Phish with no smell

We’re catching a better class of Phish.

I’ll be honest: this one was detected by a machine, not a human. (It was flagged as possible spam by a mail server, but still delivered.) This example was –

  • Plausible because it very accurately mimics the email and website of a legitimate, trustworthy organisation.
  • Confirmed as fraudulent because the Reply address, buttons and links point to salvationarmyeast.com, which is not the usual domain of the real Salvation Army and does not have a website. (Right-click a button and read the domain after the @ or the https://.)
  • Risky because attempting to donate may lead you to disclose credentials, identity and/or financial details which could be cross-referenced with data harvested in other scams.

[Figure: Sample phishing message]

Unreasonable lengths

What would it take to avoid this trap?

  1. Be skeptical of the first message – or any unusual message – from everyone.
  2. Get contact details from a more trustworthy source: a mutual contact is good, but Google is better than nothing.
  3. Whitelist the trusted contact details, and block unverified senders that look similar.
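The domain check and the whitelist rule above can also be done by a script. This is an added example, not part of the original post: the message is constructed, `salvationarmy.example` is a placeholder for whichever domain you verified through an independent source, and the function names and the 0.8 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Placeholder: the domain you confirmed via a trusted source (step 2).
TRUSTED = {"salvationarmy.example"}

# Constructed sample message; only salvationarmyeast.com comes from the post.
SAMPLE = """\
From: Salvation Army <appeals@salvationarmy.example>
Reply-To: donations@salvationarmyeast.com
Subject: Winter appeal
Content-Type: text/html; charset=utf-8

<p>Please give today.</p>
<a href="https://salvationarmyeast.com/donate">Donate now</a>
<a href="https://www.salvationarmy.example/about">About us</a>
"""

def classify(host):
    """Return 'trusted', 'lookalike' or 'unverified' for one hostname."""
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    for t in TRUSTED:
        brand = t.split(".")[0]  # assumption: first label is the brand name
        for label in host.split("."):
            # Brand embedded in a longer label, or a near-identical spelling.
            if brand in label or SequenceMatcher(None, brand, label).ratio() >= 0.8:
                return "lookalike"
    return "unverified"

def audit(raw):
    """Collect every domain in From, Reply-To and links, then classify each."""
    msg = message_from_string(raw)
    hosts = set()
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            hosts.add(addr.rsplit("@", 1)[1])
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in re.findall(r'href="([^"]+)"', body, flags=re.I):
        if urlsplit(url).hostname:
            hosts.add(urlsplit(url).hostname)
    return {h: classify(h) for h in sorted(hosts)}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{verdict:10} {host}")
```

Anything reported as "lookalike" is a candidate for the block list in step 3; "unverified" domains still need the independent check in step 2.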

But this mindset is not discriminating enough for school. While a student probably could use these rules, they are impractical for anyone who needs new customers – most small businesses and freelancers. To equip students for entry to an increasingly casualised workforce, we need to better understand and convey how trust can be established between strangers.
