I'd remove the negativity from the start. Putting "This is a test, you have failed it" right in front of folks is an instant turn-off, and might lead people away from your page instead of to the helpful content below.
More bullet points. There's not a whole lot of text there now, but anything you can do to get the message across with fewer words is a win, especially when dealing with non-technical folks.
Under "look at the address bar", you have:
A common phishing trick is to have a domain like amazon.com.not.ru, which steals your credentials when you try to log in. The actual domain in this example is "not.ru," but people often only check to see if the string "amazon.com" is anywhere in the address bar.
I'd change that to not use the word "string" since non-tech-folks don't parse that very well, and maybe include screenshots of an address bar containing the real Amazon.com and a phishing site disguised as Amazon.
Edit: I used the "you fail" message because I think it makes people more likely to remember it. I wanted to say something like "your credit card has been stolen. kthxbye." but that would have caused some false alarms.
It's hard to have a memorable message without it causing offense or panic.
Also on my TODO: add a counter for those who put 16 digits in the credit card field.
Extra edit: nfriendly: Thanks for the styling suggestion.
"If asked for your password, do not give it out. Real websites will never ask you for your password. (Login forms excepted, of course.)"
This is confusing, in my opinion. It's hard to explain the difference between a login form and a page asking for your password, so it's probably worth just leaving this out. Any phisher worth his salt makes the page asking for a password look like a login form anyway.
Could you perhaps write some JavaScript to check the check digit and submit just whether it was correct or not? Then you could have some stats on how many people are gullible vs. just curious.
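The check-digit idea in the comment above, as an added worked example that is not code from the page or from any commenter: a Luhn validator that yields only a pass/fail bit plus a length bucket, so the digits themselves never have to leave the browser. The sample inputs are constructed (the publicly known Visa and Mastercard test numbers, a near-miss, and junk); the `summarize` helper and its output shape are my assumptions about what such a form would submit.

```javascript
// Luhn (mod 10) check-digit validation, as used for payment card numbers.
// Added example, not code from the page. Returns true only when the digits
// survive the Luhn sum; it never stores or transmits the number itself.
function luhnValid(input) {
  const digits = String(input).replace(/[\s-]/g, '');
  if (!/^\d{12,19}$/.test(digits)) return false; // PAN lengths per ISO/IEC 7812

  let sum = 0;
  let doubleIt = false;
  // Walk from the rightmost digit, doubling every second one; a doubled
  // digit above 9 has 9 subtracted (equivalent to summing its two digits).
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// What the form would actually submit for the "gullible vs. curious" counter:
// a boolean and a length bucket, no digits. (Shape is an assumption.)
function summarize(input) {
  const digits = String(input).replace(/[\s-]/g, '');
  return { luhnOk: luhnValid(digits), length: digits.length };
}

// Constructed sample inputs: well-known test PANs (not real accounts),
// a one-digit corruption of the first, and something that is not a number.
const SAMPLE_INPUTS = [
  '4111 1111 1111 1111', // Visa test number: valid
  '5555555555554444',    // Mastercard test number: valid
  '4111111111111112',    // last digit changed: fails the check
  '1234567812345678',    // 16 digits typed at random: fails the check
  'abc',                 // not digits at all
];

function demo() {
  return SAMPLE_INPUTS.map((s) => [s, summarize(s)]);
}
```

Client-side validation like this only tells you whether a visitor typed a plausible number rather than sixteen random digits; it does nothing about the trust problem raised further down the thread, since a page that asks for a card number at all is still training people to type one.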
You know what, this is a phisher's dream. Even if we could trust this website not to save the data, the connection is a regular non-secure connection, so all somebody would have to do is catch some open wireless connections or similar.
Another way this could be a good scheme is if people trust it and start sending it as a way to educate people, and when it starts getting momentum, it is changed and does start recording numbers.
I'm not convinced that this will help so much here. Assuming that victims won't be checking for SSL, getting someone to an insecure copy of the site will do. I don't see how this would be your problem, though.
I haven't particularly been following it, but is there any real solution to phishing? With punycode domains and arbitrary TLDs, along with characters that look the same in a lot of fonts (l and I), people need a CS degree to figure out if they are being phished.
I guess PayPal and a small number of verified payment processors (or real online banking) are about the only option.
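The two address-bar problems raised in this thread, the amazon.com.not.ru trick from the page's "look at the address bar" section and the punycode/look-alike letters from the comment just above, as one added worked example that is not code from the page or from any commenter. It uses the browser's own URL parser to show which host a link really points to and applies an ends-with test on the registered domain rather than a "does it contain amazon.com anywhere" test. Assumptions, mine and not the page's: the registered domain is taken as the last two labels (wrong for suffixes such as co.uk, where a real deployment would consult the Public Suffix List), and the look-alike heuristics are deliberately small. The sample links are constructed.

```javascript
// Added example, not the page's code: report what a link really points to.
// Assumption: "registered domain" = last two labels (no Public Suffix List).
function parseLink(link) {
  try {
    return new URL(link); // throws on anything that is not an absolute URL
  } catch (e) {
    return null;
  }
}

function registeredDomain(host) {
  const labels = host.split('.').filter(Boolean);
  return labels.length >= 2 ? labels.slice(-2).join('.') : host;
}

// Small, constructed heuristics for the look-alike problem; not exhaustive.
function lookalikeWarnings(host) {
  const warnings = [];
  for (const label of host.split('.')) {
    if (label.startsWith('xn--')) {
      warnings.push(`"${label}" is Punycode: the browser may display it as non-Latin letters that resemble a familiar name`);
      continue;
    }
    // Digits 0 and 1 mixed into an otherwise alphabetic label (paypa1, g00gle).
    if (/[a-z]/.test(label) && /[01]/.test(label)) {
      warnings.push(`"${label}" mixes letters with 0/1, which look like o/l in many fonts`);
    }
  }
  return warnings;
}

function checkLink(link, expectedDomain) {
  const u = parseLink(link);
  if (u === null) {
    return { host: null, registeredDomain: null, matchesExpected: false, warnings: ['not a valid absolute URL'] };
  }
  const host = u.hostname.toLowerCase();
  const registered = registeredDomain(host);
  const warnings = lookalikeWarnings(host);
  if (u.protocol !== 'https:') {
    warnings.push('not HTTPS: anything typed here can be read on the network');
  }
  return {
    host,
    registeredDomain: registered,
    // The brand must BE the registered domain, not merely appear somewhere in the host.
    matchesExpected: registered === expectedDomain.toLowerCase(),
    warnings,
  };
}

// Constructed sample links for the screenshots the first comment asks for.
const SAMPLE_LINKS = [
  'https://www.amazon.com/ap/signin',   // genuine: registered domain amazon.com
  'http://amazon.com.not.ru/ap/signin', // the page's example: registered domain not.ru
  'http://www.amazon.com@not.ru/',      // "user@host" trick: the host is still not.ru
  'https://paypa1.com/login',           // digit 1 standing in for the letter l
  'https://xn--80ak6aa92e.com/',        // Punycode host rendered as look-alike letters
];

function report(expected = 'amazon.com') {
  return SAMPLE_LINKS.map((link) => [link, checkLink(link, expected)]);
}
```

The useful lesson for a non-technical reader is the `registeredDomain` line: what matters is the part of the host just before the final dot, read from the right, which is exactly what the "typed the URL yourself" advice later in the thread protects.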
Single-use credit card numbers (and one-time passwords) would help a ton. Multifactor authentication of any kind would also be good. The problem with all of these ideas is that they're harder to use than fixed CC numbers and passwords.
I do like the convenience of being able to memorize a password or CC number though.
Yes, and it's very simple. Don't type anything important unless you also typed the URL into the address bar. Plenty of real mail from reputable, very phishable sites actually says exactly this in their real emails to customers sometimes.
Still though, good idea!