Amateur Hour
Though spelling errors and poor design were once considered the telltale signs of a phishing attack, those same traits now may put online consumers at ease. A study in the Journal of Consumer Research, which is published by the University of Chicago, found that "the disclosure of private information is responsive to environmental cues that bear little connection, or are even inversely related, to objective hazards."
An article published Aug. 25 on the tech news website Ars Technica said the study's conclusion is "a bit of a surprise … most studies have assumed people were rational actors."
In one pair of tests, researchers presented participants with two websites: one that looked professional and suggested the backing of a major university, and another that was made as amateurish as possible. Participants said the professional-looking site was the more trustworthy, but when they filled out surveys at each, they divulged more personal information to the sloppy one.
Participants even deemed the same questions to be less intrusive at the unprofessional-looking site. The differences in presentation "seemed to loosen participants up," Ars Technica said.
In another test, researchers asked participants to identify phishing sites before presenting the survey questions. This served as something of an equalizer, leading participants to be equally cautious on both the professional and amateurish websites.
The study did not ask about passwords and PIN codes, though the researchers expressed interest in requesting that type of information in later tests. So far they have only succeeded in manipulating people into divulging "salacious facts," the article said.
The conclusion, however, is clear, Ars Technica said: "users can be fooled by cues that are the exact opposite of those recognized by an independent observer. Which is precisely the reason that maintaining high security standards can be so difficult."
Cover Story
When fraudsters began to steal more than $600,000 from the Catholic Diocese of Des Moines, they were quick with an explanation to address the concerns of the people they had tricked into helping them.
To move the money out of the United States, the scammers relied on money mules, people who are found on job sites and told they are being hired for a legitimate job, only to discover later that they'd assisted a financial fraud, Brian Krebs reported Monday online at "Krebs on Security."
Mules are typically told that they have landed jobs as accountants or payment processors and that they are to receive money into their own bank accounts and wire it away to another location.
Daniel Huggins was hired for such a scheme by a group posing as a company called Impeccable Group. The scammers told Huggins they found his contact information in a resume he had posted online.
When Huggins noticed that the payments he received seemed quite high — one for nearly $20,000 and another for nearly $10,000 — and that both came from the Catholic Church, he began to ask questions.
The scammers, however, had an answer ready, drawn from headlines about sex-abuse scandals. They said these payments were "going to be payouts to some of the settlements in the sex crimes cases against the Church," Huggins told Krebs.






















