Cory Doctorow got tricked by a phisher and shares some insight into how phishing succeeds:
Phishing isn’t (just) about finding a person who is technically naive. It’s about attacking the seemingly impregnable defenses of the technically sophisticated until you find a single, incredibly unlikely, short-lived crack in the wall.
If I hadn’t reinstalled my phone’s OS the day before. If I hadn’t been late to the cafe. If I hadn’t been primed to hear from old friends wondering if some press mention was me, having just published a lot of new work. If I hadn’t been using a browser that didn’t fully expose URLs. If I hadn’t used the same password for Twitter as I use for lots of other services. If I’d been ten minutes later to the cafe, late enough to get multiple copies of the scam at once – for the want of a nail, and so on. […]
I don’t have a solution, but at least I have a better understanding of the problem. Falling victim to a scam isn’t just a matter of not being wise to the ways of the world: it’s a matter of being caught out in a moment of distraction and of unlikely circumstance.
I got tricked by a phisher in 2004 when that specific method was first getting popular (tricking people into giving up their passwords is as old as passwords themselves, but the spam ’n’ spoof strategy now known as phishing seems to have started around then).
I was tricked by a PayPal phisher – I’d been having problems with my PayPal account and I got an e-mail that purported to be from PayPal urging me to log in. The URL was something like “paypalcustomerservice.com” and the site looked just like PayPal’s. Lucky for me, I accidentally typed the wrong password and realized it just as I was hitting enter. When I saw that I was logged into the site anyway, I realized that I’d been phished. I was lucky because the phishers only got a wrong password out of me, but I can see how even very savvy people can get fooled.