We’re catching a better class of Phish.
I’ll be honest: this one was detected by a machine, not a human. (It was flagged as possible spam by a mail server, but still delivered.) This example was:
- Plausible because it very accurately mimics the email and website of a legitimate, trustworthy organisation.
- Confirmed as fraudulent because the Reply address, buttons and links point to salvationarmyeast.com, which is not the usual domain of the real Salvation Army and does not have a website. (Right-click a button and read the domain after the @ or the https://.)
- Risky because attempting to donate may lead you to disclose credentials, identity and/or financial details which could be cross-referenced with data harvested in other scams.
Unreasonable lengths
What would it take to avoid this trap?
- Be skeptical of the first message – or any unusual message – from everyone.
- Get contact details from a more trustworthy source: a mutual contact is good, but Google is better than nothing.
- Whitelist the trusted contact details, and block unverified senders that look similar.
But this mindset is not discriminating enough for school. While a student probably could use these rules, they are impractical for anyone who needs new customers – most small businesses and freelancers. To equip students for entry to an increasingly casualised workforce, we need to better understand and convey how trust can be established between strangers.
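The manual check used on this Phish (read the domain behind the Reply address and each link) and the allowlist-and-block rule from the list above can be combined in a few lines; this is an added example, not part of the original post. The allowlist entry `salvationarmy.example` is a placeholder assumption, the sample message is constructed, and the 0.8 similarity threshold is an arbitrary choice.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: allowlist built by hand from contact details obtained via a trusted
# source. "salvationarmy.example" is a placeholder, not the charity's real domain.
TRUSTED = {"salvationarmy.example"}

# Constructed sample message, modelled on the email described above.
SAMPLE = """\
From: Salvation Army <appeals@salvationarmy.example>
Reply-To: donations@salvationarmyeast.com
Subject: Winter appeal
Content-Type: text/html

<a href="https://salvationarmyeast.com/donate">Donate now</a>
<a href="https://www.salvationarmy.example/about">About us</a>
"""

def domains_in(raw):
    """Collect the domains behind From, Reply-To and every link target."""
    msg = message_from_string(raw)
    found = set()
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            found.add(addr.rsplit("@", 1)[1].lower())
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = urlsplit(url).hostname
        if host:
            found.add(host.lower())
    return found

def classify(domain, trusted=TRUSTED, threshold=0.8):
    """Return 'trusted', 'lookalike' (block) or 'unverified' (verify first)."""
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    for label in domain.split("."):
        for name in (t.split(".")[0] for t in trusted):
            ratio = difflib.SequenceMatcher(None, label, name).ratio()
            # Trusted name embedded in a label, or a near-identical spelling.
            if name in label or ratio >= threshold:
                return "lookalike"
    return "unverified"

def triage(raw):
    """Map each domain found in the message to its classification."""
    return {d: classify(d) for d in sorted(domains_in(raw))}
```

Anything classified `unverified` is the case the closing paragraph is about: a stranger who is neither on the list nor imitating someone on it.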