Ponnurangam Kumaraguru
Alessandro Acquisti
Lorrie Faith Cranor
Jason Hong
ABSTRACT
Phishing attacks, in which criminals lure Internet users to websites that impersonate legitimate sites, are occurring with increasing frequency and are causing considerable harm to victims. In this paper we describe the design and evaluation of an embedded training email system that teaches people about phishing during their normal use of email. We conducted lab experiments contrasting the effectiveness of standard security notices about phishing with two embedded training designs we developed. We found that embedded training works better than the current practice of sending security notices. We also derived sound design principles for embedded training systems.
- Anderson, J. R., A. T. Corbett, K. Koedinger and R. Pelletier. 1995. Cognitive tutors: Lessons learned. The Journal of Learning Sciences, 4, pp. 167--207.Google Scholar
Cross Ref
- Anderson, J. R., M. R. Lynne and Herbert A. Simon. 1996. Situated Learning and Education. Educational Researcher. Vo. 25, No. 4, pp. 5--11.Google ScholarCross Ref
- Anti-Phishing Working Group. Phishing Activity Trends Report. 2006. http://www.antiphishing.org/reports/apwg_report_jan_2006.pdf.Google Scholar
- Anti-Phishing Working group. http://www.antiphishing.org/. Retrieved on Sept 20, 2006.Google Scholar
- Betrancourt, M. and A. Bisseret. 1998. Integrating textual and pictorial information via pop-up windows: an experimental study. Behaviour and Information Technology. Volume 17, Number 5, pp. 263--273(11).Google Scholar
- Clark, R. C. and E. M. Richard. 2002. E-Learning and the science of instruction: proven guidelines for consumers and designers of multimedia learning. Pfeiffer, San Francisco, USA. Google ScholarDigital Library
- Dhamija, R., Tygar, J. D., and Hearst, M. 2006. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22-27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM Press, New York, NY, 581--590. DOI= http://doi.acm.org/10.1145/1124772.1124861. Google ScholarDigital Library
- Dhamija, R. and Tygar, J. D. 2005. The battle against phishing: Dynamic Security Skins. In Proceedings of the 2005 Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 06-08, 2005). SOUPS '05, vol. 93. ACM Press, New York, NY, 77--88. DOI= http://doi.acm.org/10.1145/1073001.1073009. Google ScholarDigital Library
- Drake, C. E., J. J. Oliver and E. J. Koontz. MailFrontier. Anatomy of a Phishing Email. Retrieved Feb 27, 2006, http://www.mailfrontier.com/docs/MF_Phish_Anatomy.pdf.Google Scholar
- Downs, J. S., Holbrook, M. B., and Cranor, L. F. 2006. Decision strategies and susceptibility to phishing. In Proceedings of the Second Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 12-14, 2006). SOUPS '06, vol. 149. ACM Press, New York, NY, 79--90. DOI= http://doi.acm.org/10.1145/1143120.1143131. Google ScholarDigital Library
- eBay. Spoof Email Tutorial. Retrieved December 30, 2006. http://pages.ebay.com/education/spooftutorial/Google Scholar
- eBay Toolbar. Retrieved December 30, 2006. http://pages.ebay.com/ebay_toolbar/Google Scholar
- Erhel, S. and E. Jamet. 2006. Using pop-up windows to improve multimedia learning. Journal of Computer Assisted Learning, Volume 22, Number 2. pp. 137--147.Google ScholarCross Ref
- Federal Trade Commission. An E-Card for You game. Retrieved December 30, 2006. http://www.ftc.gov/bcp/conline/ecards/phishing/index.html.Google Scholar
- Federal Trade Commission. Phishing Alerts. Retrieved December 30, 2006. http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htmGoogle Scholar
- Ferguson, A. J. 2005. Fostering E-Mail Security Awareness: The West Point Carronade. EDUCASE Quarterly. http://www.educause.edu/ir/library/pdf/eqm0517.pdf.Google Scholar
- Fette, I., N. Sadeh and A. Tomasic. Learning to Detect Phishing Emails. June 2006. ISRI Technical report, CMU-ISRI-06-112. http://reports-archive.adm.cs.cmu.edu/anon/isri2006/CMU-ISRI-06-112.pdf.Google ScholarCross Ref
- Jagatic, T.,N. Johnson, M. Jakobsson and F. Menczer. Social Phishing. To appear in the Communications of the ACM. Retrieved March 7, 2006, http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf.Google Scholar
- Jakobsson, M. and Ratkiewicz, J. 2006. Designing ethical phishing experiments: a study of (ROT13) rOnl query features. In Proceedings of the 15th international Conference on World Wide Web (Edinburgh, Scotland, May 23-26, 2006). WWW '06. ACM Press, New York, NY, 513--522. DOI= http://doi.acm.org/10.1145/1135777.1135853 Google ScholarDigital Library
- James, L. 2005. Phishing Exposed. Syngress, Canada. Google ScholarDigital Library
- Kumaraguru, P., A. Acquisti and L. Cranor. 2006. Trust modeling for online transactions: A phishing scenario. Proceedings of Privacy Security Trust, Oct 30-Nov 1, 2006, Ontario, Canada. Google ScholarDigital Library
- Lininger, R. and R. Dean. 2005. Phishing: Cutting the Identity Theft Line. Wiley, publishing Inc. Indianapolis, Indiana, USA. Google ScholarDigital Library
- Mail Frontier. Phishing IQ. http://survey.mailfrontier.com/survey/quiztest.html. Retrieved Sept 20, 2006.Google Scholar
- Mayer, R.E. Multimedia Learning. 2001. New York Cambridge University Press. Google ScholarCross Ref
- Mayer, R.E. and R. B. Anderson. 1991 Animations Need Narrations: An Experimental Test of a Dual Coding Hypothesis. Journal of Educational Psychology. Volume 83, Number 4. pp. 484--490.Google ScholarCross Ref
- Microsoft. Consumer Awareness Page on Phishing. Retrieved September 10, 2006. http://www.microsoft.com/athome/security/email/phishing.mspx.Google Scholar
- Miller, R. C. and M. Wu. 2005. Fighting Phishing at the User Interface, In Lorrie Cranor and Simson Garfinkel (Eds.) Security and Usability: Designing Secure Systems that People Can Use. O'Reilly.Google Scholar
- Netcraft. Retrieved September 10, 2006. http://news.netcraft.com/Google Scholar
- New York State Office of Cyber Security & Critical Infrastructure Coordination. 2005. Gone Phishing& A Briefing on the Anti-Phishing Exercise Initiative for New York State Government. Aggregate Exercise Results for public release.Google Scholar
- Richmond, R. Hackers set up attacks on home PCs, financial firms: study. Retrieved September 25, 2006. http://www.marketwatch.com/News/Story/Story.aspx?dist=newsfinder&siteid=google&guid=%7B92615073-95B6-452E-A3B9-569BEACF91E8%7D&keyword=Google Scholar
- Robila, S. A., J. James and W. Ragucci. 2006. Don't be a phish: steps in user education. ITICSE '06: Proceedings of the 11th annual SIGCSE conference on Innovation and technology in computer science education. pp 237--241. New York, NY, USA. Google ScholarDigital Library
- Schmeck, R. R. (Ed) 1988. Learning styles and strategies. New York: Plenum Press.Google Scholar
- Schneier, B. 2000. Semantic Attacks: The Third Wave of Network Attacks. Crypto-Gram Newsletter. Retrieved Sep 2, 2006, http://www.schneier.com/crypto-gram-0010.html#1.Google Scholar
- SpamAssasin. Retrieved September 10, 2006. http://spamassassin.apache.org/Google Scholar
- SpoofGuard. Retrieved September 10, 2006, http://crypto.stanford.edu/SpoofGuard/Google Scholar
- SpoofStick. Retrieved September 10, 2006. http://www.spoofstick.com/Google Scholar
- SquirrelMail. Retrieved September 10, 2006. http://www.squirrelmail.org/Google Scholar
- Wu, M., Miller, R. C., and Garfinkel, S. L. 2006. Do security toolbars actually prevent phishing attacks?. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 -- 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM Press, New York, NY, 601--610. DOI=http://doi.acm.org/10.1145/1124772.1124863. Google ScholarDigital Library
- Ye, Z. and Sean S. Trusted Paths for Browsers. 2002. Proceedings of the 11th USENIX Security Symposium. pp. 263--279. USENIX Association. Berkeley, CA, USA. Google ScholarDigital Library
- Zhang, Y., S. Egelman, L. Cranor, and J. Hong. 2007. Phinding Phish: Evaluating Anti-Phishing Tools. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS 2007), San Diego, CA, 28 February--2 March, 2007.Google Scholar
Index Terms
- Protecting people from phishing: the design and evaluation of an embedded training email system
Recommendations
Learning to detect phishing emails
WWW '07: Proceedings of the 16th international conference on World Wide WebEach month, more attacks are launched with the aim of making web users believe that they are communicating with a trusted entity for the purpose of stealing account information, logon credentials, and identity information in general. This attack method, ...
School of phish: a real-world evaluation of anti-phishing training
SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and SecurityPhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated ...
Getting users to pay attention to anti-phishing education: evaluation of retention and transfer
eCrime '07: Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summitEducational materials designed to teach users not to fall for phishing attacks are widely available but are often ignored by users. In this paper, we extend an embedded training methodology using learning science principles in which phishing education ...
Comments