Of all the types of spam that make use of deception (i.e., all of them), the most damaging are phishing messages. A phishing message is one in which a spammer impersonates a legitimate entity -- a form of reputation hijacking -- in an attempt to trick the user into giving up personal information such as banking details. The phisher then uses that information to steal money from the victim.
So how do you recognize a phish? Microsoft has a good description of this. Below is a screenshot of a sample message:
A good phish (and even a bad one) takes the form:
So does phishing work? Research (that I am sure I have seen somewhere) shows that these types of scams cost consumers millions of dollars each year. So yes, it does work. But why does it work?
I don't know for certain, but I have theories. Research shows that we, as people, can detect real smiles from fake smiles, but most of us choose not to because we like to think that smiles are genuine and that people really are happy in their interactions with us. I don't think that phishing has that same problem.
My guess is that if a phisher sends several thousand messages to people, perhaps 5% of them will go to people who actually have an account at that bank. Thus, for 95% of us, it's a waste of time. But for the 5% of us whom it actually hits, it preys on people's fears. Fear is an innate human emotion (see Ekman, Unmasking the Face, 2003). When emotions get involved, people don't always act rationally (for an example, see the Incredible Hulk). So, by invoking the fear response with the threat of their account being shut down, people can be tricked into doing something that they wouldn't otherwise do. While we can all say "Oh, I wouldn't have been fooled by that," the fact is that under other circumstances, where you are put under psychological pressure, you might do something that you wouldn't otherwise do.
Of course, the more people get wise to these tactics, the less they actually will work in real life. In the meantime, it's up to the anti-spam crusaders to keep this stuff out of people's inboxes.
I've seen a lot of phishing emails that didn't target financial institutions. Most notably, there seems to be an entire sub-racket aimed at stealing domain name registrations.
The fact that idiots like GoDaddy send out legitimate emails that smell like phish in every respect (including the dead-obvious 'no mention of this problem on my account page' one) just makes the problem worse.