In association with heise online

MB: Yes, there is clearly an opportunity here. As I say, I have spent a number of years working in the identity industry and related fields, and I think that in the next few years we are going to see some movement on this front, but today it is a real problem for the average consumer.

But getting back to educating the consumer about what they can do to manage their security: those messages about awareness of phishing, password management, running a good modern anti-malware package that's kept updated, and installing the latest security patches for the operating system and applications should assure a good level of protection. These don't take too long to explain, and our experience is that the average consumer, if you walk them through that, will say 'Oh OK, I can do that'.

hS: Well, perhaps the problem is, speaking as a regular user of PayPal, that in my normal interaction with PayPal that information and advice isn't apparent.

MB: Well, there's a security section on the site (PayPal UK – How we keep you secure and the security center). Recently we did an interactive tutorial, a sort of quiz / game, and people have a really good reaction to it. As I said, one of the things we had found was that people don't react very well to words on web pages for this kind of thing and there's a very rapid drop-off rate, but other forms of training do get through to them, so we've been experimenting with that. As far as phishing is concerned, the best way to detect phishing is to look at the company an e-mail purports to come from and then look at the URL it's trying to take me to. If it says it comes from PayPal but it's going to www.imathief.ru, or even worse, number.number.number.number, it probably isn't on the up and up and it's probably not PayPal. However, many people don't know how to parse a URL, so explaining that to them is actually quite difficult, so what we did was ......

hS: So rather like this e-mail I received today (hands MB a printout of an e-mail, sent to a mail address that is not registered with PayPal, with the To: field suppressed, claiming to represent a PayPal purchase in dollars of a smart phone from a US supplier for delivery to a US address (i.e. not the e-mail account holder's address) and inviting the recipient to click on a URL link to dispute the purchase)

MB: Yes! Exactly, the prosecution rests. If you can parse a URL, that screams out: I want to take all your money, you stupid fool. Now it turns out it's much easier to teach people how URLs work if you can show them, so about a year or eighteen months ago we slung together a fairly quick video of some examples of legitimate e-mails and fake e-mails and stuck it on YouTube. It's actually a very effective training device.

Talking about phishing, another thing I'm quite fond of is: if you have never seen a fake e-mail in your in-box, you're probably not on the lists the bad guys use. Once you get an e-mail that purports to come from some company and you go 'but I don't have an account with them, why are they sending me this', then OK, you're on the lists, mate. From then on you should be very suspicious of any e-mail that purports to come from any company that you DO have a relationship with, because it may, or may not, come from them. If you have, let's say, a Virgin in-box and you have never seen an e-mail from a source you don't recognise, then that's one state, but as soon as you see an e-mail from a company you don't know, claiming you have made some sort of transaction with them, you should switch into super-paranoid mode about all e-mails to that address, as long as you keep using it.

The other thing I always tell people is: do a mental gut check. If, when you read the thing, it seems to be trying to get you to think 'oh, this is really urgent, something bad is going to happen unless I take action on this right now', be dead suspicious. That's actually a dead giveaway, because the bad guys know there are people like me who are out there getting their sites shut down in under 24 hours; that's sort of the industry average. They are trying to get as many 'marks' as they can to click on the link quickly, so they are always trying to socially engineer the e-mails to engender a sense of urgency, and if you feel like it's 'that urgent', it probably is bogus. If it's a real company, like, you know, a bank or so on, they will have your address, and if it's a really serious problem, they will send you a letter. If an e-mail seems to be from a large company and you are really concerned, call their customer services, because the bad guys find that much harder to replicate. There's a lot of very simple advice you can follow in this area, but people get fooled by not knowing how to parse a URL and by a false sense of urgency.

hS: Is this something you have considered raising with schools at all, to teach school kids how to protect themselves from e-mail scams when they start to earn a living?

MB: Well, that's a very interesting question. I have never seen any research on it; certainly you see phishing e-mails going to university students.
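The URL check MB describes (does the link's host actually belong to the company the e-mail claims to be from, or is it a foreign domain or a bare IP address?) can be written down mechanically. The following is an added example, not code from PayPal or from this interview. It assumes a hypothetical table of which hostnames a brand legitimately uses, a constructed sample e-mail body, and placeholder hosts (www.imathief.ru from the interview, plus the documentation address range 203.0.113.0/24); it goes slightly beyond the interview by also catching the user-info trick (`http://www.paypal.com@evil.example/`) and look-alike subdomains (`www.paypal.com.evil.example`).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical table of hostnames a brand legitimately links to. The entries
# are assumptions for this example; a real deployment would maintain the list
# per brand and normally consult a public-suffix list as well.
BRAND_DOMAINS = {
    "paypal": ("paypal.com", "paypal.co.uk"),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body: str) -> list[str]:
    """Pull http(s) links out of a plain-text e-mail body."""
    return URL_RE.findall(body)


def url_red_flags(claimed_brand: str, url: str) -> list[str]:
    """Return the reasons a link should not be trusted, given the brand the
    e-mail claims to come from. An empty list means no red flag was found,
    which is not the same as 'safe'."""
    flags = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.username is not None:
        # http://www.paypal.com@evil.example/ : the browser ignores everything
        # before '@'; the real host is what follows it.
        flags.append(f"user-info '{parts.username}' before the real host {host!r}")

    if not host:
        flags.append("no host name in URL")
        return flags

    try:
        ipaddress.ip_address(host)  # accepts dotted-quad IPv4 and IPv6 literals
        flags.append(f"host is a bare IP address ({host})")
        return flags
    except ValueError:
        pass  # a normal host name

    allowed = BRAND_DOMAINS.get(claimed_brand.lower(), ())
    # A genuine host is the domain itself or something ending in '.domain'.
    # www.paypal.com.imathief.ru fails: it ends in '.imathief.ru'.
    if not any(host == d or host.endswith("." + d) for d in allowed):
        flags.append(
            f"host {host!r} is not under any {claimed_brand} domain ({', '.join(allowed)})"
        )
    return flags


def triage_message(claimed_brand: str, body: str) -> dict[str, list[str]]:
    """Map every URL in the message body to its list of red flags."""
    return {u: url_red_flags(claimed_brand, u) for u in extract_urls(body)}


# Constructed sample e-mail modelled on the one hS hands over; the hosts are
# placeholders, not real phishing sites.
SAMPLE_BODY = """Dear customer,
A purchase of $499.00 was made from your account. If you did not
authorise it, dispute it within 24 hours:
  http://www.paypal.com@www.imathief.ru/dispute
Or log in at http://203.0.113.7/paypal/ or
https://www.paypal.com.imathief.ru/uk/cgi-bin/webscr
Your real account page is https://www.paypal.com/uk/cgi-bin/webscr
"""

if __name__ == "__main__":
    for link, reasons in triage_message("PayPal", SAMPLE_BODY).items():
        print(f"{'SUSPICIOUS' if reasons else 'OK':10} {link}")
        for r in reasons:
            print(f"           - {r}")
```

Run stand-alone, the script reports three of the four links in the sample as suspicious and only the genuine www.paypal.com link as clean. The suffix test (`host.endswith("." + d)`) is what defeats the look-alike subdomain, and reading the host from `urlsplit(...).hostname` rather than from the start of the string is what defeats the user-info trick.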

Next: New initiatives

Permalink: http://h-online.com/-746227