59
submitted 10 months ago by Peaces@infosec.pub to c/technology@beehaw.org

Take this quiz to find out if you can spot what’s real and what’s fake

WP gift link expires in 14 days.

top 50 comments
sorted by: hot top controversial new old
[-] ArtificialLink@yall.theatl.social 50 points 10 months ago

This quiz is dumb af. The two that weren't scams didn't give you enough info to identify if they aren't and they both just as likely to be scams? And at the end they said it was still possible for me to get scammed even though I called every single item a scam. How am i gonna get scammed if i assume they are all scams?

[-] davehtaylor@beehaw.org 13 points 10 months ago

Exactly. There was no context.

Did the person actually sign up for GeekSquad AV? They didn't say.

Does the person actually have a Facebook account? They didn't say.

Plus I always assume anything that references Facebook in an email is a scam.

It's never a bad thing to be overly cautious when it comes to this stuff

[-] dark_stang@beehaw.org 10 points 10 months ago* (last edited 10 months ago)

If you take the quiz it all you don't get a 100%. That's the real test.

[-] ArtificialLink@yall.theatl.social 6 points 10 months ago

That doesn't make sense. Don't trust Washington post either? Got it.

[-] dark_stang@beehaw.org 13 points 10 months ago

It was a joke but no, I don't trust a news organization owned by Jeff Bezos.

[-] LinkOpensChest_wav@lemmy.one 6 points 10 months ago

Honestly, I did pretty well (except the last one which I had no way of knowing was a legitimate web site -- and what the hell kind of name is that for a legitimate site anyway? But I digress...), but I would have taken steps to verify every single one of these before taking any further action. I just inherently distrust email and SMS messages.

[-] CanadaPlus@lemmy.sdf.org 4 points 10 months ago* (last edited 10 months ago)

How am i gonna get scammed if i assume they are all scams?

Because presumably you still interact with society as opposed to going full unibomber, and so you can't do that.

The two that weren’t scams didn’t give you enough info to identify if they aren’t and they both just as likely to be scams?

They were

spoilera real bank statement and a real settlement.
It'd be weird if they weren't something that applied to you but it's still not a scam, and they explain how to tell.

[-] ArtificialLink@yall.theatl.social 4 points 10 months ago* (last edited 10 months ago)

The article and quiz talk specifically about these types of vectors for scams. If i assume they are all scams there is a zero % chance i get scanned in this way. Even on the two not a scams they talked about better alternatives to ensure their authenticity which i would have done as soon as i saw any of these "scams" its just a poorly written article that just assumes any wrong answers mean you are more likely to be scammed. I understand there is no way to 100% avoid being scams especially if you just out in the world but the answer from the article is dumb.

Edit: also the censored info made it impossible to tell if it was real.

[-] CanadaPlus@lemmy.sdf.org 1 points 10 months ago

I actually did search the second one to confirm it's real, and the first is from a domain I know. I've gotten messages like the first, if I assumed they were all scams that would probably backfire.

I understand there is no way to 100% avoid being scams

That's probably the point of this. If you ace it, it calls you paranoid and then tells you you can still get scammed.

[-] confusedwiseman@beehaw.org 49 points 10 months ago

I didn’t click the link, it felt scammy. Did I pass?

[-] argv_minus_one@beehaw.org 31 points 10 months ago

Psh. That last one could easily be a scam. Maybe scammers haven't tried the fake class action settlement website angle yet, but they will, and I have no intention of being their first victim.

[-] boogetyboo@aussie.zone 10 points 10 months ago

Half the emails in my junk inbox are 'class action settlement' emails, so it's definitely an angle they're trying (presumably with some success)

[-] Rentlar@beehaw.org 2 points 10 months ago

Yeah even if the last one is not a scam, it is a scam to me, even if I knew about it. I'd go and apply on the official website rather than from the email itself.

[-] jemorgan@lemm.ee 1 points 10 months ago

Yeah, but the point is that if you open a web browser and look that settlement up, you’ll find a ton of authoritative sources that link back to that URL.

The point of this wasn’t to see if you could tell if each thing was likely to be a scam in the context that you would genuinely run into them.

If my grandma approached me with the class action website and asked if I was a scam, I’d tell her “it looks really suspicious, let’s see if we can find anything from a credible source that will link to this website.” Which is exactly what the article tells you to do. Of course nobody could just magically know if a screenshot of a webpage is scam just by looking at it.

The other options all either give you enough information in the screenshot to be able to Google a couple things and say “it’s a scam” confidently (class action, geek squad), or they’re full of super blatant red flags (Zelle bike).

[-] CanadaPlus@lemmy.sdf.org 26 points 10 months ago

Damn, I got the antivirus one wrong because it wasn't clear I didn't buy the thing in this scenario.

[-] Quatity_Control@lemm.ee 20 points 10 months ago

Yep. It relies on information not present in the example. It's intended for most people to get wrong.

Similarly the Facebook one genuinely looks like a scam unless you know of the Facebook case.

[-] outer_spec@lemmy.studio 9 points 10 months ago

It’s intended for most people to get wrong.

So what you’re saying is… …this article is a scam?

[-] Quatity_Control@lemm.ee 6 points 10 months ago

While yes, that's an accurate quip, it actually does highlight a deeper issue in the industry. If everyone passes your scam test, they don't need to buy your scam test.

Additionally, scam emails aren't 50/50 yes/no pass/fail. It's more a combination of red flags to gauge how risky the email is to click on links, reply to, download attachments from, etcetera.

Currently the scam testing industry has no way to rate an individuals ability other than how many scam emails they did or didn't click on. That is a false metric. It incites scam testers to trick people to justify their value to the customer.

load more comments (3 replies)
[-] jemorgan@lemm.ee 2 points 10 months ago* (last edited 10 months ago)

You (and half the people in this thread) are totally missing the point here.

No where does the article say that you’re supposed to be able to tell if it’s a scam or not just by looking at it. In fact, in multiple places it says that you’ve got to ~~Google~~ use a credible source to externally verify some information to determine that some of the examples are scams.

The point of the article is to teach people how to recognize scams, it would be totally useless if it imposed the constraint that you can’t look for context. If you’re actually trying to recognize scams IRL, you should be doing exactly what the article says and looking for authoritative corroboration of any information in the potential scam.

[-] Quatity_Control@lemm.ee 1 points 10 months ago

In the phishing Awareness course I wrote and sell, I do advocate to confirm that domains, phone numbers and other contact details, logos, are correct with the official website.

I don't advocate that when they receive a bill for something they know they didn't buy, they should go to Google.

And with googles current state, I could easily buy a domain and buy ads to put it at the top of search results. Googling the answer isn't actually the answer. Verifying against known legit sources is.

It's a shit test, which more than half of the people in this thread got right, yourself excepted.

[-] jemorgan@lemm.ee 2 points 10 months ago

I’m the CEO of an anti-phishing training corporation that services multiple Fortune 500 companies and has a yearly revenue of over 10m USD (I can also share unverified credentials to make myself seem more credible).

Someone could potentially build a website that makes their phishing attempt seem more credible, and maybe they could get that website ranked highly on Google (even though that is far from straightforward for a website presenting fraudulent information to do), but that’s a total red herring. The article didn’t recommend that people Google for a single random website that confirms the questionable information, the recommendation was that you should check multiple authoritative sources.

You are absolutely wrong. Not surprising that you’re (ostensibly) able to scam the technologically illiterate with such bad information, a little ironic that your scam involves getting them to think that you’re teaching them how to avoid scams.

[-] Quatity_Control@lemm.ee 1 points 10 months ago

You're just pointing out that you are overqualified for this test.

At its root, it is a TEST. Not many TESTs allow you to Google for answers and supporting information. Unless specified any TEST provides in the question the information to determine the answer. By not providing all the information and not informing you to utilise any source available to obtain extra ESSENTIAL infirmation, it's a bad test. Intended to trick you.

You and I both know if we create a test phishing email with no mistakes, it's not a failure if people click on it. It's a failure on our part for creating a BAD TEST. Same concept.

[-] jemorgan@lemm.ee 1 points 10 months ago

At its root, it is a TEST

No, at its root, this is an educational article meant to teach about recognizing internet scams. It includes a quiz designed to help you determine your natural reaction to many popular scams, along with information about best practices for how to identify them.

This differs from a test, which is designed to quantify your current knowledge on a topic. Sure, the article used a quiz as a teaching aid, but the results of the quiz aren’t the point and don’t matter. Which makes it super weird how you and others are getting so butthurt about thinking you deserved a perfect score, but we’re robbed by an unfair test.

Unless specified any TEST provides in the question the information to determine the answer

This is a foolish assumption outside of the context of academic examinations. There’s no reason to assume that’s a requirement on an online quiz, where many of the explanations of the answers specifically tell you that the best way to identify some scams is to verify information with authoritative sources.

You and I both know if we create a test phishing email with no mistakes, it's not a failure if people click on it. It's a failure on our part for creating a BAD TEST.

The best test phishing emails realistically emulate actual phishing emails. Intentionally adding errors only serves to train employees to catch bad phishing attacks. Regardless, I’m not sure what your point is, since every one of the scam examples here does contain either verifiably false information, or obvious scam indicators.

[-] Quatity_Control@lemm.ee 1 points 10 months ago

"Learn more about how to keep yourself safe by testing your instincts below and guessing whether each instance is a scam, using real-life examples."

Distinctly not saying to research online and verify information.

As for tests outside academia, such as this one, even a bone headed dunce understands tests test the knowledge and ability you have, and not what you google online. To the point that if a test allows you to use other sources, that is always specifically stated. So that normal, reasonable people do not treat it as a normal, reasonable test, and complete it with their inherent knowledge and ability. I'm sorry you missed this valuable and important life lesson in learning. Explaining in the answers that you should have known to use outside sources is exactly as I have stated; a bad test.

"The best test phishing emails realistically emulate actual phishing emails. Intentionally adding errors only serves to train employees to catch bad phishing attacks."

I'm glad as a CEO you don't actually produce any content for your company. Emulating phishing emails means including the errors that are in phishing emails. Those are the ways you train people to recognise a phishing email. If you don't include the errors then the only true verification of a genuine/phishing email is verifying with the purported sender by another communication channel. Not at all an effective policy, I'm sure you would agree.

No one's butt hurt here. Treating a genuine email with caution and wariness is inherent good phishing awareness behaviour. If you can pull your vacuous head out of your voluminous arse for a moment, you will realise that once again, this is a bad test, a bad quiz, not an effective teaching tool, and just plain old click bait. Disparaging it is an appropriate response, and a fucktard such as yourself, with your vaunted claims of related professional acumen, trying to defend it is reprehensible.

[-] jemorgan@lemm.ee 1 points 10 months ago

Not gonna read all that lol you are a goofy little guy aren’t ya.

[-] Quatity_Control@lemm.ee 1 points 10 months ago

Yeah, choose ignorance. We'll both be happier.

[-] jemorgan@lemm.ee 1 points 10 months ago

You’ve thoroughly demonstrated yourself to be entirely devoid of any real knowledge or experience in this area, and yet you’re continuing to pontificate. You’re clearly enjoying the sensation of having an audience to which you can monologue from a place of ignorance ad nauseam, and I’m depriving you of that. Trust me, you may not be intelligent enough to tell, but I’m doing you a favor. Like averting my eyes when the mentally ill transient defecates himself on the streets. He may not know it, but it’s a mercy not to observe someone in such a state.

Please, feel free to continue. And I’ll continue doing you the kindness of allowing you the uninterrupted company of the only person ignorant enough to think any of your unfounded claims are intelligent.

[-] Quatity_Control@lemm.ee 1 points 10 months ago

Indeed, by pretending to ignore what I wrote but devoting time to putting in a reply, having no basis for your mistaken assumptions and following up with insults that only relate to your own behaviour, I'm finally comfortable calling you out as unfit to be CEO of your own skid marks. Couldn't even troll your own turds.

load more comments (1 replies)
[-] ActuallyRuben@actuallyruben.nl 3 points 10 months ago

Still, who pays 419$ for an antivirus?

load more comments (2 replies)
[-] jemorgan@lemm.ee 2 points 10 months ago

The correct thing to do if you got that email would be to try to verify the information that it presents. Is Geek Squad Academy a real thing? How much does their antivirus cost?

Which is exactly what the article says to do, and what you should have done before answering the question. Of course the getting the questions right doesn’t matter, but the question and explanation are an excellent example of what they’re trying to teach.

Also, the grammar was just a little bit funky in that email. Could just be that the geek squad email writer has funky grammar, but it’s definitely a red flag that should make you want to double check the info in the email.

[-] AbidingOhmsLaw@lemmy.ml 24 points 10 months ago

Nice try, scammer.

[-] balls_expert@lemmy.blahaj.zone 22 points 10 months ago

This is not a good article

To know if an email is a scam I would check the domain of the link it's sending, which this doesn't provide

Also you shouldn't trust the sender address of an email, you can spoof that

[-] ExLisper@linux.community 18 points 10 months ago

This looks complicated. I will just DM you my account number, address and credit card details, ok?

[-] Karlos_Cantana@sopuli.xyz 11 points 10 months ago

I'm not falling for that.

[-] heyfluxay@artemis.camp 11 points 10 months ago

I just assume everything is a scam now 🫠

[-] Fafner@yiffit.net 8 points 10 months ago

If you clicked that link then, no, you are not smarter than a scammer.

[-] Erdrick@beehaw.org 7 points 10 months ago

This reminds me of the site to see if your email address had been pwned or not.
Well, if you looked yourself up, I’ve got some bad news for you….

[-] renard_roux@beehaw.org 10 points 10 months ago

You're wrong on this one, as the other comment noted.

Have I Been Pwned has a database of leaked credentials, with notes on where the data originated, when said site was hacked, etc. It is an incredibly good resource to see if any site you use has leaked your data in a breach, and how compromising that data is (legible or unsalted passwords, credit card information, etc.).

It is a tool used to react intelligently to data breaches. You input your email address, and it tells you if your email address is present in any leaked data sets. If so, you go change that password as fast as you can.

For your comment to make any sense, giving someone your email address means you've been "Pwned". I guess you don't subscribe to a lot of newsletters, then? How does entering your email address give anyone an advantage, apart from the knowledge that it exists? 🤔

The exact same feature is baked into Chrome's password manager, 1password, and many others. Does that mean that users of those services have been "Pwned"? 😐

[-] Erdrick@beehaw.org 4 points 10 months ago

I stand corrected, with thanks!

[-] renard_roux@beehaw.org 3 points 10 months ago* (last edited 10 months ago)

You're so welcome! 😃

It's one of those tools more people ought to use (like password managers), because it not only exposes real threats, it also opens your eyes to the fact that you really should be a lot more paranoid about you data than most people are.

Running my main email through it just now, this is the list of sites that have managed to lose my data. Many of these included passwords in various states of undress. These particular breaches span from 2013 to 2023. Each company name is followed by the information contained in the breach:

  • 123RF — Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames

  • 500px — Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Usernames

  • 8tracks — Email addresses, Passwords

  • Adobe — Email addresses, Password hints, Passwords, Usernames

  • Bitly — Email addresses, Passwords, Usernames

  • CafePress — Email addresses, Names, Passwords, Phone numbers, Physical addresses

  • Data Enrichment Exposure From People Data Labs — Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Social media profiles

  • Deezer — Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Names, Spoken languages, Usernames

  • Dropbox — Email addresses, Passwords

  • Gravatar — Email addresses, Names, Usernames

  • Kickstarter — Email addresses, Passwords

  • LinkedIn — Email addresses, Passwords, Education levels, Email addresses, Genders, Geographic locations, Job titles, Names, Social media profiles

  • MyFitnessPal — Email addresses, IP addresses, Passwords, Usernames

  • Plex — Email addresses, IP addresses, Passwords, Usernames

  • TheTVDB.com — Email addresses, Passwords, Usernames

  • tumblr — Email addresses, Passwords

  • Twitter — Email addresses, Names, Social media profiles, Usernames

Because I use unique passwords for everything (long time 1password user, recently switched to Bitwarden which is free and works and syncs great on/between my Mac and Android phone), I'm not particularly worried about any of these, and all the passwords have since been changed.

But look at all the other shit that's in there 😳 DOB, IP, country, usernames associated with my email, education level, gender, social media accounts, phone numbers, home address. Even if you're not paranoid, do you really want everyone with a Tor browser and a cheap VPN to have access to that shit if they want to get to know you? 🤢

That's why I wanted to point out that HIBP is one of the good guys; no need for people to get bad vibes about a tool they might actually have an interest in using 😊

[-] Erdrick@beehaw.org 2 points 10 months ago

Yeah I really called it wrong on my initial comment.
I took a look at my pwned history and it looks like we share a lot of sites.
Quite concerning and now I am at least using a password manager.
I am still on LastPass but am considering others.
It simply “works” in my case though, and I’m not sure how easy it would be to change to a new one so with them I stay.
It sucks that they made it into a “pay to play” if you want full cross platform access, but I use my gaming PC for so few sites that it isn’t a huge deal to just lock my LasPass to iOS.

[-] BCsven@lemmy.ca 5 points 10 months ago* (last edited 10 months ago)

Pwned is legit though. its just databases of breaches.

load more comments (1 replies)
[-] veloxy@lemm.ee 6 points 10 months ago

I feel like this link is a scam itself lol

[-] sibloure@beehaw.org 5 points 10 months ago

Not sure how paying for an item online using Zelle is in itself a scam. The scam would only come later if the stranger had requested your bank info, or you reply to a dodgy email, etc, but so far nothing untrustworthy had happened yet? I don't think that was a good question.

[-] marco@beehaw.org 5 points 10 months ago

Obviously one can use Zelle legitimately, but somebody requesting online payment and then sending somebody else to get the goods is like 95% a scam. I think the more common Zelle scam is that they fake a Zelle email that only looks like they paid you.

[-] mugthol@lemmy.blahaj.zone 2 points 10 months ago

I've been nearly scammed like this myself. If you sell something and somebody wants to pay you via an external site (no simple transfer) without being interested in the product, it is an extremely red flag

[-] IntentionallyAnon@lemm.ee 5 points 10 months ago

Wapo claims that the email being from official chase means it’s not a scam but scammers can spoof emails.

[-] doomkernel@sopuli.xyz 3 points 10 months ago

So every question was a scam or not quite a scam. Sure.

[-] Kolanaki@yiffit.net 1 points 10 months ago* (last edited 10 months ago)

This isn't a scam is, it? 🤔

load more comments
view more: next ›
this post was submitted on 20 Aug 2023
59 points (100.0% liked)

Technology

37213 readers
128 users here now

Rumors, happenings, and innovations in the technology sphere. If it's technological news or discussion of technology, it probably belongs here.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS