
@rtwx Actually it's the fact that lots of people (of all ages!) don't really know how URLs are structured and which parts are relevant for authenticity which causes them to fall for these scams.
They see the "microsoft-support" at the start of the URL and the visuals of the page and they think it's really a Microsoft page.
I've spent three years on scientific research in this exact area, so if you want links to some research on this, let me know.

@colomar
Absolutely correct. I'd go further and say most (non-techie) people don't understand URLs.

In a similar way, email addresses aren't understood. I have a spam reduction procedure whereby I create a unique email address for every organisation that I communicate with, in the form: [company]@mydomain.com
Staff representatives frequently question me as to how I got that email address. They think I have some formal relationship with the company.

No wonder scam emails still work.

@rtwx

@fitheach Absolutely. With emails it's even more tricky because nobody except for the most technology-versed people knows that - at least without SPF - spoofing a sender address is trivial, so even if the domain of the sender address is perfectly fine, that still does not mean anything.

There is still a whole lot of knowledge to be spread - and UIs to be improved! - to allow "normal" users to detect attacks like that. These issues have been known for years, yet little is done to fix them.
@rtwx
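The SPF point above is worth seeing in code. The following is an added example, not posted by anyone in this thread: a minimal offline evaluator for the `ip4`, `ip6` and `all` mechanisms of an SPF record, run against constructed records for fictional domains (`example.com`, `softfail.example`, `nospf.example` are assumptions, not real DNS data). The `include`, `a`, `mx` and `exists` mechanisms need DNS lookups and are treated as non-matching here. The last case is the one the post is about: with no record published, the receiving server has nothing to compare the sender's IP against and the result is `none`, so the domain in the From address proves nothing.

```python
import ipaddress

# Constructed sample SPF TXT records for fictional domains (assumption, not real DNS).
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,  # domain publishes no SPF policy at all
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        qualifier = "+"  # default qualifier when none is written
        if tok[0] in QUALIFIERS:
            qualifier, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def spf_check(sender_ip, domain, records=SAMPLE_RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of `domain`'s SPF record for `sender_ip`.

    Returns one of: "none", "pass", "fail", "softfail", "neutral".
    """
    record = records.get(domain)
    if record is None:
        return "none"  # no policy published: any host may claim this domain
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        # include/a/mx/exists would need DNS; treated as no-match in this offline example
    return "neutral"


if __name__ == "__main__":
    for sender, domain in [("192.0.2.77", "example.com"),
                           ("203.0.113.5", "example.com"),
                           ("203.0.113.5", "softfail.example"),
                           ("203.0.113.5", "nospf.example")]:
        print(f"{sender:>14} claiming {domain:<18} -> {spf_check(sender, domain)}")
```

Note the difference between `fail` (the domain owner said "no other hosts") and `softfail`/`neutral`, which most receivers only use as a scoring input; a sender's domain looking right is never a verdict on its own.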

@colomar
[no research opinion 😉]

Years of browsers hiding parts of the URL and email clients showing a display name, not the actual address, are part of the problem.

@rtwx

@fitheach It's worst when it comes to links in emails. Many web email clients wrap links in emails into referrer URLs, which results in the actual target URL being somewhere towards the end of a loooong URL where nobody ever looks for it. Worse still, many popular desktop email clients don't even show the URL when hovering over links at all!
From a usable security perspective, that is the absolute worst-case scenario, it's as if they actively want to help phishers and scammers.
@rtwx
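Two things in this thread can be checked mechanically: which part of a URL actually decides who you are talking to (the "microsoft-support at the start of the URL" problem from the first post), and where a webmail-style wrapper link really points (the "target somewhere towards the end of a loooong URL" problem above). The following is an added example, not code from any poster: it unwraps a link whose query string carries an absolute URL and then reports the host and registrable domain of the final target. All URLs below are constructed with reserved example domains; the two-label `registrable_domain` helper is a deliberate simplification (real tooling consults the Public Suffix List).

```python
from urllib.parse import urlparse, parse_qs


def final_target(url, max_hops=5):
    """Follow wrapper links of the kind webmail clients produce.

    If any query parameter holds an absolute http(s) URL, that embedded URL is
    taken as the real target; repeat in case wrappers are nested.
    """
    current = url
    for _ in range(max_hops):
        params = parse_qs(urlparse(current).query)  # parse_qs already percent-decodes
        embedded = [v for values in params.values() for v in values
                    if v.lower().startswith(("http://", "https://"))]
        if not embedded:
            return current
        current = embedded[0]
    return current


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for this example only: production code must use the Public
    Suffix List (e.g. 'example.co.uk' has three labels).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_link(url):
    """Return the final target plus the host and domain that actually answer it."""
    target = final_target(url)
    host = urlparse(target).hostname or ""
    return {"target": target, "host": host, "domain": registrable_domain(host)}


# Constructed sample links (example domains only).
SAMPLE_LINKS = [
    "https://www.microsoft.com/en-us/",                         # brand in the domain
    "https://microsoft-support.example.net/account/verify",     # brand in a subdomain
    "https://example.net/microsoft-support/login",              # brand in the path
    "https://mail.example.com/redirect?source=newsletter"
    "&url=https%3A%2F%2Fmicrosoft-support.example.net%2Fverify",  # wrapped link
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        info = inspect_link(link)
        print(f"{info['domain']:<18} host={info['host']:<32} <- {link}")
```

The output makes the point of the thread visible: three of the four links contain the word "microsoft", but only the first is answered by `microsoft.com`; the other three all resolve to `example.net`, and the wrapped one only reveals that after the redirect parameter is decoded.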

@colomar
> many popular desktop email clients don't even show the URL

Name and shame.

@rtwx

Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.