I was one of Josh's guinea pigs for his experiment, so I got to see how easy phishing email can bypass email security controls. There obviously wasn't much chance I would get duped by the invite: I knew that my interviewing Bill Gates on the spot at a computer conference when I was in my 20s wasn't enough to get me into his social networking inner circle. But what if Perrymon's rather convincing spoofed LinkedIn invite had come from someone I did know, and had spelled LinkedIn with a lowercase "n"?
I would easily have fallen for it.
Now that's social engineering at its best, right? You bet. There's no patch for a good social engineering attack. But what worries me is that while Perrymon's message had the look and feel of a legit LinkedIn invitation message, it still had the capitalization issue and Bill Gates' name in it -- a couple of things you'd think might appear spammy to a filter. But then again, Russian-language email messages occasionally slip through and land in my inbox, too. So I guess I'm not surprised that the experiment worked on my end.
Still, it was a good exercise to experience firsthand, especially when Perrymon showed me the results of the data he was able to gather about me when I willingly clicked on the link in the email -- my operating system, browser version, IP address, etc. Nope, nothing Bill Gates would be interested in.
-- Kelly Jackson Higgins, Senior Editor, Dark Reading