Don't open that email! How to reduce the threat of phishing

There are two best practices when it comes to avoiding the harmful effects of a phishing attack: email filtering and user education. Wombat Security Technologies, a spin-off from the Carnegie Mellon University CyLab Usable Privacy and Security Laboratory, offers very innovative – and very effective – solutions in both areas.

Do you think of phishing as a consumer problem and not a concern for enterprise networks? If you said yes, you'd better think again. According to the Verizon 2010 Data Breach Investigations report, the use of social tactics as a means to initiate a data breach is on the rise. Social tactics employ deception, manipulation or intimidation to exploit the human element, or users, of information assets. Phishing is still one of the leading social tactics used to gain illicit access to a network or the information stored on that network.

We might laugh about some of the obviously bogus phishing emails, such as the ones from a deposed Nigerian prince with millions of dollars in assets he needs help to claim. But consider this: Social networks such as Facebook and LinkedIn provide phishers with some very explicit personal information that can be used to gain a person's confidence and deceive him into believing that a phishing email is actually legitimate. If a person sees relevant personal information in an email subject line or message, he is much more likely to open the email or follow the embedded links. Before he realizes it, the user can become the victim of a drive-by download of malware, or he might offer up sensitive information that can be used to penetrate his organization's network.

STUDY: Phishing scams dupe the most active online users

In fact, Facebook is in the top three brands that are fraudulently represented in phishing emails, according to the phish tracking service PhishTank. This comes at a time when many employees routinely use Facebook at work and view the service as a trusted source of information from friends and associates.

There are two best practices when it comes to avoiding the harmful effects of a phishing attack:

1. Use filtering technologies to attempt to keep the deceptive emails out of your users' inboxes.

2. Educate your users on how to defend themselves by not falling for the deception.

In the 2003-2004 timeframe, the Carnegie Mellon University CyLab Usable Privacy and Security Laboratory (CMU CUPS) launched the world's largest research project on phishing attacks. Based on the research findings, CUPS developed filtering technology and training services that utilize scientific learning principles. In 2008, the university created a spin-off company, Wombat Security Technologies, to bring these products to market. Today, Wombat offers some very effective solutions that greatly reduce the likelihood of end users falling victim to phishing attacks.

CUPS Director Lorrie Faith Cranor is also the chief scientist and co-founder of Wombat. Cranor says phishing plays on human vulnerabilities and is not strictly a technological problem. "Although we have shown that we can teach people to protect themselves from phishers, even those educated users must remain vigilant and may require periodic retraining to keep up with phishers' evolving tactics," according to Cranor. Wombat's product PhishGuru provides end user training through simulated attacks and effective training delivered at the ultimate teachable moment: during the fake attack.

PhishGuru is a SaaS application that allows an IT administrator to craft a fake email phishing campaign. The email is sent to a select group of end users, or even to a single individual. When a person falls for the attack by performing some action suggested by the bogus message, he is presented with on-the-spot training. For example, if the email instructs the user to click on a hyperlink, that action will yield a pop-up message that tells the user of his mistake and counsels him on the proper action he should have taken. From a learning science principle, there's no more effective way to teach a person what behavior you want him to adopt. This approach to training can reduce the likelihood of someone falling for a real phishing attack by 50-70%.

Wombat recommends that companies launch two to three campaigns over a four to six month period for vulnerable users. After three campaigns and the corresponding training, fewer than 10% of users are going to fall for an attack -- down from 25-40% before the campaigns.

Wombat also offers training games and other modules that complement the bogus emails. The games teach people the practical knowledge they need in order to defend themselves, but in a fun and engaging way. Who doesn't like a good video game?

Using an interactive game format, Anti-Phishing Phil teaches users how to parse a URL to detect if it's potentially harmful or not. For instance, just because a URL contains the word "Amazon" doesn't mean the link is for Users earn game points by showing they know the difference between an innocuous URL and one that could spell trouble. The game reinforces the principles that users should learn. You can play a short round of Anti-Phishing Phil at

Anti-Phishing Phyllis teaches users to recognize 39 different traps in fraudulent emails, such as malicious attachments, offers for monetary incentives, and pressure to "act now to avoid account termination." Within a 10 minute game, the user views sample emails, makes decisions about them, and garners immediate feedback to identify the traps. Analytics tell the IT administrator what traps individuals tend to fall for so that additional targeted training can be delivered. Give Phyllis a try at

Wombat also offers a phishing email filter that uses advanced machine learning techniques to catch phishing emails (including spear-phishing). Unlike other anti-phishing solutions that rely on blacklists and email signatures, PhishPatrol builds heuristics that work from the very start of new attacks. Extensive evaluation of PhishPatrol has shown that it consistently catches more phish than the best email spam filters and has far fewer false positives. PhishPatrol integrates into a variety of environments and complements a company's existing filters.

In very innovative and effective ways, Wombat Security Technologies addresses the two best practices of avoiding falling victim to phishing attacks: user education and email filtering. Use them together to reduce your risk.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at

About Essential Solutions Corp: Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Learn more about this topic

Cisco: Facebook security more important as email spam levels drop

Phishing attacks spiked in late 2010

Social networking security threats taken too lightly

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2011 IDG Communications, Inc.

IT Salary Survey 2021: The results are in