
Teaching Johnny not to fall for phish

Published: 10 June 2010

Abstract

Phishing attacks, in which criminals lure Internet users to Web sites that spoof legitimate Web sites, are occurring with increasing frequency and are causing considerable harm to victims. While a great deal of effort has been devoted to solving the phishing problem by prevention and detection of phishing emails and phishing Web sites, little research has been done in the area of training users to recognize those attacks. Our research focuses on educating users about phishing and helping them make better trust decisions. We identified a number of challenges for end-user security education in general and anti-phishing education in particular: users are not motivated to learn about security; for most users, security is a secondary task; it is difficult to teach people to identify security threats without also increasing their tendency to misjudge nonthreats as threats. Keeping these challenges in mind, we developed an email-based anti-phishing education system called “PhishGuru” and an online game called “Anti-Phishing Phil” that teaches users how to use cues in URLs to avoid falling for phishing attacks. We applied learning science instructional principles in the design of PhishGuru and Anti-Phishing Phil. In this article we present the results of PhishGuru and Anti-Phishing Phil user studies that demonstrate the effectiveness of these tools. Our results suggest that, while automated detection systems should be used as the first line of defense against phishing attacks, user education offers a complementary approach to help people better recognize fraudulent emails and websites.

