Gmail’s new anti-phishing defense

A couple of weeks ago, Gmail released a new feature to boost its anti-phishing capabilities. Whenever you receive a message that you haven’t heard from before, they will show you the full email address:

[image: screenshot of Gmail showing the sender's full email address]

Normally, you would just see the sender’s name.  If you get an email from, say, the Bank of America, only “Bank of America” would appear as the sender and that’s it (so long as the sender can be verified by DKIM or SPF).  Gmail is now displaying the P2 From address:

“Bank of America” <info@bankofamerica.com>

The part in between the quotes is the sender’s name, while the part between the angle brackets is the sender’s email address.  This attempts to combat phishing when a spammer sends you a mail purportedly from the Bank of America but with a spoofed From address:

“Bank of America” <noreply@bank.america.phishy.com>

By showing you the full email address, Gmail hopes that some users will notice that the domain looks funny and will be suspicious of the sender even in the event that the spam filters don’t catch the message.
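As an added example, not code from the original post or from Google: a small Python script that splits a From header into its display name and address with the standard library’s `parseaddr`, and checks whether the address’s domain is consistent with the organisation the display name claims. The trusted-sender table and the sample headers are constructed for illustration; the check looks only at the header text, exactly as the user does when Gmail shows the full address, and does not replace DKIM/SPF verification of who actually sent the message.

```python
"""Display-name vs. address consistency check for a From header.

Added example, not part of the original post. The TRUSTED_SENDERS table is a
constructed, hypothetical lookup; a real deployment would use its own list.
"""
from email.utils import parseaddr

# Constructed table: organisation claimed in the display name -> domains it
# legitimately sends from. Hypothetical data, not Gmail's.
TRUSTED_SENDERS = {
    "bank of america": {"bankofamerica.com"},
}


def split_from(header):
    """Return (display_name, address) for an RFC 5322 From header value."""
    name, addr = parseaddr(header)
    return name.strip(), addr.strip()


def domain_of(addr):
    """Return the lowercased domain part of an email address."""
    return addr.rsplit("@", 1)[1].lower()


def domain_belongs_to(domain, trusted_domain):
    """True if domain is the trusted domain itself or a subdomain of it.

    A suffix check on '.' + trusted_domain is deliberate: it accepts
    secure.bankofamerica.com but rejects bankofamerica.com.phishy.com,
    where the real name appears only as a leading label.
    """
    return domain == trusted_domain or domain.endswith("." + trusted_domain)


def classify(header):
    """Classify a From header the way a mail client might annotate it.

    Returns one of:
      "malformed"              - no usable address in the header
      "unknown-sender"         - display name is not one we keep a list for
      "consistent"             - address domain matches the claimed organisation
      "display-name-mismatch"  - display name claims an organisation whose
                                 domains do not match the address (lookalike)
    """
    name, addr = split_from(header)
    if not addr or "@" not in addr:
        return "malformed"
    claimed = name.lower()
    known_domains = TRUSTED_SENDERS.get(claimed)
    if known_domains is None:
        return "unknown-sender"
    domain = domain_of(addr)
    if any(domain_belongs_to(domain, good) for good in known_domains):
        return "consistent"
    return "display-name-mismatch"


if __name__ == "__main__":
    # Constructed sample headers modelled on the ones in the post.
    samples = [
        '"Bank of America" <info@bankofamerica.com>',
        '"Bank of America" <noreply@bank.america.phishy.com>',
        '"Bank of America" <alerts@bankofamerica.com.phishy.com>',
        "ask32@rdc.ru",
    ]
    for header in samples:
        print(f"{classify(header):24} {header}")
```

The important design choice is the suffix test in `domain_belongs_to`: comparing whole labels is what separates a genuine subdomain of the bank from a domain that merely starts with the bank’s name. A production version would also normalise Unicode in the display name and resolve the registrable domain against the Public Suffix List rather than trusting the raw string.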

I’m not sure how effective the feature will be.  I would guess that if most users are like me, they won’t bother reading about the feature (I didn’t until I did a Bing search for “Google anti-phishing”).  Then, in their inboxes, they’ll notice that sometimes Gmail shows you the sender and sometimes it doesn’t.  They’ll wonder why but won’t really notice for the most part, and won’t bother to look up why.

Will this keep people from falling for phishing?  A really obvious spam email like ask32@rdc.ru might arouse suspicion, but noreplay@bank.america.rdc.com might not. 

People fall for phishing scams for a couple of reasons:

  1. Their emotions of fear (of not having money) are triggered, which interferes with their ability to think logically.
  2. They lack the proper education to recognize phishing scams.

Google’s feature attempts to partially address point (2) – if a user has more information then they will be less likely to fall for scams.  But information on its own isn’t that useful.  Unless people know what to do with that information it won’t help because emotions are not logical at high levels of affect (that feeling of goodness or badness we get in response to all of life’s situations) and arousal.

What does help mitigate negative affect is education; it does this by keeping the emotional state at a lower level of arousal.  At low and medium states of arousal, emotions act in an advisory role.  At high levels, they can cause us to act against our own best interest.  Education helps dampen their effect by causing us to attribute the phishing scam to a non-authoritative source.  In other words, if you recognize a scam, you won’t fall for it because your emotions do not interfere with the logical part of your brain.

How could Google make this feature better?  In their explanation of the feature, they should have an explanation of what phishing is and how they are working to combat it.  They do say the following:

For example, if someone fakes a message from a sender that you trust, like your bank, you can use this information to see that the message is not really from your trusted sender.

That’s a good start, but it could be improved:  A bank you already do business with will be a trusted sender, whereas a phisher will send fake emails asking you to click a link and fill out your information.  If you see the full email address displayed, the message is probably not from your bank.  Don’t worry, just report the message as spam.  If you’ve already clicked the link and filled it out, call your bank and tell them what you’ve done.  And so forth.

It’s nice to see Google do stuff like this, and I’m sure that they are open to making stuff like this better.