Learn by doing: Phishing and other online tests

As a tech-savvy person in a family that mostly consists of low level Internet users – and especially because of my line of work – I’m often tasked with helping them when their computers become riddled with malware.

I realized long ago that a little security awareness teaching could, in the long run, minimize my need to be involved in this repetitive and frustrating task – not to mention minimize the dangers my family puts itself in by picking up malware left and right. But I must admit that I’ve had middling success with that plan.

Granted, I’m probably not a great educator, but I believe one of the biggest problems lies in the fact that they lack some of the absolute basics on how computers and the Internet operate, and I simply haven’t got enough time to tackle all this before I even start addressing the concrete stuff of how to keep safe online.

Keeping in mind this and the fact that their eyes simply glaze over at the mention of anything even remotely technical, it was imperative that I find shortcuts that would allow me to get certain points across in a short time.

One of these shortcuts was online tests that let you test your ability to spot fake emails, webpages or software. After all, repetition IS the best teacher.

When the idea first came to me, I thought the Internet was rife with them, but I was wrong. So, I had to take the time to dig around and make a collection of links to present to my “pupils.”

Learning how to spot phishing emails and websites

Phishing tests were relatively easy to find, but unfortunately there aren’t many of them.

By far the most popular is MailFrontier’s (renamed as SonicWALL Phishing IQ Test when SonicWALL acquired MailFrontier in 2006).

It’s easy to see why. Once you go over the test and see the results, you are able to see the “warning signs” for each email.

The explanations are simple and directly applied to each mail. Still, there is one downside: the email examples are always the same each time you take the test.

There are also a number of old MailFrontier tests still available on the Internet, and they can provide a little variety. Some are aimed specifically at German and UK users. Unfortunately, some of them don’t offer explanations on why the email is a phish or legitimate.

OpenDNS’ phishing quiz is also a favorite for the same reasons SonicWALL’s is:

But it also has the same drawback: the examples do not change if you retake the test.

Websense’s Operation SpearPhish is short, but the main downside is that the explanations are simply too complex to be helpful for low level Internet users:

Netriplex did it better.

Wombat Security Technologies have a free demo round of their popular Anti-Phishing Phil and Anti-Phishing Phyllis online training games. Registration is required, but takes just a minute, and you’re off:


Before each round of the game, you have to learn a specific piece of knowledge on how to spot phishing emails, then that knowledge is tested. Unfortunately, only one round of each game is available for free.

While they are not quizzes, I must mention eBay’s phishing tutorial and VISA’s Phishing Attacks page, which both explain and (more importantly) demonstrate tell-tale signs in spoofed emails. Also, the Anti-Phishing Working Group offers a handy infographic on how to spot phishing attempts.

Finally, I must add that the spam folders of my “pupils’” email accounts offered a good variety of phishing and scammy emails as examples for teaching and testing them, although this is something that, unlike with the tests, they definitely couldn’t practice on their own.

Learning how to spot rogue software

Microsoft has recently made available a Real vs. Rogue Security Software challenge that users can take and gauge their ability to spot fake AVs:

The test mixes it up a bit, serving different and random screenshots of fake and real AV. Still, specific details as to what to look for would have been nice. As it is, you’ll get the final score, be told where you judged wrong or right, and a description of the fake software and what it does.

Unfortunately, there are no other online tests similar to this one (or at least I couldn’t find any). The best you can do to show someone examples of fake AV, their tell-tale signs and behavior collected in one place and easy to peruse is to try this Fortinet blog post.

All in all, I’m sorry that there aren’t more quizzes such as these available for free for home users. After all, isn’t it in the best interest of all of us to keep as many users as possible safe(er)?
