Phishing emails have gotten so convincing that even the experts can be taken in by a well-crafted fake.
That's what executives at Intel Security discovered when they circulated a version of their Email Phishing Quiz to 100 attendees at the RSA Internet security conference earlier this year.
The quiz displayed 10 real emails collected by analysts at McAfee Labs -- some of which were legitimate correspondence from major companies, and some of which were phishing emails that looked remarkably believable -- and asked: real or ruse?
"Even if you're a security professional, it's hard to just look at these emails and say whether they're phishing or not. Every single one looks like a good email," said Gary Davis, vice president of global consumer marketing (a.k.a. Chief Consumer Security Evangelist) for McAfee, which is part of Intel Security.
On average, industry insiders were only able to pick out two-thirds of the fakes. A slim six percent of quiz-takers got all the questions right, and 17 percent got half or more wrong. Remember, this is their job.
(Would you fare any better? Take the quiz below to find out.)
Though email scams are a year-round concern, hackers ramp up their efforts around the holidays when anxious shoppers are furiously filling their shopping carts and wading through a sea of digital receipts, confirmations and shipping updates.
"Consumers are very distracted this time of year. They're rushed, they're clicking like crazy, getting notification emails from retailers and shipping confirmations. A good percentage of those are going to be phishing emails," Davis told CBS News.
Hackers use phishing emails to get you to click through to sites they control, built to harvest sensitive information. The pages mimic a real company's login or checkout form, and you type in your name, address, username and password, or credit card number yourself. Or simply visiting the link can load malware onto your device so the attackers can take that information directly.
What makes phishing so insidious -- and effective -- is that scammers design their emails to look just like the ones you get from stores, banks, even friends and family. It can be difficult to tell a legitimate message from a dangerous decoy even when you're on high alert. And let's face it, it's hard to stay on high alert when you're focused on whether your gifts will make it in time for the holidays.
There are a few common things that can expose a fake email: misspellings, poor formatting, or odd-looking sender addresses and URLs can quickly tip you off that something is amiss.
Unfortunately, hackers are getting increasingly sophisticated. They are not only more careful about making the message itself look right, but can also register look-alike domains, put a trusted brand in the sender's display name, and make a link's visible text differ from where it actually leads, so that an address or link passes even a careful glance.
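As an added example (not part of the article or of Intel Security's quiz), the following Python script applies three of the tells just described to a raw email message: a brand name in the sender's display name whose actual address domain is not that brand's, a punycode (xn--) hostname in a link that hides look-alike characters, and link text that shows one site while the href points somewhere else. The two sample messages, the brand-to-domain table and all function names are constructed for this example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand name -> domains that brand really sends from. Constructed for this
# example (assumed, not from the article); a real deployment maintains its own.
KNOWN_BRANDS = {"ups": {"ups.com"}, "bestbuy": {"bestbuy.com"}}

# Constructed sample "shipping update" phish (not a real message).
PHISH = b"""From: "UPS Shipping" <notifications@ups-delivery-status.example>
To: shopper@example.org
Subject: Your package could not be delivered
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your package is waiting. Confirm your address:</p>
<p><a href="http://xn--pple-43d.example/track">https://www.ups.com/track</a></p>
<p><a href="https://www.ups.com/help">Help</a></p>
</body></html>
"""

# Constructed legitimate counterpart: display name, domain and links agree.
CLEAN = b"""From: "UPS" <noreply@ups.com>
To: shopper@example.org
Subject: Your package has shipped
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.ups.com/track">Track your package</a></p></body></html>
"""

# Anchor text that itself looks like a URL or hostname, e.g. "www.ups.com/track".
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname, a rough stand-in for the registrable
    domain. Fine for .com-style names; real code would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def decode_host(host):
    """Render punycode labels (xn--...) as Unicode so look-alike characters become
    visible: 'xn--pple-43d.example' is 'apple.example' with a Cyrillic first letter."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def check_message(raw):
    """Return a list of human-readable findings; an empty list means no tell was found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Tell 1: the display name drops a brand, but the address domain is not that brand's.
    sender = msg["From"].addresses[0]
    compact_name = sender.display_name.lower().replace(" ", "")
    for brand, domains in KNOWN_BRANDS.items():
        if brand in compact_name and registrable(sender.domain) not in domains:
            findings.append(
                f"display name suggests {brand} but sender domain is {sender.domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkExtractor()
    parser.feed(body.get_content())

    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Tell 2: an internationalised hostname that may be a homoglyph of a real one.
        shown = decode_host(host)
        if shown != host:
            findings.append(f"punycode host {host} renders as {shown!r}")
        # Tell 3: the visible link text names one site, the href goes to another.
        if URL_LIKE.fullmatch(text):
            text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
            if registrable(text_host) != registrable(host):
                findings.append(f"link text shows {text_host} but points to {host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(name, check_message(raw) or ["no tells found"])
```

Run stand-alone, the script reports three findings for the constructed phish and none for the clean message. The checks are heuristics, not proof: the two-label approximation of a registrable domain misfires on suffixes like co.uk, and an attacker who registers a plausible domain and uses plain ASCII throughout passes all three, which is exactly why the article's advice to verify through the retailer's own site still applies.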
"A couple years ago it was like shooting fish in a barrel," Davis said. "But hackers are constantly evolving their techniques to keep themselves as under the radar as possible."
With no hard and fast rule to go on, spotting a scam is, Davis admitted, "about the subtleties of it." Would your friend really send you an email like this? Would Best Buy really be selling iPhones for half off? "You have to take that extra second," he said, and ask: Does this smell phishy?
"If it comes from a friend, ask them if they sent it. If it's from Best Buy, go to the website and search for Apple iPhone offers."
To feel confident that you're not falling for fancy tricks, you could make it a rule to never click a link in an email -- ever.
"It's sad but that's literally the case," said Davis.
Think you've got what it takes to catch a phish? Take Intel Security's quiz here: