09 Sep 60 Percent Of Consumers Flunk Phishing Exam At New York’s Largest Shopping Mall
What people (don’t) know about cyber scams… and what to do about it
– Ruth Bashinsky, Senior Editor
Northport, N.Y. – Sep. 9, 2019
I have a confession to make.
Thirty-four days ago I didn’t know what phishing meant.
I do now.
Phishing is a scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly, according to the Merriam-Webster dictionary.
The email you get may seem familiar and trustworthy, but it is not. Typically, the sender is asking for your personal information such as a name, birth date, Social Security number, or credit card details. The scammer is in it for monetary gain, but in some extreme cases your bank account can be wiped out and your identity stolen.
Phishing attacks are a serious cybercrime. Every day there’s news of another hospital, financial institution, university, or other type of organization targeted. A multitude of sources state that around 90 percent of hacks and data breaches stem from phishing.
Over the past month, in my new role as senior editor of Cybercrime Magazine, I’ve immersed myself into the dark side of cyber. After learning what a phishing scam is, I was curious to learn how much of the general public knows.
And, so I found out.
I traveled to the Roosevelt Field Mall in Garden City (on Long Island), N.Y. with a plan to give everyone I meet a two-question phishing exam. The first question is:
Do you know what a phishing scam is? And, if the answer is Yes, then I ask: “What is it?” If their response sounds similar to the dictionary, they pass. If their answer is vague or they don’t know, they fail.
For me, Roosevelt Field (as the locals refer to it) was the ideal testing location. For one, it is the largest shopping mall in the state and draws people of various ages, occupations, and socio-economic backgrounds.
Plus, who doesn’t like going to the mall? It’s a happy place for so many, particularly my teenagers who love to shop and decided last minute they wanted to tag along. Not to help their mom but to go shopping with my credit card. A scenario many parents can relate too. (And yes, I gave them a budget.)
I was in work mode, so before they took off, I made sure to ask them if they knew what a phishing scam is. Unfortunately, they did not. I guess there are no surprises here.
The mall was buzzing. Shoppers young and old rushing around enjoying the end-of-season sales; frazzled moms on the hunt for back-to-school items; packs of kids enjoying the last days of summer and a handful of people just waiting around.
One of them was Arthur. The seventy-year-old retired music teacher was like many cooperative husbands on standby as their wives shopped.
I happened to be sitting on the bench next to Arthur, who glanced at my notes and asked if I was going for a job interview. I smiled and asked if he’d like to take a phishing exam from Cybercrime Magazine, and he was hooked.
“Phishing is when someone online tries to get your information and make purchases with your credit card or tries to get your Social Security number and open bank accounts with your numbers and your information.”
He was on a roll answering the questions when suddenly his phone rang.
It was his wife.
Appearing as if he gets interviewed all the time, Arthur responded before taking the call and signing off, “If something sounds good, ask yourself, ‘Is it really good?’”
Thanks, Arthur. Duly noted.
On the upper level of the mall, thirty-two-year-old Dianne was walking with her three-year-old daughter when I approached her.
As soon as she mentioned that she was having her baby in two weeks but looked as if she could go into labor any minute, (I never delivered a baby before. Breathe Ruth breathe.) I suggested we go over to the sitting area.
It took no time before I realized that Dianne, who explained that she’s never experienced a phishing attack but has friends who have gotten emails that were not legitimate, is that cyber-savvy mom.
“I’m a teacher so I am cautious about what I do on the Internet and the phone,” she says. “I get a lot of scam calls like when the IRS called and wanted my information. The last time that happened I reported it to the IRS.”
Sixteen-year-old Christopher is just as careful and says he watches videos to stay one step ahead of the scammers.
“There are tons of videos online that teach you what’s what. I have watched videos to help me not get scammed because people are always trying new methods,” he says.
He explains that some of his friends have gotten some of their online items stolen with their video game accounts.
“You have to be careful on certain websites. There are trading communities online and a lot of scammers around. People my age need to educate themselves and avoid sketchy places online.”
After hours of meeting different people ranging in age from 10 years old through 88, with various occupations ranging from a nurse, a wine taster, and a welder to a business owner, cupcake seller, barber and dentist, it was time to tally the results.
Drum roll, please.
Of the 108 respondents, the majority did not know what a phishing scam is. 66 people failed and 44 passed. And, there was a mixed reaction that included laughter, bewilderment, and confusion. Feeling like a race at times, the males were neck and neck: 21 passed and 23 failed. With a more significant disparity with the females: 23 passed and 41 failed.
The outcome we discovered is that not everyone is an Arthur, a Dianne or a Christopher. And that is okay. Our exam did validate the need for greater cyber awareness.
To further our research, we had a few people take an online phishing quiz developed by Google. The questionnaire is comprised of eight questions that require no registration, and all a person has to do is enter their name and email address (it’s not a phishing scam, I promise).
Twenty-six-year-old Christen, a sales associate at Bloomingdale’s, who was on a work break, was eager to participate after confirming that she is very familiar with phishing.
“Part of my job training was taking a phishing exam,” she says. “These cybercriminals try and suck you in. I have not been scammed, but have heard co-workers and friends who have.”
Pulling up the link on her phone, she reads the first question out loud and stares at the two choices: A. Phishing. B. Legitimate.
Clicking the button, she says with certainty, “Phishing.”
The word “Correct” pops up, and a smile appears.
Moving closer to the screen, Christen bites down on her lip. “Mmmm. This one I am not sure about.”
She selects her answer, and then the word “Incorrect” appears.
“Oh, it’s not!” she says, surprised before showing her final score: a five out of eight. Five answers correct and three incorrect.
“I think I did decent, but I thought I would do better,” she admits. “You have to be very strategic when you’re looking through those emails and make sure it’s from a legitimate organization and that you just don’t click on things you don’t know.”
Last stop of the day: The Body Shop.
The Oriental scent with hints of jasmine was enough to lure me in. Looking at all the sweet and musky fragrance, body mists, and handcrafted soaps on display, I wanted to try them all but knew the phishing quiz came first.
Gillian, the Body Shop beauty manager, was happy to participate and up for the challenge.
After signing into the link, she took her time answering the questions. Reading a few of them out loud, some of her emotions began to unfold from frustration and surprise to wonder and concern.
“Now I am getting nervous,” she says while staring at the last question on the screen, “Is it right, or is it not right?”
I could even feel the tension in the air. That ended once she clicked on the answer.
Her total score: A five out of eight. Five correct. Three incorrect.
“Good effort, Gillian,” she says out loud before sharing her observations.
“You second guess yourself. Some do look legitimate. You have to be a detective. Next time, I will get an eight out of eight hopefully.”
That’s the spirit, Gillian.
One of my big takeaways is that people are eager to learn and share what they know about phishing and cybercrime. They want to protect themselves and help others.
Arthur and I are phishing buddies now. Or maybe I should say fishing. A couple of weeks after meeting him at the mall, we spoke again. He had just returned from a trip to Costa Rica, where he caught a really big mahi-mahi, and a yellowfin.
Stay tuned for a report on our next phishing trip – to Citi Field, home of the New York Mets. Cybercrime Magazine will be at 12 venues over the next year, and tallying the numbers for our readers.
– Ruth Bashinsky is the Senior Editor at Cybercrime Magazine.