Stefan A. Robila
Abstract
Phishing, e-mails sent out by hackers to lure unsuspecting victims into giving up confidential information, has been the cause of countless security breaches and has experienced in the last year an increase in frequency and diversity. While regular phishing attacks are easily thwarted, designing the attack to include user context information could potentially increase the user's vulnerability. To prevent this, phishing education needs to be considered. In this paper we provide an overview of phishing education, focusing on context aware attacks and introduce a new strategy for educating users by combining phishing IQ tests and class discussions. The technique encompasses displaying both legitimate and fraudulent e-mails to users and having them identify the phishing attempts from the authentic e-mails. Proper implementation of this system helps teach users what to look for in e-mails, and how to protect their confidential information from being caught in the nets of phishers. The strategy was applied in Introduction to Computing courses as part of the computer security component. Class assessment indicates an increased level of awareness and better recognition of attacks.
- CNN. com, "A convicted hacker debunks some myths." http://www.cnn.com/2005/TECH/internet/10/07/kevin.mitnick.cnna/index.html 2005, accessed 01/06/06Google Scholar
- Duntemann J., Degunking Your Email, Spam, And Viruses. Scottsdale, Arizona: Paraglyph Press, 2004Google Scholar
- Merwe A, Loock M., and Dabrowski M. "Characteristics and responsibilities involved in a Phishing attack." Proc. ACM WISCT 05, 92, 249--254, 2005 Google ScholarDigital Library
- http://en.wikipedia.org/wiki/Phishing, accessed 30 Nov 2005Google Scholar
- Roberts, Paul F. "Cyber-looters Capitalize on Katrina." eWeek. 12 Sept. 2005: 11--12Google Scholar
- MailFrontier Phishing IQ, "Paypal Tsunami" example, http://www.mailfrontier.com/quiztest2/S2img/Q22_tsunami.gif, accessed 3 Nov. 2005.Google Scholar
- Kerstein P.L., "How Can We Stop Phishing and Pharming Scams?" http://www.csoonline.com/talkback/071905.html, accessed 27 Nov 2005Google Scholar
- Richardson T., "Brits Fall Prey to Phishing." The Register. http://www.theregister.co.uk/2005/05/03/aol_phishing/, accessed 27 Nov 2005Google Scholar
- Sunday Morning Herald, "Phishing Spreads in Europe", http://www.smh.com.au/articles/2004/05/10/1084041315645.html, accessed 5 Jan 2006Google Scholar
- Anti-Phishing Working Group, October 2005 Report, http://antiphishing.org/apwg_phishing_activity_report_oct_05.pdf, accessed 27 Nov 2005Google Scholar
- Jakobsson M., Modeling and Preventing Phishing Attacks. Phishing Panel in Financial Cryptography '05. Google ScholarDigital Library
- Anti-Phishing Working Group, http://www.antiphishing.org/, accessed 27 Nov 2005Google Scholar
- Better Business Bureau, http://www.bbbonline.org/idtheft/phishing_cond.asp, accessed 4 Jan 2006Google Scholar
- Microsoft, Consumer Awareness Page on Phishing http://www.microsoft.com/athome/security/email/phishing.mspx, accessed 6 Jan 2006Google Scholar
- Emigh A., Online Identity Theft: Phishing Technology, Chokepoints, and Countermeasures. Radix Labs. 3 Oct, 2005.Google Scholar
- Jagatic T., Johnson N., Jakobsson M., and Menczer F., "Social Phishing", Communications of ACM, to appear, http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf, accessed 3 Jan 2006 Google ScholarDigital Library
- Mail Frontier. Phishing IQ, http://www.mailfrontier.com, accessed 3 Nov 2005Google Scholar
- Horgan D.,."The Phishing Phleet" Courant.com. http://blogs.courant.com/travel_columnists_horgan/2005/11/the_phishing_ph.html, accessed 2 Dec 2005Google Scholar
- Brandt A., "Phishing Anxiety May Make You Miss Messages" PCWORLD. October 2005: 34Google Scholar
- IU Phishing Research, http://www.indiana.edu/~phishing/, accessed 6 Jan 2006Google Scholar
- CNETNews.com, "Browser Phishing Flaw Could Hook Users", http://news.zdnet.com/2100-1009_22-5484315.html, accessed 15 Dec 2005Google Scholar
- Werner, Laurie. "Redefining Computer Literacy in the Age of Ubiquitous Computing." Proc. ACM SIGITE 05, 95--99, 2005 Google ScholarDigital Library
- Anti-Phishing Working Group, "Phishing Activity Trends Report", http://www.antiphishing.org/reports/ apwg_report_DEC2005_FINAL.pdf, accessed 20 March 2006Google Scholar
- Korea Internet Security Center, "Korea Phishing Activity Trends Report", http://www.antiphishing.org/reports/ 200601_KoreaPhishingReport_Jan2006.pdf, accessed 20 March 2006Google Scholar
Index Terms
- Don't be a phish: steps in user education
Recommendations
School of phish: a real-world evaluation of anti-phishing training
SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and SecurityPhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated ...
Teaching Johnny not to fall for phish
Phishing attacks, in which criminals lure Internet users to Web sites that spoof legitimate Web sites, are occurring with increasing frequency and are causing considerable harm to victims. While a great deal of effort has been devoted to solving the ...
Don't be a phish: steps in user education
ITICSE '06: Proceedings of the 11th annual SIGCSE conference on Innovation and technology in computer science educationPhishing, e-mails sent out by hackers to lure unsuspecting victims into giving up confidential information, has been the cause of countless security breaches and has experienced in the last year an increase in frequency and diversity. While regular ...
Comments