The term “phishing” refers to the malicious practice of trying to extract sensitive information (such as passwords) from users. Compared to numerous other Internet-related terms, “phishing” is one of the least understood among users. I have found this in my work, as have others in theirs. Of course, it may be that people understand the concept of phishing without knowing that it is called that. It is difficult to do large-scale data collection using more elaborate methods, but I implemented some related questions on a survey recently taken by over one hundred students who were randomly sampled from a diverse group. (See the end of this post for details about the data set.)
In the context of a larger study, I showed participants three hypothetical emails and offered several options for how they might proceed (respondents could check off several actions such as “delete it”, “ignore it”, “forward to tech support with a question”, etc.). When shown an email that looked very much like the one that comes from the IT department of the university (one that would not be hard to replicate by someone with malicious intent), over half of respondents said they would “follow the instructions outlined in the email”, which included going to a Web site and entering their username and password. Even more students said that they would “click on the links in the message and follow the instructions on those pages”. Fewer than 15 percent checked off the option of contacting tech support with a question or reporting the email as abuse. And in the open-ended field where respondents could explain what else they might do, only one student described actions that suggested the potential problem with the email. This, among the generation that is supposedly savvy about digital media. See my forthcoming paper on The Role of Expertise in Navigating Links of Influence for more on this (especially pp. 12-19).
When I talk to my students (at a different school than where the above study was conducted) about online privacy and security issues, and ask them about the potential implications, the usual response is about financial concerns: credit card numbers stolen, money lost. However, as I try to remind them several times throughout the course, financial issues are not the only ones at stake when managing one’s identity and actions online. For example, in the realm of health and politics one can easily come up with examples of cases where third parties should not have access to our information.
And then there is reputation. I have noticed some troubling incidents on Flickr recently and wanted to write a post about these experiences to remind people about the importance of being vigilant. Don’t stop reading just because you are not a Flickr user, by the way. These same issues could occur on lots of other sites as well.
Flickr is a photo-sharing community site where people post photos and often comment on others’ images. These comments sometimes include cute little awards that let you add your photo to an invitation-only group or whatnot. Recently, I received such a comment on one of my photos and clicked on the link included within it. This led me to a login screen seemingly still within Flickr. The people behind that site did a very good job replicating Flickr. You had to be very conscious of your actions not to proceed and follow what you were being instructed to do, namely, enter your Yahoo!/Flickr username and password.
Lucky for me, I did realize that there was something phishy going on here. I was already logged into Flickr so this login request did not make sense to me. I checked the location bar of the browser, and as expected, it did not say flickr.com/etc. Then I did a search for phishing on Flickr groups and confirmed that this was not something I wanted to pursue. Others had encountered similar issues and had already reported them so hopefully the admins were aware.
So what could one do with the username and password of Flickr users who were not as cautious or who simply did not realize what might be going on? First, one’s Flickr username and password is the same as one’s Yahoo! ID and password so it allows access to one’s email account and all other associated services, none of which is desirable. Within Flickr itself, it allows the malicious user to post comments on others’ photos using the account.
And that is precisely what I experienced this morning. Click here for a screenshot of a picture I posted and the comment that followed immediately after. Note that this comment came from someone who is not on my contacts list and whose account I had never seen, as far as I recall. The comment on my photo of a Dublin door reads:
Someone at RAMCON said you sell nude images of children on flickr(loldee etc..) and i was just wondering(if this is true) then how much do you charge and what payment methods you accept?
There is very minimal chance that someone from a paid account would leave such a message publicly on a photo.
Searching on Flickr, I see that others are experiencing the same issue with the exact same message, but posted from different people’s accounts. This can be really damaging to the person whose account is used for such messages, especially if this person does not realize or does not understand what is going on. Several people participating in that discussion thread have already reported the person, accusing him of having left at least three such messages.
So I thought a reminder was in order: before entering your username and password anywhere, be sure to check that you are on the Web site you think you are on, look at the address of the Web site in the browser and if it is not the one you expected then beware.
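The address-bar check above is easy to state but easy to get wrong at a glance, so here is an added illustration (not code from the original post) of what “the site you expected” has to mean: the host the browser actually connects to, compared whole against the expected domain. The domains flickr.com and yahoo.com are the ones the post names; the sample URLs are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical list of sites the user expects to be logging in to.
EXPECTED_DOMAINS = ("flickr.com", "yahoo.com")


def host_of(url: str) -> Optional[str]:
    """Return the lowercase host the browser would connect to, or None."""
    try:
        host = urlsplit(url).hostname  # lowercased; userinfo and port dropped
    except ValueError:
        return None
    if not host:
        return None
    return host.rstrip(".")  # "flickr.com." names the same host as "flickr.com"


def on_expected_site(url: str, expected=EXPECTED_DOMAINS) -> bool:
    """True only if the host is an expected domain or a subdomain of one.

    Matching the whole host rejects the shapes a quick look tends to miss:
      - extra labels on the right ("www.flickr.com.example.net")
      - a familiar name in the userinfo part ("https://flickr.com@example.net")
      - the familiar name in the path ("https://example.net/flickr.com/login")
      - lookalike characters ("fIickr.com" with a capital I)
    """
    host = host_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in expected)


def triage(urls):
    """Label each address-bar value OK or BEWARE."""
    return {u: ("OK" if on_expected_site(u) else "BEWARE") for u in urls}


# Constructed sample address-bar values, not addresses from the post.
SAMPLES = [
    "https://www.flickr.com/photos/example/",
    "https://login.yahoo.com/",
    "https://flickr.com./groups/",
    "https://www.flickr.com.example.net/login",
    "https://flickr.com@example.net/login",
    "https://example.net/flickr.com/login",
    "https://fIickr.com/login",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:7} {url}")
```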
[*] Details about the data set: In February-March, we administered a paper-and-pencil survey to students in the one class at the University of Illinois, Chicago (UIC) that is required of all students, thus posing no selection bias as to who was in the sampling frame from the university. UIC is one of the most ethnically diverse research university campuses in the US. We had a 98% response rate from the 85 course sections and an 82% response rate among all students enrolled in the class. The survey data about understanding the term “phishing” represent the responses of 1,236 participants. We used stratified sampling (on gender and user skill) for the follow-up observational study (March-May, 2007), which also included a short additional survey. We achieved a 58% response rate on that portion of the study, with 103 students participating.
Thanks to the MacArthur Foundation for supporting this work.