To add some missing context to this:
- I’m part of the EA community and have been for several years. To the extent that you need a community member to blame for this, it is me. When doing this, I was operating under the belief that the community would be judging me personally, which is why I openly admitted to doing this on Facebook.
- I would have known about Petrov Day anyway regardless of Chris’ message.
- Phishing attacks can often have in excess of 80% success rate. If you had received this, you would have likely entered the codes as well, even though everyone thinks that they wouldn’t. Which is just one of the reasons why it doesn’t make sense to punish recipients for making this kind of mistake.
- The campaign wasn’t targeted at Chris, it was sent to lots of users. Retrospectively, I should have excluded Chris from the list of users. (I really regret not doing this, and I would like to apologise to Chris for this.)
Source please on the 80% success rate of many phishing attacks? This is at least an order of magnitude more than I would have predicted, it blows my mind!
Did a quick google. The only statistic I could find for how successful phishing attacks are is https://www.helpnetsecurity.com/2019/09/04/sme-phishing-attacks/:
“43% of UK SMEs have experienced a phishing attempt through impersonation of staff in the last 12 months. Of those impersonation phishing attempts, it was discovered that two-thirds (66%) had suffered a successful attack, according to CybSafe.”
66% is still way more than I expect, but there’s no verifiable source. (Looks like CybSafe has incentive to exaggerate the numbers.) And it’s not clear whether this is “66% of phishing attempts were successful” or “of organizations targeted, 66% suffered at least one successful attack”. Certainly it doesn’t support “you would have likely entered the codes as well”.
Strong-downvoted pdaa’s comment pending source.
Yeah. If 80% is the true success rate I would not expect the world to look the way it does. I would expect such attacks to be incredibly rampant and somewhere near the front of everyone’s minds, at least in the sense of when you get a call from an unknown number you think it’s quite likely that it’s something unsolicited.
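“Phishing attacks can often have in excess of 80% success rate. If you had received this, you would have likely entered the codes as well, even though everyone thinks that they wouldn’t. Which is just one of the reasons why it doesn’t make sense to punish recipients for making this kind of mistake.”
Seconding Daniel’s request for a source. But also, to clarify, does your attempt here count as one phishing attack in total, or one per message you sent?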
If it’s one per message, then 80% is double-plus-super-higher-than-predicted. But if it’s one in total, then “you would have likely entered the codes as well” needs further justification. I said in the other thread that I wasn’t super confident I wouldn’t have fallen for it; but I don’t think it’s actively likely that I would have done, even taking your claim into account.
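“To the extent that you need a community member to blame for this, it is me. When doing this, I was operating under the belief that the community would be judging me personally”
As a note, to the extent that you’re trying to actively shoulder the blame here (rather than simply describing where you think it falls), this isn’t a call you get to make. I’m not saying here that Chris does deserve blame; just that to the extent he does, you can’t take that away from him onto yourself.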
And… having this expectation seems like kind of the same sort of thing that went wrong with the admins’ messaging? Like, on a high level you could describe what led to the site blowing up as: “the admins expected people to feel one way about a thing, and acted on that expectation, but some people felt a different way, and acted in ways that surprised the admins”. Similarly, you may have expected us to feel one way about your actions, such that we judge you personally; but if some of us feel a different way, and judge differently, well...
You said you wanted this to be a learning opportunity for the community, and I think (despite varying levels of annoyance) we’re overall taking it as such. To the extent that it’s a learning opportunity for you as well, I hope you take it as such.
“The campaign wasn’t targeted at Chris, it was sent to lots of users. Retrospectively, I should have excluded Chris from the list of users. (I really regret not doing this, and I would like to apologise to Chris for this.)”—I don’t know why you wouldn’t consider me fair game. You really don’t need to apologise to me.
Was the parallel to the real Petrov’s false alarm intentional or unintentional?
I think it’s great that you did this. It made the game more real, and hopefully the rest of us learned something.
Suppose phishing attacks do have an 80%+ success rate. I have been the target of phishing attempts 10s of times, and never fallen for it (and I imagine this is not unusual on LW). This suggests the average LWer should not expect to fall victim to a phishing attempt with 80% probability even if that is the global average.