Saturday, July 7, 2012

OTR: Why are Phishing Messages so Lame?

I was taking a quick troll through my spam folders this morning to make sure nothing of importance got stuck there before I flush them. I find that Yahoo! does a decent job of catching spam and phishing messages with few false positives, but Google seems to catch a lot of legitimate messages (btw, Google, if I have a rule that tags a message, that should override the spam filter,... just sayin'). I'm easily amused by a lot of the more obvious phishing messages. I've been of the opinion that the people writing these things ought to invest in native English speakers for more effectiveness. But they keep coming, so obviously they are working on some people.

I read somewhere recently, that one theory about why lame phishing messages continue to be sent is that they work. If someone actually bites on one of these, they are clearly not too bright and if they aren't too bright (and usually greedy to boot), they won't overthink the messages that come next. I guess that is one theory. I suppose another is that there are more than a few people who are either naive or extremely trusting souls and they get hooked fairly easily. These are generally the same folks who fall in with con artists and withdraw money from the bank in exchange for an envelope full of stacked newspaper.

At the Day Job, we see the more advanced phishing messages. These are targeted and are called "spear phishing" messages because they tend to selectively target individuals with "bait" indicative of some knowledge of the individual. There's another class of phishing messages referred to as "whaling", which targets high value individuals -- we haven't seen much of that. But even some of the best spear phishing messages are lame. Seriously, why would a C-level executive send you an email from a Yahoo! account? But people clicked away on that because it was "signed" by that exec. It was a low number, but still... and the funny thing is that the phisher could have done a few simple things to disguise the message, but didn't. So I have to think that even the spear phishers are looking for people who are either too harried to really look at email or simply aren't bright enough to realize that they are being phished.

So for today's lesson: Stop. Think. Connect.