Test your bait for phishing

Discovering that your online street smarts aren’t up to snuff has got to sting, yet more than a half-million individuals have unflinchingly summoned the courage to take MailFrontier’s Phishing IQ Test since July 2004.

Test takers are asked to scan 10 real-life e-mail messages and judge whether each is a phishing attempt or legitimate commercial correspondence.

Because we thrive on danger in the news profession, I made two decisions this week: I’d take the test myself; and I’d reveal the results here, no matter how abysmal my score. (You’ll simply have to trust me on the pledge and the grade.)

Before we find out if everyone gets to have a good laugh at my expense, let’s take a look at how the masses have been doing on the test. It’s a mixed report card that says plenty about the obstacles being faced today by honest companies that want to connect to their customers via e-mail.

“The first 50,000 who took the test were terrible at identifying the fraudulent e-mail,” says Andy Klein, manager of the MailFrontier Threat Center. That group was able to sniff out just north of 60 per cent of the stinky e-mail, meaning that about four of every 10 phishing lures in this mock exercise were gobbled hook, line and credit card number.

“The results have been getting better over time,” Klein says, with the company’s most recent analysis showing an 82 per cent accuracy rate for spotting phishing attempts.

What’s driving the improvement? Growing public awareness of the telltale signs of phishing and greater diligence on the part of legitimate businesses in educating their customers about their standard do’s and don’ts regarding e-mail. “A little bit of knowledge and common sense go a long way,” Klein says.

But the news is far from all rosy. Although people have gotten better at shooting phish in a barrel, that higher success rate has produced collateral damage: A lot more legitimate e-mail is getting tagged as fraudulent. Whereas the early test takers correctly identified 75 per cent of legit e-mail, that rate is now down to 50 per cent, according to Klein.

In other words, people are pretty much guessing.

“The natural reaction is to back away and assume everything is bad,” Klein says. It’s an instinct that online merchants and security vendors are going to need to combat fiercely and effectively, lest it threaten the continued growth of Internet commerce.

OK, how’d I do on the test? Not bad, if I must say so myself: nine out of 10 correct, including nailing all five of the fraudulent e-mails.


Want to brag about acing the test? The address is buzz@nww.com.