Edited 10 days ago
Two relatives of mine got scammed/phished recently. Nothing serious happened fortunately. Some interesting observations:

- People see URLs as opaque blocks. They have 0 clue where they point to since they have 0 clue about how to read them.
- "Check the domain" doesn't help (even assuming the knowledge of what part of a URL string is a domain) if you have no information about what domains are "normal" (whatever that means).
- Regular people don't see giving out CCs or other sensitive information as a critical task. One of the victims told me they gave out their CC while doing two other things - I'd drop everything to focus on such a task, while for them it's just another boring physical copy-paste.

Based on this, most of our awareness advice is shit.

#phishing #scam

@buherator @raptor I completely get that URLs are technobabble to many.

But giving out your credit card info to anyone who asks? Look, you can't fix stupid. You're just going to get scammed if you can't think critically about who you give money to and why.


@buherator Worse than shit, it might even be harmful. They have been told over and over, drilled to death to be vigilant of the phishing email that arrives in their inbox, but just as often the victims are the ones who initiated the contact and are not expecting that link sent directly to them by the person who wants to pay them for the crap they sold on eBay to be a whole-ass mock-up of their bank.


Orca 🌻 | 🎀 | 🪁 | 🏴🏳️‍⚧️

@buherator

  • “Check the domain” doesn’t help if you have no information about what domains are “normal”

Damn right. I remembered doing some phishing training from Google, and they asked if some email sample is legit, and demonstrated its legitimacy by pointing out that it uses legit Dropbox domains.
That’s where I thought “but no one here (DropBox isn’t accessible in China) uses DropBox at all! How are they going to learn if this is legit?!” 🫠

@stilescrisis @raptor CCs are literally written on the card, visible to anyone who looks at my hand while I pay. Why should I keep it secret? (Not sure if this is part of the actual thought process but I think this is an interesting angle)

@buherator Is a good defense against this to check the URL string for more "standard" characters? I've heard of attacks where the malicious domain is made to look similar to the legitimate domain. I presume these characters are not the more "normal" ASCII characters one sees.

@asicc My point is exactly that the contents of a URL don't seem to matter _at all_ because many people have no idea what trustworthy domains are (or what they would look like as part of a URL).

In other words you don't have to register n<very weird e-like character>tflix[.]com for your scam because people will just trust PayForYourTV[.]so.

@buherator I understand now, you definitely spelled it out clearly in the OP. That's unfortunate.

Web of Trust issue? Should we be engaging in PGP practices where we verify signed links by reputable identities? The government(s) or more "reputable" private bodies should manage these web of trusts?

@asicc I have no clue how this should/could be resolved unfortunately.

People getting more familiar with the infrastructure around them would probably help, but technology goes in a direction that hides these details, hence its popularity.