Why phishing works
Phishing, the practice of extracting credentials or other sensitive information from users by impersonating a known and trusted source, remains surprisingly effective despite the efforts of numerous organisations (banks in particular) to educate their users about it. Recently the University of Manchester, where I’ve been a student for nearly five years, was hit by a barrage of emails purporting to come from IT Services (the department which runs most of the University’s email, amongst other things) and asking students and staff to reply with their username and password. Unbelievably for an organisation which supposedly consists of intelligent people working towards one of the highest qualifications in the country, more than seventy people replied with their login details. Those seventy-odd accounts were enough: millions of spam messages were sent through them, and some major mail providers, including Hotmail, responded by blocking all incoming mail from manchester.ac.uk addresses and their subdomains, so the cost of a handful of careless replies was borne by everyone at the University.
Phishing relies on the fact that the attacker doesn’t need most recipients to fall for it. It doesn’t matter if only one in ten thousand people are completely lacking in common sense (given the University’s size, the rate here was probably more like one in five thousand): spam enough of them and you’ll eventually get some hits, and a handful of hits is all it takes. It amazes me that people still fall for this trick, because to me it seems painfully obvious that a bank would never ask for information such as your PIN, and the same goes for an IT department and your password, but it would appear that the message has still not got through to everyone.