[marbletiles]

Spotting a phishing form only seems like "basic instruction" to you because you're highly computer-literate. It's not; it involves understanding at least some of DNS and the difference between hosts, domains and TLDs, URLs, HTTPS, and not to mention certificates and their validity.

In your analogy, it's like saying "people shouldn't be allowed to use cars unless they can verify the hydraulic pressure in the master brake cylinder"

Which is wrong: manufacturers should (and did) install brakes warning lights. And we need to come up with better warnings for users. Blaming them for these sorts of problems is unacceptable.

[thomaslangston]

How to spot a phishing form:

1) Did you click a link from an email? 2) Does the page it redirect you to ask for your login info?

You may have received a phishing email. Are either true?

1) You expected this email because you were notified about it from another source e.g. website, support staff. 2) If you login to the website not via the suspicious link, the linked web page does not ask for your login.

If you answered yes, you probably don't have a phishing email.

[marbletiles]

"Login to the website not via the suspicious link" requires understanding what URLs are, how to isolate which part is "the website", how to edit them and how to enter them. The amount of people Googling for "log into Facebook" proves none of this is a given.

"You expected this email" is also not a hard test to pass in either academia or corporate settings, where users are generally besieged by unsolicted instructions to "Go here, do this, hurry up about it".

[mgkimsal]

Not huge blame, but browser makers are making it harder to understand what's going on what how to use the web - obfuscating the URL - taking off parts of it, sometimes hiding the entire URL bar altogether.

Similarly, 'cookies' are 'scary' - there's no visual indication in a browser of what's going on with cookies, what they are, what they hold - you have to dig deep in 'preferences' then 'advanced' or 'security'. Instead of easier to use tools, we get legislation around cookies. WTF?

Don't get me started on certificates...

[_Simon]

Users don't think like that. They generally don't know what redirect means, let alone recognise when it happens. I'll add that more and more attacks seem to come from trusted sources recently. This only goes to further the issue.

[DanBC]

#2 - Many people don't know what a redirect is. Many of them don't really know the difference between email and www. Some of them won't know there is a difference; it's all just clicky things.

Here are some regular people's experiences of scams.

(http://www.moneywise.co.uk/scams-rip-offs/scams/scam-watch-t...)

#1 - Yes, some scams are reasonably sophisticated.

(http://www.guardian.co.uk/money/2012/may/23/credit-card-user...)

[path411]

I make it simpler by simply telling anyone to never click any links out of an email.

[crististm]

Indeed. Links inside emails could be disabled by default. Email clients are already doing this to images. Why not block explicit links as well?