[Sigia-l] What's your score?
Karl Fast
karl.fast at pobox.com
Tue Nov 29 08:42:49 EST 2005
> As a savvy professional how well did you do?
> Does an ordinary user stand a chance?

This test is interesting, but I think it is also flawed (depending
on the purpose).

I got 6 out of 10, which is terrible. But I labelled all messages
phishing frauds if they came from an organization I didn't do
business with. I didn't even look at the message in these cases.

This was in accordance with the instructions. The question was "If
you received one of these emails in your inbox, what would you do?"
I don't do any business with Earthlink, so if I got email from them
I would delete it.

I ignored six of the ten messages for this reason. I don't care if
an email from Capital One is legit or a phish. Makes no difference
to me.

For the four companies that I have done business with, I correctly
identified all of them (3 phishing, 1 legit). And they were easy.

For raising awareness about phishing, this is a good test.

But for evaluating how well people can identify phishing attempts,
this is a flawed test.

Unfortunately, MailFrontier has a press release claiming that
500,000 people have taken the test and the average score is 75%.
That figure is bound to be misleading. I scored 60% overall. But on
the emails that mattered to me, I scored 100%.

Still, I think the basic idea of the test is a good one. But I
wouldn't use the results to claim that people can only identify 75%
of phishing attempts. Not unless they changed the test.

The press release with the quoted figures.
http://www.mailfrontier.com/press/press_fieldguide.jsp

--
Karl Fast
http://www.livingskies.com/