Following post talks about the results of my SonicWall Phishing IQ Test. I also go over some of the notes I’ve taken during the test.
Figure 1 illustrates my results from the SonicWALL Phishing and Spam IQ Quiz at https://www.sonicwall.com/phishing.
Figure 1: Results of the SonicWALL Phishing IQ Test for Jozef Jarosciak (Dell, 2012)
I have decided to compile the following table of methods I have used to detect the legitimate emails from phishing emails and mark each one of them on the difficulty I have experienced during the detection process.
|QUESTION #||EMAIL FROM||LEGITIMATE / PHISHING||DIFICULTY LEVEL||DETECTION METHOD|
|Question 1||Paypal||Phishing||EASY||The email claimed to come from PayPal, but the URL in the body of the message pointed at com-stz.info TLD. Misspelled domain name, which anyone could have bought and used inside the phishing email. Spelling error in the first sentence.|
|Question 2||Wells Fargo||Legitimate||EASY||No spelling errors, plus there was no urgent or threatening language used in the body of the email. Also, email had the correct domain name in URLs.|
|Question 3||IRS||Phishing||EASY||HTML form inside the email with submit button. There is no way to detect where will such information be sent, plus Internal Revenue Service would not send the legitimate email containing the in-email HTML form.|
|Question 4||Bank of America||Phishing||HARD||The email phishing was a bit harder to detect. However, upon inspection, I found issues such as HTML formatting, missing image at the top, incorrect salutation, omitted account number. All are pointing to a phishing email. This email intentionally did not show where the real link points to, which would be a further giveaway.|
|Question 5||Bank of Choice||Legitimate||MEDIUM||This email contained much information that a hacker would not normally have, such as partial account number, phone number, as well as information about the request made to the bank. However, I need to know, that if I did not request anything from the Bank of Choice, even though this was a legitimate email, I would have still deleted it.|
|Question 6||Cayman National||Phishing||EASY||Same case as PayPal’s email in Question 1, URL points to a different domain name. Also, grammar is not correct.|
|Question 7||Chase||Legitimate||EASY||A lot of green flags, such as proper use of salutation, there were no spelling mistakes, there was a correct use of masked account number, and also correct domain on URL.|
|Question 8||UPS||Phishing||HARD||This one was likely the hardest of all because the only method to detect the wrong email was to look up all links in the email, which screenshot did not allow me to do. That put me on alert to look for further issues. I found the problem in the grammar and marked it correctly as a phishing email.|
Note: If this was a real-life email and I was in the hurry, it is possible I would have incorrectly classified it as a legitimate email. This was likely the only email that had a potential to trick me.
|Question 9||PayPal||Phishing||EASY||Lots of details about the transaction, but unfortunately, I had no way to confirm if the details were legitimate, which normally I would have known. However, as soon as I have seen the wrong domain name, it was evident this was a phishing email.|
|Question 10||FDIC||Phishing||EASY||Email from FDIC was pointing to URL of shores.com, immediately suggesting phishing.|
My immediate observation was that the quiz was strictly about identifying phishing emails and it’d be nice if it included also some spam emails to see if people can pick up on those. Unfortunately, I did not detect any spam emails among the group of test questions.
Just to note, there is a difference between spam and phishing emails. According to Morimoto, M., & Chang, S. (2006), the spam is an unsolicited commercial e-mail characterized as communication from marketers that consumers did not ask for. Moore, T., Clayton, R., & Stern, H. (2009) on the other hand state, that although there is certain correlation between spam and phishing email, the phishing email is characterized as the criminal activity of enticing people to reveal their passwords and other credentials, which can later be used for fraudulent activities.
That said, the spam is an unwanted email of commercial nature (also called junk email), whereas the phishing email is a method of fraudulently obtaining personal and confidential information.
According to research from cyber security company Diligent Corp (Elise, A., 2017), for instance, Americans overestimate their ability to detect phishing emails, which is problematic since the US reports more phishing scams than any other country in the world. For example in 2011, approximately 25,000 phishing emails were detected per month in the US and by 2016, the number increased to 225,000 per month. An approximate number of phishing emails sent every day across the world is estimated at 156 million. This is especially important to large corporations, who recognize the need to become much more proactive in the fight against phishing scams. It’s a traditional axiom that the greatest threat to data security comes from the inside. This was demonstrated by JPMorgan, which has decided to simulate the threat by sending a fake email to all of their staff. According to the Wall Street Journal (Nexustek.com, 2017) an incredible 20% of staff were fooled by the email and clicked on the phishing links. Similar results I’ve experienced in the test running in the firm I am currently working for.
I have passed the test with flying colors by following the simple rules, such as not trusting the display name, because I know that hackers can easily spoof them. I took the time to look for grammar errors and spelling mistakes and always analyzed the salutation, as well as all clickable links. Additionally, I have looked for urgent language which is rarely used by legitimate organizations and reviewed the signatures and HTML formatting of the email.
Moore, T., Clayton, R., & Stern, H. (2009). Temporal Correlations between Spam and Phishing Websites. In LEET.
Morimoto, M., & Chang, S. (2006). Consumers’ attitudes toward unsolicited commercial e-mail and postal direct mail marketing methods: intrusiveness, perceived loss of control, and irritation. Journal of Interactive Advertising, 7(1), 1-11.
Tunnelsup.com. (2016). Differences between spam and phishing emails – TunnelsUP. [online] Available at: https://www.tunnelsup.com/differences-between-spam-and-phishing-emails/ [Accessed 20 Apr. 2017].
Return Path. (2015). 10 Tips on How to Identify a Phishing or Spoofing Email – Return Path. [online] Available at: https://blog.returnpath.com/10-tips-on-how-to-identify-a-phishing-or-spoofing-email-v2/ [Accessed 20 Apr. 2017].
Dell (2012) SonicWALL Phishing IQ Test [Online]. Available from: http://www.sonicwall.com/phishing/ (Accessed: 19 April 2017).
Elise, A. (2017). We overestimate our ability to detect phishing scams, survey says. [online] WTAE. Available at: http://www.wtae.com/article/we-overestimate-our-ability-to-detect-phishing-scams-survey-says/9271496 [Accessed 22 Apr. 2017].
Nexustek.com. (2017). Phishing Scam Quiz | NexusTek. [online] Available at: https://www.nexustek.com/phishing-scam-quiz/ [Accessed 22 Apr. 2017].