Hacker News

I'm not even going to get to the point of wondering whether every component is faked or not, since my thought process will stop at "I'm not going to ever enter credentials into a site I got to from a random link in an email". Which seems to me to be a far better policy than trying to figure out whether a particular site I got to from a random link in an email is faked or not.


Nobody is demanding you do. But if you go around claiming people "got phished", then you should be sure.

I've also entered fake credentials into a clearly faked login form to see what'd happen. Would it redirect me to the right site? Just claim the information was wrong? Send me to a mock up of the intranet I was trying to access? You can call it bad policy if you want (although you don't know about my precautions), but it doesn't mean I was phished.


What it does mean, though, is the person who sent the email now knows, at the minimum:

1. Someone receives and reads the email sent to this email address.

2. That person is willing to enter data into a form.

These are 2 pieces of information the person didn’t have before, and they can be used in further phishing attempts in a variety of ways.

It doesn’t mean you were fooled, but that’s only half the story.
