (view all by) ::: December 04, 2004, 02:32 PM:

I think I'm a member of the 9 out of 10 club, too.

I've given up on sending phishing emails back to the spoofed institutions, though. They simply don't seem to care. (I'm talking about you, Bank of America and Chase.)

It's the wild, wild west out there, isn't it, and the undertakers got the slowpokes all measured for their financial coffins. On the brighter side, the upcoming hyperinflation and banking collapse should make it all moot anyway. :-(

#26 ::: Larry Brennan ::: (view all by) ::: December 04, 2004, 02:39 PM:

Michael - Yeah, #9 was the one that was inconclusive. There were phishing indicators, but the content seemed legit.

Teresa - once again, you've acronymed me into insensibility. What does TMI stand for?

(And I pre-apologize for having verbed "acronym". I'm sure the vocabulary gods will be lenient in my punishment.)

#27 ::: Andrew Gray ::: (view all by) ::: December 04, 2004, 02:44 PM:

Teresa: At a guess, the most likely "demographic" to respond to one of these mails is the person who opens it, thinks "damn, that must be a mistake/problem/&c" and responds without stopping to think through "So why *would* my bank want to email me? They never did before. And did I ever give them this address?"

So... if you're writing a phish, you want to increase the chance that someone will react quickly to it - the a-charge-to-your-account trick is all the more effective when it says "you spent $300 on an iPod" rather than "you spent $300", since the reader knows they didn't buy an iPod, and don't have to think about it. So, they click straight through and Sort It Out. If they stop to think about it, there's much more chance they'll twig there's something wrong.

I'm not sure if that completely explains the TMI thing, but I suspect it goes some way towards it - every detail the reader "knows" is wrong and needs to be corrected by giving their details and stopping the charge is something that distracts them from the fact that their bank never emailed them when they bought plane tickets last month...

#28 ::: Jill Smith ::: (view all by) ::: December 04, 2004, 02:48 PM:

9 out of 10, with a false positive on #9 as well.

Most phish comes to my "" account which I don't use for any commerce at all - between that and the "I don't have an account at Citi/Chase/WaMu/etc.," phenomenon, phish has been pretty easy to spot so far...

#29 ::: Kylee Peterson ::: (view all by) ::: December 04, 2004, 03:04 PM:

I'm with the others who want to see all the headers and read the mail as plain text. That's the easiest way -- well, no, the easiest way is to know whether the person receiving the mail has that sort of account at all, but it's very easy.

Eight of ten isn't too bad, though, and I only missed through being over-cautious. I do have an awful lot of family members who need to try this. Thanks.

#30 ::: JoshD ::: (view all by) ::: December 04, 2004, 04:19 PM:

Another here with 8 out of ten, erring on the side of paranoia.

I just this morning got a phishing email from ebay on gmail (which I use as my webform address, and not for commerce at all, thus making things easier, like Jill Smith).

I hadn't noticed before, but gmail has a good "report phishing" button and a warning at the top of the screen that says: "this email may not be from who it claims to be!" Likely because they logic-checked the headers, which (viewing source) were definitely bogus. Sufficiently advanced technology == magic...

#31 ::: Reimer Behrends ::: (view all by) ::: December 04, 2004, 04:20 PM:

Michael, I'd actually argue that the reason that gives to trust #9 is not valid; the last four or five digits of credit card numbers and such are too often sent through insecure channels to then be trusted as a means of authentication; in the case of #9, it is the only means of authentication, with the actual URL of the link being a strong counter-indicator. Thus, I'd say that is giving bad advice.

Unfortunately, sometimes even reputable companies use URLs that look fishy, but are legitimate. For example, the first time I encountered an online merchant that was using "Verified by VISA", I was sent to a URL that smelled like something straight out of a phishing scam (apparently due to VISA outsourcing the verification to individual financial institutions that sometimes use generic third-party domain names for hosting). And then I was asked for my SSN and some other personal information to verify that it was me (date of birth and last four digits of my home phone number, I think). My immediate reaction was, "yeah, right", but after clicking through from I ended up at the exact same address. Scary.

#32 ::: pericat ::: (view all by) ::: December 04, 2004, 04:21 PM:

I highlighted that test primarily for my mom's sake; phishing is becoming more sophisticated in its use of graphics, and she uses an email client that interprets and displays all the bells and whistles by default.

Arin's whosis tool, if anyone wants a bookmark. Don't forget that trick with the '@' symbol. That's a nasty little exploit.

#33 ::: Teresa Nielsen Hayden ::: (view all by) ::: December 04, 2004, 04:25 PM:

Why I figured #9 was legit:

The language all sounded right: clear, clean, amiable, and slightly abstract and impersonal. You wouldn't notice it unless you were paying attention, but that stuff is hard to write, and harder to perfect.

The page has sales, marketing, and promotion agenda-pushing all over it. It was written by person-or-persons who're familiar with CapitalOne's marketing concerns, and were mindful of all of them when they wrote that copy.

They gave the last four digits of the user's account number. That's appropriate for a bank that has the complete number but doesn't want to send the whole thing to what might be the wrong person. A crook would be likelier to either have the whole number, or nothing at all. It's possible for a bad guy to just have the last four digits, but unless they had the last four digits on a lot of account numbers, I think that having that knowledge would alter their tone.

They encourage customers to go to the regular CapitalOne website.

So much effort is given to specifying exactly when and how payments will post, and there's a very carefully worded notice warning users that the site's not guaranteed to always be up. Those bits were written by people who anticipate the problems that are going to arise when customers can't get through to post a payment in time for the 3:00 cutoff. They're thinking like bankers.

The Bank of America letter was much the same. It didn't have four digits of the account number, but it did have a link to an Equal Housing Lender page. That would be a natural thing for the real Bank of America to include, but a risky and labor-intensive piece of verisimilitude for a scammer to have to fake up.

#34 ::: Teresa Nielsen Hayden ::: (view all by) ::: December 04, 2004, 04:31 PM:

If you want to check out the one that came closest to stumping me, look at #6 (Earthlink) on the original test.

#35 ::: Daniel Martin ::: (view all by) ::: December 04, 2004, 05:17 PM:

Note that the @ sign trick won't work with vaguely up-to-date versions of internet explorer. At one point, Microsoft decided that there was too much abuse of this feature to continue with it. (it wasn't part of the HTTP URL spec anyway) There was much hue and cry from nerds all over about throwing the baby out with the bathwater, but I think that the call they made this time was the right one.

I'll have to check again, but I seem to remember seeing (in a phishing scam a bit ago) that there's an interesting trick one can still play with Microsoft html-reading products and client-side image maps such that even with all javascript disabled, clicking on a link sends you to a site that is different from the url shown in the address bar when you hover over the link. I should dig that up and document it.

#36 ::: Michael Weholt ::: (view all by) ::: December 04, 2004, 05:27 PM:

"Number 9, number 9, number 9..."

The four final digits of the supposed card number tempted me. If it had been a real email addressed to me, and I recognized the final four numbers, I might have been just tempted enough. But, in fact, that's what made me shy away... the fact that I might just be tempted enough. That, and this too: I own a number of credit cards. I happen to know all their numbers (or, their last 4 digits anyway), so I would have recognized a bogus 4 digit combination. However, there are others who have a number of cards who I propose don't pay that much attention to their last 4 digits. I could see a phisher taking a stab at those people, thinking that a number of people would know the 4 digits were bogus, but that a respectable number of people wouldn't recognize them as bogus. Under those circumstances, the 4 digits being there is more of a danger sign than not, in my view.

Other things that bugged me enough to make me bail on it... in combination, mostly... the fact that there were two "log in" links (no reason... it just bugged me), in spite of the perfectly understandable nature of the warning that "this site may be unavailable during normal weekly maintenance...", that in combination with the mentioning of the banking hours -- it bugged me (no reason, it just bugged me), the URL at the bottom-left bugged me.

So, in effect, I really have no good reason to have bailed except, possibly, in my view, the 4 digits. It was more a matter of a bad gut feeling that I then went with. Which, considering what could go wrong, is OK with me. I'm happy to go with a gut feeling that errs on the side of caution.

#37 ::: Bill Blum ::: (view all by) ::: December 04, 2004, 06:09 PM:


Yeah, we'll just say that many people in my family aren't the brightest ones around...

Between my stepmother and phishing, my in-laws and spyware, and co-workers asking for General Technical Support because their own families won't help them anymore.....

I just want to go into a cave.... but only if I can take a laptop, and if the laptop is in range of a wireless hub.

#38 ::: John Stevens ::: (view all by) ::: December 04, 2004, 06:38 PM:


Delurking at long last - I've been reading with pleasure for some time, but haven't yet felt I had something to contribute.

It was the 4 digits from "Capital One" which convinced me it was phish. If you send enough of these e-mails out, with the same number in each case, you're going to get lucky and match the recipient's number.

Now, if they were to include an answer to one of the security questions my bank uses to check identity, I'd be more likely to thin they weren't just hoping to get lucky.

#39 ::: David Goldfarb ::: (view all by) ::: December 04, 2004, 06:52 PM:

As many here, I got 9/10, with a false positive on Capitol One. I had no problem with Earthlink, since I get my DSL from Earthlink and it looked just like plenty of mail I have really gotten from them.

The style and content on the Capitol One message seemed legitimate to me, for the reasons that Teresa has described. But I didn't like the URL being "", and the bit about the site sometimes being unavailable also seemed suspicious -- it looked like a cover for "when we've phished enough we'll close down". I did say to myself when I marked it phish, "Damn, that one was slick."

#40 ::: Dave Bell ::: (view all by) ::: December 04, 2004, 07:05 PM:

One of my false positives was down to the style of advertising language. We have different banking laws in the UK, and while it maybe does't specify every detail of what an advert can say, the effects seep through into the phrasing of adverts. For instance. we don't get vague claims about interest rates.

The site is dealing with stuff that slips through the obvious checks -- do I have an account with this outfit, was it sent to a correct email address -- but it maybe should have made people more aware of those checks.

And I wonder what the underlying HTML looked like...

#41 ::: Patrick Nielsen Hayden ::: (view all by) ::: December 04, 2004, 08:00 PM:

Larry, TMI stands for Too Much Information.

#42 ::: Teresa Nielsen Hayden ::: (view all by) ::: December 04, 2004, 09:33 PM:

Someday I'm going to get nailed, playing it by ear, because a scammer will simply copy the text and layout of a legitimate email.

#43 ::: Yoon Ha Lee ::: (view all by) ::: December 04, 2004, 09:37 PM:

I am paranoid about these things, and also scored 9/10. Am I the only one who missed #10? *squirm*

On the other hand, I would rather be erring on the side of paranoia.

#44 ::: BethN ::: (view all by) ::: December 04, 2004, 10:02 PM:

2 false phishes here (BoA and Capital One). Beter safe than sorry, says I.

Coincidentally, my bank has recently posted a Consumer Alert about phishing on their website, which includes this useful tip: To verify the true URL of a website, cut and paste the following text into your Browser Address Bar:

javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname +"/");

A small pop-up will display the true web address of the page you're viewing.

#45 ::: JoshD ::: (view all by) ::: December 05, 2004, 12:03 AM:

BethN: Thanks for that. I copied the text and pasted it into the "URL" field of a bookmark to create a bookmarklet that does the lookup with a click in the toolbar of my browser. Yay.

I don't think Making Light's comment section would let me post the link as a bookmarklet if I tried, though.

#46 ::: Jules ::: (view all by) ::: December 05, 2004, 04:45 AM:

Regarding having the last 4 digits of your card number, I wonder how many people would realise just how little this would mean if it were the _first_ 4 digits instead?

One to watch out for, that. Anyone giving you the first 4 digits of your credit card number are almost certainly just guessing them.

#47 ::: Jules ::: (view all by) ::: December 05, 2004, 04:46 AM:


I didn't get enough sleep last night.

#48 ::: NelC ::: (view all by) ::: December 05, 2004, 09:51 AM:

I got #9 wrong, but when I opened the quiz page I was enormously tempted just to label them all as phishes, which is how I tend to treat all email of this type, anyhow. If it smells even slightly phishy, I bin it.

When the whole phishing thing was starting out I replied to one, thinking it legitimate because of the coincidental timing, but not giving them the information they asked for. Listening to Captain Paranoia paid off for once, but when I read an article about phishing a few weeks later and I realised how close I'd come to being taken in, I sure felt the shivers run up and down my wallet.

#49 ::: CHip ::: (view all by) ::: December 05, 2004, 10:41 AM:

Yoon Ha Lee: I also mismarked #10, but I can't say how the judgment weighed among not knowing the system, not liking the tone, and having my paranoia level increased by the test.

I also "missed" Washington Mutual (#4) by refusing to mark it. I'm very strong on "corroborative detail intended to give artistic verisimilitude to an otherwise bald and unconvincing narrative" (and annoyed/ashamed that I had to look that up to get it exactly right), enough that I can forget the loose use of "artistic" in the quote and the nature of the story that it's referring to. I figured that the point of the test was to have enough "legitimate" mails to make the phish harder to find, and I've looked at enough bills that the heap of information looked reasonable -- until Teresa said TMI and I realized that a hold or even an advance payment probably would not have the \dates/ of the stay.

And I was ... interested ... to note that \every/ \one/ of the explanations, including for the legit emails, said to go to the known main page and work your way in from there. The problem with that approach is that it assumes that the web site is designed in a way that works with the specific shapes of every customer's mind; I've had enough frustrating experiences as a customer, and enough go-arounds with the bits of GUI I've worked on, to find that less than entirely helpful.

It's definitely a discomfiting test; as a programmer I've found hunches rarely get me where I want to go, but as a musician I've developed an "ear" that I can rationally explain only isolated pieces of -- and here I was relying as much on the feel of the items as on anything I could quantify. In the real world I haven't been burned but had heard enough about phishing by the time I got my first piece that I've tossed everything I've gotten. Yes, I'm a paranoid curmudgeon sometimes (learning that people would con other people not even for gain but simply for sport was a youthful lessons I took a long time to learn); it helps that I haven't gotten as involved in the online world as the boosters of the dot-com bubble assumed we all would.

A comment on the Amazon item (which particularly caught my attention; there were probably others similar). I didn't know about the precise meaning of the intermediate '@', although seeing it roused my suspicions. But more important is that I've never seen an online seller who wouldn't happily take all my credit information in the course of making a sale -- so even if I were more trusting and this looked less illegitimate I would have dumped it.

#50 ::: Charlie Stross ::: (view all by) ::: December 05, 2004, 01:39 PM:

I got four wrong. Three of those were legit emails that I flagged as phish (i.e. false positives) -- the one that worries me is that one of the pieces of phish looked legit to me. On the other hand, in real life I refuse to deal with banks by email: so I'd be okay if this was a real-life situation rather than a test.

My rule of thumb is that false positives for phish are not a problem -- at worst, they're a trivial inconvenience. False negatives are a problem.

#51 ::: Tom Whitmore ::: (view all by) ::: December 05, 2004, 04:24 PM:


The first four numbers of your credit card specify (a) the type of card (Visa is 4, Mastercard is 5, AmEx is 3, for example) and (b) the issuing bank (old Bank of America Visas all began with 4138, for example). So if they're sending out a phish based on a specific bank, they're _much_ more likely to hit positives if they do a little work than they are on the last 4 digits, which are much more random. I know this from paying only slight attention while working retail for many years....

#52 ::: Charlie Stross ::: (view all by) ::: December 05, 2004, 04:56 PM:

Another point of note: the final digit in any credit card number is a LUHN checksum (details here). While the first digit is the card type, the next three indicate the issuing bank, and the individual banks usually use the next four digit group to denote the type of card (often a given bank will issue different types of Visa card -- at least in the UK, where Visa cards are issued by banks: I know the card clearing system differs significantly in the US).

I don't think any of the banks are stupid enough to hash the customer's debit account number into their card number, but having dealt with the IT departments of several banks nothing would surprise me ...

#53 ::: Heresiarch ::: (view all by) ::: December 06, 2004, 02:21 AM:

Gmail has a built-in phish filter now. I just discovered it today, when I got something from PayPal (or so it claimed). If it matches the google criteria as a potential phish, it seems, then Gmail pops up a little "Warning: this might be phish!" above the email, with a link to a phish identification guide. Pretty spiffy, actually.

#54 ::: Leah Miller ::: (view all by) ::: December 06, 2004, 03:30 AM:

Two false positives here, one being the oft mistaken number 10. However, I seem to be the only person who false-positived number one. I did most of the list through a combination of intuition and logic, and looking back I realized I phished the first one because it was an offer I would decline anyway, and one that any bank would be unlikely to offer me legitimately (I spent my time after college living in a cash-intensive country where I paid every expense with cash/bank transfer/money order, so I have very little credit on record.)

#55 ::: Graydon ::: (view all by) ::: December 06, 2004, 05:41 AM:

Leah -

#1 was my false positive. Probably becuase I couldn't believe an actual bank would send html mail and *not* set the body text font.

#56 ::: Magenta ::: (view all by) ::: December 06, 2004, 10:25 AM:



How is this a information literacy test? It seems to be a lovely spoof page. All I had to do was check the real CNN site, and unfortunately, the headline was not true.

#57 ::: Yonmei ::: (view all by) ::: December 07, 2004, 08:34 AM:

Ironically - this comment is meant for the Feedback thread - I now can't view the Feedback thread at all (when I click on it, I get a nice white screen and nothing else) so I can't tell if my query about not always being able to view the comment threads has been answered. I stopped reading Making Light so often because being unable to read the comment threads was so frustrating: but the whited-out thread is a new problem.

Oh, and I can't read the Squick and Squee comment thread most of the time, either. As far as I can see (either in IE5 or IE6) I can't read a thread if it's presently active. I can read it once no one is posting to it, but by that time the discussion is over.

#58 ::: Jeremy Preacher ::: (view all by) ::: December 07, 2004, 01:58 PM:

I got #9 because I'm a Capital One customer, and I get that email every month - but the first time I got it, it sure did look suspicious to me.

#59 ::: Tina ::: (view all by) ::: December 07, 2004, 03:45 PM:

The test was not suited to my normal way of double-checking, which is to not only look at the URLs and the wording but the mail header info. So I didn't answer three of the questions because they would have been into header territory. (I got the other 7 right.)

But as a rule I just assume all links in email where it matters (meaning finances are on the line) are bogus and go straight to the site if I actually want to follow up for whatever reason, and that's what I tend to recommend to people.

#60 ::: Kevin Andrew Murphy ::: (view all by) ::: December 08, 2004, 02:45 AM:

Part of my method of identifying phish is to do an on-mouse-over of the links and see if the main one they want you to go to is something other than the real site. Couldn't do that with the test.

Moreover, I identified (they said falsely) a number of the letters as phish because I don't do business with those companies. If Washington Mutual or Chase contacts me about my account, they're either phishers or on serious drugs.

One of the other method of identifying phish that I have, which wasn't mentioned, is that I have two emails that I operate in tandem which tend to get on the same spammers lists. If I get the same slightly different letter to both of them, it's a quick bet that it's phish. Though this is mostly useful for identifying Nigerian 411 scams.

#61 ::: David Goldfarb ::: (view all by) ::: December 08, 2004, 05:04 AM:

419, actually.

#62 ::: John M. Ford ::: (view all by) ::: December 14, 2004, 05:19 PM:

Found this stuck in the spam filter:

[Cut 'n' pasted Washington Mutual logo]

Dear Wamu user,

As stated in the User Agreement, Section 41.1, we may send you this email.
After the multiple frauds registered lately, our company has initiated a study regarding this problem. In this study the company has reached the conclusion that most of the frauds were possible because of the low email service security level .
For a best deployment of our further activities (the frauds prevention) our company has decided to check your identity for fraud protection .
Hoping you have understood that we are doing all these for your own safety and for the good deployment of the relations between our company and its parteners we suggest you to acces the following form to verify your Wamu account:

[URL deleted for obvious reasons]

Thank you for your patience in this matter.

Regards, Wamu security (Security Department)
Washington Mutal, Inc. Web site

Thank you for using Washington Mutual!

I especially like the "Washington Mutal" part, and extra points for the creative use of the word "deployment."

Do I need to point out that I've never been a customer of the real company?

#63 ::: Jonathan Vos Post ::: (view all by) ::: December 14, 2004, 06:52 PM:

John M. Ford:

Hard to tell. The actual Washington Mutual did something to me last year that still causes chaos.

I enquired exactly what I needed to pay to be current on my home's mortgage, including alleged late fees and the like, as I was a month behind.

I was told, to the penny. I phoned again to confirm that amount with another customer service person. Same.

I went to the nearest branch, spoke with the Branch Assistant Manager, triple checked, and paid that amount exactly with two checks, one from my wife's checking account at WAMU and the difference from my account at another bank.

I received a receipt for the total. The Branch Assistant Manager assured me that they would deliver the two checks, plus deposit recipt, to the [regional?] "back office."

A couple of month later I started to receive Notices of Intent to Foreclose. Customer service insisted that I was 2 or 3 month behind, and denied that I was current.

I revisted the local branch. the Branch manager spent an hour and a half on the phone with some department Elsewhere, and I had an additional hour. Nobody Elsewhere could confirm that I'd made ANY payment on the date of the roughly double-payment. They refused to put this in writing, even when the Branch Manager asked.

Finally, as we worked up the chain of command, we got someone on the phone who said (I slightly paraphrase, notes not in front of me):

"That's strange. We show two deposits on the same day, but one wasn't posted for 3 months, and there is no indication of where if anywhere the second one went."

I memorialized this all in writing, in enormous detail, with praise for those who'd actually helped me. I demanded that they apologize, delete any spurious late fees, send a letter acknowledging that the Notice was null and void, and that they pay me interest on the vanished check.

They sent me a form letter asking for the cancelled check that they admitted losing, or depisitng and losing, or depositing to someone else.

I sent them a fax of my NCR copy of that check.

They asked again for what I'd faxed them

Then they sent the annual IRS form as to what Mortgage Interest I'd paid. It failed to reconcile with either their version or mine.

I demanded in writing that they refile with the IRS. I filed my tax return with the IRS and had to pay roughly $2,000 instead of getting a refund. I advised IRS and WAMU that I'd have to refile my taxes when WAMU refiled theirs, and that WAMU would have to be for the Tax Preparation, plus interest, plus any penalty.
WAMU has not replied, nor refunded anything, nor waived the spurious late fees.

I've been advised to sue them for, I forget the fancy Banking term, theft. But I've passed my lifetime quota for courtroom drama.

And now, this week, the California State Franchise Tax Board (who make the IRS look like friends by compasison) is threatening me over all of this.

So honestly, I have a VERY hard time distinguishing between Washington Mutual and someone phishing in their name. Not clear to me who's the bigger crook.

I hereby fully and completely indemnify Teresa for anything that happens from this posting. Also, the truth as backed by numerous Certified Letters is an absolute defense. We now return you to your regularly scheduled program.

#64 ::: Georgiana ::: (view all by) ::: June 21, 2005, 11:46 PM:

Teresa - thank you for the interesting link.

I got 8/10 with two false positives. The Chase got me with the expression "save up to hundreds of dollars" which struck me as odd and then I got number ten wrong but I already forgot why I thought it was evil.

I tend to be really suspicious of everything and even when I get emails that I am sure are legit, regarding accounts I actually own, I don't use the links. I open a fresh browser and type the URL in.

#65 ::: Zoila ::: (view all by) ::: September 21, 2014, 10:26 AM:

I like the valuable information you provide
in your articles. I will bookmark your blog and check again here regularly.
I am quite certain I'll learn lots of new stuff
right here! Best of luck for the next!

#67 ::: Mary Aileen sees old spam ::: (view all by) ::: November 02, 2014, 02:13 PM:

undeleted spam from September at #65

Welcome to Making Light's comment section. The moderators are Avram Grumer, Teresa & Patrick Nielsen Hayden, and Abi Sutherland. Abi is the moderator most frequently onsite. She's also the kindest. Teresa is the theoretician. Are you feeling lucky?

Comments containing more than seven URLs will be held for approval. If you want to comment on a thread that's been closed, please post to the most recent "Open Thread" discussion.

You can subscribe (via RSS) to this particular comment thread. (If this option is baffling, here's a quick introduction.)

Post a comment.
(Real e-mail addresses and URLs only, please.)

HTML Tags:
<strong>Strong</strong> = Strong
<em>Emphasized</em> = Emphasized
<a href="">Linked text</a> = Linked text

Spelling reference:
Tolkien. Minuscule. Gandhi. Millennium. Delany. Embarrassment. Publishers Weekly. Occurrence. Asimov. Weird. Connoisseur. Accommodate. Hierarchy. Deity. Etiquette. Pharaoh. Teresa. Its. Macdonald. Nielsen Hayden. It's. Fluorosphere. Barack. More here.

(You must preview before posting.)

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016 by Patrick & Teresa Nielsen Hayden. All rights reserved.