Go IU students!

A couple of students at my alma mater's School of Informatics used a simple social engineering technique to study identity theft. They gathered information from publicly available web sites to send emails to fellow IU students. The email had a forged From address to make students believe a friend had sent it. It also had a link to a page on an IU server that prompted the student for their username and password. Due to the nature of the study, informed consent could not be given and the students conducting the study worked closely with the Human Subjects Committee for approval. Some "participants" are very upset at having been duped, but I have one question for them: Would you rather be duped by grad students conducting a study (and not actually collecting any personal information) or by unethical hackers actually committing identity theft? Bravo, Informatics students!