Appendix N

Transcript from think aloud study

P302

P302: The e-mail address is HR_dept33433; it doesn’t sound very official. It’s @yahoo rather than at a company address. The e-mail, CV isn’t capitalised, but that might not be too big a thing. “My shortlist” doesn’t sound very professional. No spelling mistakes that I can see though, but the e-mail address is dodgy. I’m going to put it at a 2 because it’s not definitely phishing, but it looks dodgy.

The e-mail address is not particularly easy to understand. It’s unlikely you’d use the, “I am writing you,” if he was born in London. It’s American. “___[0:02:50]” is strange phraseology, bad grammar. It does improve, grammar and spelling etc. Definitely phishing because, well, for one, it’s very strange to not know the full name of the person you think of trustworthy enough to leave your entire fortune to.

, I’m not sure who “igrasp” is, but it’s more ___[0:04:34] than the first one. You can paste it into your browser. The two web links are different, for different things. It could just be if you had an account with something called igrasp, I guess.

Verifiedbyvisa.com sounds very legitimate. It has at least a logo. But banks don’t ask you to just click on links and reactivate your credit card and it’s highly unlikely. So although the e-mail was legitimate, what they’re asking doesn’t sound legitimate, so 2.

So it’s paypal.co.uk, sounds a legitimate e-mail. That is the PayPal logo. They know the card number so if you find that’s correct, we’ll be able to work from somewhere that could mean they’re more legitimate. They’re not asking for a PIN and it’s a likely thing for PayPal to need. The reply stuff sounds genuine. I’d say 5.

___[0:08:24] natwest.com sounds fairly legitimate. That’s the Natwest logo. That’s the current account number, which I assume it is and they have that information. It talks about online security, so I’d say a five.

Gucci, Cartier, Rolex, ___[0:09:33]. Yes, that sounds very dodgy, the name of the people doesn’t link to the actual e-mail address. They’re all desirable luxury brands, put together. It doesn’t look very visual. It’s definitely phishing.

The name is Philippe Jean; the e-mail is ___[0:10:21], that kind of links. I suppose it depends whether you know a Philippe Jean, if you don’t, definitely phishing. If you do, it could be, but still, never trust an e-mail directly asking for money, so two, three.

eBay administration, admin@ebay, well, I mean eBay but eBayz.com doesn’t sound as legitimate. That’s the eBay logo. I suppose it depends whether the user agreement section online actually does say that. The link does say ebay.com, but obviously that might not be where they’re taking you. That is all the copyright things. Three, four… four.

___[0:14:04], [0:14:05]. Okay, I don’t know about that. It’s not directly asking for information or money. I’d say five, it looks very legitimate, I mean obviously the link could take you anywhere.

DDF.193@ ___[0:15:01] .com really, really doesn’t sound legitimate; though that is the correct tracking number, that’s impressive they know that, or disturbing. Yes, the FedEx situation is believable, the FedEx logo, but yes, the e-mail just doesn’t look – so two.

___[0:15:51] USextra.co.uk, if that’s where the actual e-mail address has come from rather than just the name of it, looks fairly legitimate. That’s a very basic e-mail and the link is incredibly long. That’s the correct IP address. That said, just confirming password things are normally all quite basic. Four.

barclaysonlinesupport@vnet. I wonder what vnet is, it sounds a bit dodgy, but Barclays online sounds right enough. Barclays logo, it doesn’t have a name. No descriptions of your name, but other than that, legitimate situation. I’m using legitimate too much. Three.

The name and e-mail address match. The fact that they have a Doddle account is very dodgy, the fact that it’s from a person at the college, rather than a company or business where you might have an account. I would say definitely phishing, one.

___[0:18:28] .co.uk, fairly legitimate, as far as the e-mail address makes sense, but the hyperlink is going to myface.com, which really, really doesn’t sound right. It has no logos or company styling or that you’d associate with an e-mail from a big company, so definitely phishing.

PlusNet Sport, , I suppose that sounds right. Yes, I assume that’s your username. No logos and stuff, but fairly basic. It says McAfee ___[0:19:44] downloads in the link, or the link name, so they at least bothered to get that right, if ___ wrong. Five. It looks quite legitimate to me.

, so it’s got the easyroommate.com. The link is titled 2uk08 and true, it does say “___[0:21:07] scam,” so this person is ___ there, if it is one. Four.

, that’s a fairly sensible sounding e-mail address. The HSBC logo, does it look like that or is that an old one? It shows no kind of, “This account,” what your account number is and what your name is, so a two, phishing to me.

It’s tiny, so it’s not very considerate if they did decide that. ___[0:22:26] co.uk is a fairly sensible sounding e-mail address. Invoice number, registered name. It doesn’t have any branding, but it looks fine to me. Five.

Again, tiny, not very considerate. ___[0:23:37] fairly sensible, ___, case number, service tag, so that helps and sounds better. Dell logo. Five. That looks pretty good to me.

I haven’t heard of ___[0:24:43], but I have mail.com, matches, sounds sensible. The e-mail address is okay. The attachments are strange, show attachments, that’s a bit dodgy, but it sounds a realistic situation, normal e-mail, Google branding. Four.

The ___[0:26:53] doesn’t match Natwest, so that’s dodgy. It does have Natwest branding though. I didn’t really know online accounts did expire, I’m not sure if they do. ___ I’d say definitely phishing.

___[0:27:33] not Amazon, so that’s strange. It does have Amazon branding, it’s in Amazon font, layout etc., so the e-mail looks really right. So yes, this e-mail looks fine, just the e-mail address isn’t correct, so two.

Dropbox, dropbox.com makes sense, so that’s right. It says your name and has Dropbox branding and the e-mail address sounds fine. I’d say it’s probably legitimate, fine.

, well, the name of the account sounds right, , really doesn’t match the e-mail address. That’s the seller, so I don’t know about that. There’s a lot of information, kind of like mail. I’ve never bought anything off eBay so I don’t really know what it would look like, or paid via PayPal like that. Four, considering I thought that was weird. Maybe it’s the seller, that makes sense.

, fairly sensible, e.paypal is a bit weird, but yes, branding looks nice. There’s the name, there’s details like, “Trouble reading this,” “Copyright,” I don’t think it’s a spoof e-mail. It sounds slightly too eager to owe you ___[0:30:57] number, really suspicious. Four.

Customer care e-mail, mail@wsystems sounds sensible, branding is correct. It sounds a realistic situation. But if they’re saying an attacker hacked into their network, you’re going to be slightly suspicious of anything going on right now, so four.

___[0:32:14] makes sense as an e-mail address. That the images don’t process is a bit weird. It doesn’t really have that many links so unless you are going to [save all 0:32:42]. Cancel the transaction is not working, that’s something you’re going to definitely click on the link for, but the fact the images don’t come through is a bit weird, but you know, computers are computers I guess. Four.

Facebookmail.com doesn’t sound ___[0:33:24], not sure about that one. It does say Facebook mail, but then doesn’t everyone have Facebook mail? It does have a name. Four.

Virgin Mobile sounds sensible, yes. That there isn’t a name for the attachment is weird and that there is an attachment and they don’t say what it is is also strange. There’s no particular rush for you clicking on the links though. There’s no branding, which is weird, so I think four.

___[0:34:44] name and e-mail don’t match. I don’t actually know what they’re talking about, but yes. If it’s an American company it makes sense that they spelt ___ that way, but if it’s not, it doesn’t. “If you already authenticated your account,” looks bad; a two, it sounds very fishy. No branding.

___[0:36:14], two Es in finance is a bit weird, but @direct.gov.uk is sensible sounding I guess, not personal though. It does have correct branding though, well, not up to date branding, but if it was in 2012 it might have been, I guess. Three, pretty sure it’s phishing.

___[0:37:17] .co.uk, maybe ___ survey I guess. No branding. I don’t recognise it as a survey thing, like SurveyMonkey or something, but that doesn’t mean it can’t be one I suppose. The fact there isn’t branding is weird. Three. They would be shouting about the winning thing more.

The e-mail didn’t load. Oh no, it has now. DFT, the name and e-mail address don’t match, the e-mail address doesn’t sound right. It has a logo. It’s not personalised. .gov.uk, yes, the situation in which you don’t upload your details within two weeks of receiving this and having to take a fresh driving test is completely ridiculous, so definitely phishing.

@Lancaster.ac.uk, it’s a Lancaster address, it makes sense. “Dear student…” yes, no particular reason why that would be personalised in this situation, SurveyMonkey, I recognise that as a survey company. FCUG survey 13 makes sense. I’d say five.

P303

P303: Blah, blah, blah… ___[00:00:11]…

[Silence 00:00:11 - 00:00:37].

“Lung cancer”… I would ___, especially for…

“Confidence… [To hand 00:01:01]”.

[Silence 00:01:01 - 00:01:40].

Okay so… Phishing, because [everybody can go].

“Important customer information”.

[Silence 00:02:01 - 00:02:41].

I think it’s legitimate because there’s the logo of the company. Yes, I think it’s legitimate.

[Silence 00:03:08 - 00:03:24].

I’m not sure about this one, but it seems like… “We will expire in three days.” Why can your password be expired? I’ve never heard this before. “Upgrade your webmail”. The email address seems not very common; I would ___[00:03:57] to them.

Paypal.uk…

[Silence 00:04:08 - 00:04:50].

Yes, I think it’s definitely legitimate.

[Silence 00:04:54 - 00:05:07].

“Write the first and last name if you are concerned about a security attack”. Yes I think it’s definitely legitimate because there is the logo of the company.

[Silence 00:05:39 - 00:07:00].

I’m not sure about this one, because the ___ everyone can ___, so it would be two or three.

[Silence 00:07:17 - 00:07:35].

I think it would be two.

I think it is definitely legitimate because… “Verify your address”. “Now we require your postal code”.

Well, the address is abnormal because it’s .

[Silence 00:08:15 - 00:08:38].

___ the [contact number] ___.

[Silence 00:08:43 - 00:09:16].

“Student Finance England”.

[Silence 00:09:18 - 00:09:37].

“SL student key”. I think it’s definitely phishing. Yes because the address is abnormal, [my face 00:10:05].

[Silence 00:10:05 - 00:10:32].

I think it’s definitely phishing because the logo is not correct and… “[chefsbusybusiness.co.uk]”. Yes and customer business ___.

The email address is wrong because e, b, y is set after eBay, and the email of eBay members would be someone’s first name.

[Silence 00:11:33 - 00:12:35].

“___”. Yes I don’t know if they would suspend my account because… ___[00:12:46 - 00:12:56].

[Silence 00:12:56 - 00:13:10].

Yes I think there is no connection between legal liability and financial loss and the update of personal records and online experience.

I think this one is legitimate because the address is directgov.uk.

[Silence 00:13:59 - 00:14:21].

Yes, I think it is legitimate.

___.com.

[Silence 00:14:29 - 00:15:05].

Five, if I have just signed up to the website. Or four. “Please do not reply to this email”. Yes, four.

[Silence 00:15:33 - 00:15:52].

Why is it an attachment? ___. “Because we are the same [lettings firm]”.

[Silence 00:16:12 - 00:16:29].

I think it is two. It could be. Or with that ___ one.

Why is it after 20th October but it’s not? But you already have [mobile bill].

I won’t definitely finish it.

[Silence 00:17:17 - 00:18:29].

I think it is definitely legitimate because it doesn’t ask me to click on any address and just the information of the payment that I have made, so yes, definitely legitimate.

[Silence 00:18:58 - 00:19:30].

Yes, I think this one is legitimate because they say, “Your latest statement for account” ending 801, so they know your account number. Definitely legitimate.

I think this one is legitimate. “[Phone caller green 00:20:15]”. Yes, there was ___ should be ___ not phone caller green. Definitely phishing.

[Silence 00:20:36 - 00:20:53].

Definitely phishing because “___ award. Get ready for…” Yes, definitely phishing.

[Silence 00:21:06 - 00:21:59].

I would say five. Or four. Five, because the emails seem alright. The address is a little bit weird.

[Silence 00:22:17 - 00:22:46].

I’m not sure. I think it could be more detailed. ___ big companies I would say.

“Create a new password”. ___[00:23:12], I’m not sure.

[Silence 00:23:14 - 00:23:36].

I would say five. ___. I would say six. Five. Six. Because the address seems weird, but it’s facebookmail.com. Facebookmail.com, facebookmail.com. Two. Four.

[Silence 00:24:26 - 00:24:57].

[Set meals], put into. I would say definitely phishing because the ___ may not, my name is ___, and here you’re saying, “Hello”. This email could be sent to anyone.