Can you recognize a phish when you see it?

A phish is a phish. We think we know one when we see one, and we wonder how people get away with such obvious attempts. I mean, come on! Sending me an email designed to look like it’s from Paypal, asking me to log into my account–but the URL you’re sending me to is from Russia. Not today, pal. Better luck next time.

But they do get away with it, and they do fool people. Apparently, a fairly high percentage. A recent survey showed that a shocking number of Web users can’t identify different types of phishing. The survey asked over 1,000 respondents to identify fraudulent phishing sites, by showing two Web sites side by side. One of the sites had obvious give-aways, and the other was legitimate–but a shocking number of people couldn’t tell the difference. Eighty-eight percent were fooled by a web site with obvious spelling errors. Sixty-eight percent were fooled by a bogus Web site that didn’t have the characteristic padlock symbol common to sites using the https protocol, and 42 percent were fooled by sites that had strange numerical domain names, and 33 percent were fooled by sites that asked for account information that should not be necessary.

Another surprising statistic, and one that is somewhat embarrassing for us Yanks, is that out of the seven countries included (US, Germany, Sweden, Australia, India, Denmark, and UK), the US respondents were least likely to identify the give-away signs that should tell you you’re at a phishing site.