Why do People Get Sucked in by Phishing Scams? They Don’t Think

I bet I post a new phishing scam warning at least once a week on Facebook — along with lots of other people — and yet, thousands of suckers (sorry for being blunt) continue to fall for them every time. Sometimes the offer is so ridiculous it baffles me why anyone would fall for it, but they do, over and over and over.

This morning I got an email from “Facebook Surveys” and the subject was, “Vote now for your opinion of Facebook features”. I have included a screen shot of the email below and as you can see, they used Facebook’s logo and style to create a very convincing email. Of course, as always, there are all kinds of clues that this is bogus, ranging from subtle to incredibly obvious.

I’m going to list all of the clues, some of which you should have been able to pick up by just looking at the screen shot but others that you can’t ascertain from a graphic.

1. Let’s start with the email subject: “Vote now for your opinion of Facebook features”. That doesn’t even make sense grammatically. Why would I vote FOR my opinion? Wouldn’t I vote WITH my opinion?

2. Facebook wants to give me a free gift for taking part in a survey and my opinion is “greatly valued”? C’mon, Facebook doesn’t ask for our opinions before they do anything, that’s why there’s so much hue and cry every time they change something.

3. From the fine print: “The advertisers in this email are not affiliated with any of the above brands.” Hmmm… the “above brands” being Facebook, I guess, but if they aren’t affiliated with Facebook, why does the survey invite look like it’s from Facebook? Oh yeah, to fool the suckers.

4. More fine print: “This is a third party advertisement sent to you by the list owner.” I guess they think that disclaimer covers them legally for using Facebook’s logo and implying that the offer was from Facebook. I’m pretty sure they didn’t get that advice from an attorney, unless he got his degree from the ACME Law School he applied to from a bubble gum wrapper.

5. Now, for the big clue and the one that the vast majority of suckers never pay attention to: the mouse over. That’s right folks, if you mouse over any link, whether it’s on a web page or in an email, you will see the actual URL that it links to. In this case, even if you hadn’t read the fine print and didn’t already know the link wasn’t going to a Facebook URL, this is the moment you would have seen that it wasn’t.

All three of the blue links in this email link to the following URL, and I didn’t hyperlink it or include the full URL on purpose.

Hello? Why would anyone, sucker or not, click a link for a Facebook survey that went to a sports betting website? Would you? Please say no so I don’t have to come over and slap you upside the head.

So, what have we learned here today? Phishing scammers are crafty, but kind of dumb, and unfortunately, the dumb part doesn’t matter, because as P.T. Barnum once said, “There’s a sucker born every minute.” Now, would you like to see a photo of a real mermaid that has the body of a monkey and the tail of a fish?

  • http://twitter.com/cpconstantine CP Constantine

    PT Barnum never said this (one of his rivals did actually).

    And as sad as it is to say: the mouseover thing doesn’t help folk without a certain level of internet familiarity – they’re just as confused by the vast number of third-party marketing providers that run the legit version of all these things, that a sports betting site is about as significant to them as “crowdfiremarketing.com” or any of the other number of “notthesiteyou’reexpecting.com” that appear in these things. Take it from a guy who’s worked in Incident Response for a long time here – stuff coming across our desk as ‘phishing attempt! OMGWTFBBQ’ was just as likely to come from our own marketing dept.