Critical thinking and phishing scams

jarich on 2005-12-15T07:15:52

I think most people who are in IT have learned to junk the phishing scams they get every day in their mailboxes.

Hopefully most of those not in IT have also learned (or had their sys-admin implement protective measures). Yet I suspect people are still getting caught out.

I don't think it's a case of stupid people, rather one of education. It is possible to go through the entire primary/secondary/(and even) tertiary education systems without learning critical thinking. It's amazing how many people are willing to just believe sentences like the one below without asking key questions such as: who are they? When was this done? Do you have a reference for that?

A study was done concerning the business success of a day's worth of travellers on a particular airline and they found that over 90% of the people who stepped off the plane leading with their right foot, received wage increases within 6 months!

It's not true. I just made it up.

Trying to teach users about phishing scams is only partly successful because of this gap in critical thinking ability. You can tell them that they'll never receive a letter from their bank asking them to enter their username and passwords after following a link in that email. This will probably be effective, but it doesn't mean they'll apply that to an email from ebay, or some other service.

Explaining the underlying concepts behind phishing and the key tells is likely to have more success. But chances are that it'll be learning by rote if critical thinking is not engaged. For example, if a user receives an email, addressed to them, and is asked to click on a link that goes to www.secureebay.com from an email whose "From" address appears to be support@secureebay.com, they'll probably do it. The link address looks okay (it says ebay.com, and "secure" is good, right?). Further, the email address actually matches the domain (that means it's okay, right?).

What we also need to get users to do is read the actual email and determine if it sounds plausible based on the language used within. For example consider a random piece of junk I received today:

You have recieved this email because you or someone had used your account to make fake bids at eBay. For security purposes, we are required to open an investigation into this matter.

...

Please Note:

If we do not receive the appropriate eBay account verification within 48 hours, then we will assume this eBay account is fraudulent and will be suspended.

The purpose of this verification is to ensure that your eBay account has not been fraudulently used and to combat the fraud from our community.

Italics mine.

Hmm. So my account has already been used fraudulently, but this verification is to ensure that it hasn't been... I can spot an issue here.
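The two tells discussed above (a link and "From" domain that merely contain a brand name, and deadline-and-suspension pressure in the wording) can both be checked mechanically. The script below is an added example, not code from the original post; it uses only the Python standard library. The sample message is constructed from the look-alike domain and the quoted wording above, not a captured scam, and the KNOWN_BRANDS table and URGENCY_PATTERNS list are assumptions a real deployment would maintain itself.

```python
"""Flag phishing tells in a raw email: look-alike domains and urgency wording.

Added example; not part of the original post. Standard library only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands to protect, mapped to the domains they genuinely use.
# Constructed for this example; maintain your own list in practice.
KNOWN_BRANDS = {"ebay": {"ebay.com", "ebay.co.uk"}}

# Deadline / threat phrasing of the "verify within 48 hours or be suspended" kind.
URGENCY_PATTERNS = [
    r"\bwithin\s+\d+\s+hours\b",
    r"\bwill\s+be\s+suspended\b",
    r"\baccount\s+verification\b",
]

# Constructed sample message built from the wording quoted in the post.
SAMPLE_EMAIL = """\
From: eBay Support <support@secureebay.com>
To: user@example.org
Subject: Account verification required
Content-Type: text/plain

You have recieved this email because you or someone had used your account
to make fake bids at eBay. For security purposes, we are required to open
an investigation into this matter.

Please verify your account here: http://www.secureebay.com/verify?id=123

If we do not receive the appropriate eBay account verification within 48
hours, then we will assume this eBay account is fraudulent and will be
suspended.
"""


def registrable_domain(hostname):
    """Crude registrable-domain rule: last two labels, or last three for
    suffixes like .co.uk. Enough to show that 'www.secureebay.com' registers
    as 'secureebay.com', not 'ebay.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brand(hostname):
    """Return the brand a hostname imitates, or None if it is genuine or
    unrelated. A hostname imitates a brand when the brand name appears
    anywhere in it but its registrable domain is not one of the brand's."""
    reg = registrable_domain(hostname)
    for brand, real_domains in KNOWN_BRANDS.items():
        if reg in real_domains:
            return None                      # genuinely the brand's domain
        if brand in hostname.lower():
            return brand                     # 'secureebay.com', 'ebay.com.evil.net'
    return None


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2]
    body = msg.get_payload()

    urls = re.findall(r"https?://[^\s<>\"']+", body)
    link_hosts = {urlparse(u).hostname for u in urls if urlparse(u).hostname}

    if sender_host and lookalike_brand(sender_host):
        findings.append(f"sender domain {registrable_domain(sender_host)} "
                        f"imitates {lookalike_brand(sender_host)}")
    for host in sorted(link_hosts):
        brand = lookalike_brand(host)
        if brand:
            findings.append(f"link host {host} imitates {brand}")

    # A From that matches the link domain proves nothing: the From header is
    # whatever the sender typed, so record the match rather than trust it.
    if sender_host and any(registrable_domain(h) == registrable_domain(sender_host)
                           for h in link_hosts):
        findings.append("From domain matches link domain "
                        "(not evidence of legitimacy; From is unauthenticated)")

    for pat in URGENCY_PATTERNS:
        if re.search(pat, body, re.IGNORECASE):
            findings.append(f"urgency phrase: {pat}")
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL):
        print("-", line)
```

Run against the constructed message it reports the imitated brand in both the sender and link domains, notes that the matching domains are not reassuring, and lists all three urgency phrases. The brand-substring rule is deliberately simple and will also flag unrelated names that happen to contain the brand, so treat its output as a prompt for the reader to look closer, which is exactly the habit the post is asking for.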

Unfortunately, I can imagine my users still clicking on the link and jumping through whatever hoops they're told to, just to keep their account. You can read them the contradiction, but they just won't think about it. :(

Definitely need to come up with a way of teaching people more critical thinking.

It might even help with some of the social problems we're having.


Time could be better spent

jdavidb on 2005-12-15T16:25:53

It is possible to go through the entire primary/secondary/(and even) tertiary education systems without learning critical thinking.

All the more reason to skip them completely so the vast amounts of time wasted there can be spent learning important skills like this, which may or may not be taught effectively at any particular institution. This is one item in my list of many, many reasons why I was persuaded to homeschool.

Similarly, I learned more about detecting and eliminating bias in writing in my first three months working on Wikipedia than I did in my entire twelve years of public school education, even though "detecting bias" was an explicit goal of instruction for many years. (I suspect many people were public-schooled into thinking that "detecting bias" means "detecting when someone has the wrong opinion because he doesn't agree with me.")

Grammar and spelling

jdavidb on 2005-12-15T16:33:23

What we also need to get users to do is read the actual email and determine if it sounds plausible based on the language used within.

Taking another meaning from the same sentence, the only time I got a mail that almost persuaded me, I was extremely suspicious due to the poor grammar (or maybe it was spelling) in a couple of places. It wasn't Nigerian 419 quality, but it still made me wonder and helped me to slow down and think things through before acting too quickly. (The only reason I found it plausible was they hit me by coincidence when some similar events actually were going on with my account.)

I'm told over and over again by people online and in real life that I'm foolish for caring so much about grammar and spelling. The idea that people should actually know how to write is outdated. The language is moving on, and so should we. It's just like back in school when people who actually wanted to learn were mocked, and being ignorant was a virtue to be praised and laughed joyfully about.

Yet I'll be the one who doesn't have my shirt stolen by scammers because I know enough to tell when a letter sent to me is professionally done, or just written by the willful ignoramus from sixth grade who made fun of me for telling him that "alot" was two words and still hasn't taken any steps to learn anything. Said ignoramus is now apparently incapable of making an honest living.