phishing in Mom terms
My mom called me earlier this week to wish me a happy birthday and to complain about spam. Mom, you see, has joined the digital age. She's got herself a laptop, she's got herself an email address. She doesn't have a blog and she's not on Twitter yet, but it could just be a matter of time. If you see the "Confessions of a Judge Judy Addict" blog in the future, you can take comfort in knowing that my mom has started blogging.
Mom is going through all of the stages of being a new email user that I've come to expect over the years. The first stage is the email forward. The jokes are all new to her, so she religiously forwards them along as well. I haven't had the heart to tell her that all of those jokes have been around since the dawn of time, and no, they really aren't from George Carlin or Jeff Foxworthy.
The second stage is replying to spam. Spam is an easy thing to understand, since it's just the same as the junk mail that ends up in her physical mailbox at home. If you call the company sending the junk mail to say “please stop”, they will. So, she reasoned, if she hit the "unsubscribe" link in the spam, she'd stop getting so much junk mail. Sigh. She's learned the hard way that doesn't work.
Now that she's mostly understood the concept of spam, we're working on the concept of phishing. She told me that she nearly got caught by a phishing scam. My parents have been talking about joining the AARP. So when she got an email last week that purported to be from the AARP, she followed the link in the email and began happily filling out the information. She only stopped when the site didn't give her an option for sending in a cheque instead of providing her credit card details.
As with spam, she's got the basic concept of phishing down, in that she understands that there are scammers out there who want her credit card details or her Social Security number. But she doesn't quite know how to identify phishing on sight, so it falls to me to explain it to her. It turns out that it's hard to do it in non-geek-speak.
So I spent most of the time on the phone explaining various ways to identify phishing websites, and trying to put it into Mom terms. Here's what I came up with:
- If the email refers to you as "valued customer", or gets your name wrong, ignore the email.
- If the first thing in the address bar is numbers, don't do it. It doesn't matter if the site that you want is later on in the address bar.
- If the website doesn't end in .com, .net, or .org, don't do it.
- Check the address bar closely and make sure it's spelled properly. There's a big difference between lvie.com and live.com. Also don't accept microsoft.somephishingsite.com for microsoft.com.
This isn't a perfect list of how to identify phish, but it's a reasonable start for my mom. Here's hoping that I don't have to get deeper into phishing identification with her ...
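For the geeks reading along, here are the three address-bar rules from the list written out as a small Python checker. This is an added example, not code from the original post; the `KNOWN_GOOD` allowlist and the sample site names are constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample allowlist: the sites Mom actually means to visit.
KNOWN_GOOD = {"live.com", "microsoft.com", "aarp.org"}
ALLOWED_TLDS = {"com", "net", "org"}

def _swapped_letters(a: str, b: str) -> bool:
    """True when a and b differ only by two adjacent letters swapped (lvie vs live)."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])

def check_url(url: str) -> list[str]:
    """Apply the post's address-bar rules; returns the reasons to stop, empty if none."""
    if "://" not in url:
        url = "http://" + url          # a bare "lvie.com" still gets a hostname
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["no website name in the address bar"]
    # Rule: the first thing in the address bar is numbers -> stop, whatever follows.
    try:
        ipaddress.ip_address(host)
        return ["address is a bare IP number, not a name"]
    except ValueError:
        pass
    reasons = []
    labels = host.split(".")
    # Rule: the site must end in .com, .net or .org.
    if labels[-1] not in ALLOWED_TLDS:
        reasons.append(f"site ends in .{labels[-1]}, not .com/.net/.org")
    registered = ".".join(labels[-2:])   # e.g. somephishingsite.com
    for good in KNOWN_GOOD:
        brand = good.split(".")[0]
        # Rule: microsoft.somephishingsite.com is not microsoft.com.
        if registered != good and brand in labels[:-2]:
            reasons.append(f"{brand} is only a subdomain of {registered}, not {good}")
        # Rule: lvie.com is not live.com.
        if registered != good and _swapped_letters(registered, good):
            reasons.append(f"{registered} looks like {good} with two letters swapped")
    return reasons
```

It is deliberately as blunt as the phone-call version: a real site on an unusual TLD gets flagged too, which is the trade-off the list already makes.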