QUIZ: Can You Tell Legitimate Emails from Phishing Scams?
Email scams are harder to detect than people think, researchers find.
Can you tell the difference between an email that was genuinely meant for you and a scam meant to trick you into clicking a nefarious link or downloading a dangerous attachment?
According to a new study published in the academic journal Human Factors by researchers Casey Inez Canfield, Baruch Fischhoff and Alex Davis at Carnegie Mellon University, the average person struggles to identify the differences between legitimate emails and phishing scams.
Phishing is the practice of tricking internet users into unwittingly sharing user names, passwords, bank account information and other sensitive material, typically by means of misleading emails. Many of these attempts are caught by common junk mail filters, but others make it through this defense.
"Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems," Canfield said in a press release.
Take the authors' quiz to test your ability to detect phishing scams.
The study's participants were shown a series of 38 sample emails, some of which were phishing scams, while others were innocuous. On average, people could only identify the phishing emails about half the time.
Here's an example of a phishing email this reporter received, purportedly from PayPal:

If I were to follow the link and enter my personal information, identity thieves could use it to profit off my gullibility while wreaking havoc on my life.
But there are clues that this email is not legitimate, and certainly not from PayPal. First, it came to my work email, which I have never connected to the online payments company. Most importantly, by checking the sender's address, I can see that it came from cservicesz@banggood.com — which is clearly not a PayPal address. Finally, if you look at the fine print at the bottom of the email, the phone number listed is not formatted correctly.
Be warned, though: some scammers may be more convincing.
Do you think you can tell the difference? The authors of the study created a brief online quiz to test whether users can distinguish real emails from phishing scams. It's harder than you think.
"Some users were able to identify a vast majority of the phishing emails, but only because they were biased to think everything was a phishing attack," Canfield said of the study participants. "So they didn't necessarily have a high ability to tell the difference between phishing and legitimate emails."
If you think you have no problem telling the difference, be warned: Participants confident in their ability to differentiate the real emails from the scams did not always have the best success rates.
"When making decisions about phishing emails, people were more cautious when they were unconfident and perceived very negative consequences of opening a phishing email," Canfield noted. "Unfortunately, they were often overconfident so they would still fall for phishing attacks."
However, even if they wouldn't say they believed a given email was a scam, many of the participants were still cautious enough to avoid clicking on it, just in case. They avoided clicking on around 75 percent of the phishing links. This caution in the study is a good sign, suggesting people may be informed enough to avoid scams, even if they end up being unnecessarily cautious around emails from friendly senders.
The authors believe it's best to stress the dangers of phishing attacks in public information campaigns, because the people who were more aware of the potential negative consequences of becoming a victim were more likely to operate with extra caution.
What are some techniques for detecting phishing scams? The following tips can help:
- Avoid responding to or clicking links from a sender you don't know, especially if it's a business you don't already have a relationship with.
- Double-check the sender's address and confirm that it matches the organization they say they're with. Many government agencies will have .gov web addresses; be suspicious of anyone claiming to be from the government without an official address.
- Anti-virus and anti-malware software can be very useful in preventing some phishing attempts.
- Do a web search of any company that contacts you if you're unfamiliar with it. Check to see if other people have reported scams under that name. Some scammers will refer to official-sounding institutions such as "TrustedBank," which do not exist.
- If you suspect an email from a company or agency might be illicit or unauthorized, call the company on the phone to verify the message's authenticity.
- If you are the victim of a phishing attack, you can report it here.
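As an added illustration (not part of the article or the study), here is a small check that automates the two clues the reporter used on the PayPal email above and the sender-address tip in the list: it compares the brand named in the From display name against the domain the mail actually came from, and flags a malformed phone number in the footer. The brand-to-domain table and the sample message are constructed assumptions.

```python
"""Checks for the two clues the article calls out in its PayPal example: the
display name claims a brand the sender's domain does not belong to, and the
phone number in the fine print is malformed.  Added example, not from the
article or the study; BRAND_DOMAINS and SAMPLE are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumed: brands as written in display names -> domains they really mail from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}
# Well-formed North American number: optional leading 1, then 3-3-4 digits.
PHONE_OK = re.compile(r"^(\+?1[ -]?)?(\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}$")
# Candidate numbers: text shortly after "phone"/"call" that ends in a digit.
PHONE_CANDIDATE = re.compile(r"(?i)(?:phone|call)[^\d+(]{0,20}([+(\d][\d() .+-]{6,}\d)")

def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From header (empty if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def brand_claimed(from_header: str) -> Optional[str]:
    """Known brand named in the display name, or None."""
    name, _ = parseaddr(from_header)
    return next((b for b in BRAND_DOMAINS if b in name.lower()), None)

def check_message(raw: str) -> List[str]:
    """Return warnings for one raw message; an empty list means no clue found."""
    msg = message_from_string(raw)
    frm = msg.get("From", "")
    findings = []
    brand, domain = brand_claimed(frm), sender_domain(frm)
    if brand and domain not in BRAND_DOMAINS[brand]:
        findings.append(f"display name claims {brand} but mail is from {domain}")
    for m in PHONE_CANDIDATE.finditer(msg.get_payload()):
        if not PHONE_OK.match(m.group(1)):
            findings.append(f"phone number looks malformed: {m.group(1)}")
    return findings

# Constructed sample modelled on the article's description, not the real mail.
SAMPLE = """From: "PayPal Customer Service" <cservicesz@banggood.com>
Subject: Your account has been limited

Please confirm your information at the link below.
Questions? Call 1-800-12-3456789 for help.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("WARNING:", finding)
```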
For more information about phishing and how to protect yourself, visit the U.S. Securities and Exchange Commission's website.
Photo credit: Marcie Casas via Flickr