We saw this great post indicating exactly how clueless the average person is when trying to detect spam or phishing schemes in their inbox. The blogger launched a site called SpamorHam.org to see how savvy Internet users were across the board when trying to detect email fraud. Unfortunately, users of the site are failing the test at overwhelming rates.
Here’s one that the average user doesn’t think is a fraud attempt, for example:
I get about a hundred of these in my inbox a day. There are some criticisms we could level at the site’s methodology: to be honest, the only way we really know some emails are actually scams (we get paid by PayPal, for example, and some of those fake messages are extremely good forgeries) is by hovering over the links and carefully identifying where they lead. That may still be a bit savvier than the average email user, but SpamorHam.org doesn’t let you figure out where links lead intuitively — it gives a raw output of HTML, but most people don’t know how to read it. Text alone really isn’t enough anymore to detect phishing scams, if it ever was.