Antiphishing education requires real-world techniques

Carnegie Mellon University research suggests users ignore antiphishing material

Early results from Carnegie Mellon University research show that getting e-mail users to pay attention to antiphishing education may require stealing techniques from phishers themselves.

Carnegie Mellon University (CMU) is conducting research into why phishing attacks work, and has learned that a little bit of education regarding online fraud goes a long way.

Early findings of the research, which was presented last week at the Anti-Phishing Working Group’s eCrime Researchers Summit in Pittsburgh, hosted by CMU’s CyLab, show that phishers are often successful because e-mail users ignore information that could help them recognize fraud.

In one study, three groups of 14 participants each received e-mail messages that included spam and phishing attacks as well as legitimate mail. Two of the groups were presented with educational material about how to prevent being phished; but only one group received the material after having fallen for the phishing e-mails and entered personal information into a fraudulent Web site. According to researchers, that group spent twice as much time studying the material as those participants who hadn’t been phished.

The group that was given educational materials but hadn’t been phished was no better at spotting phishing attacks than the third group, which received no educational materials at all, researchers say.

When researchers ran through the exercise one week later, 64% of the phishing attacks sent to participants who had been phished were correctly identified as such, whereas only 7% of the phishing e-mails were correctly identified by the other two groups.

More research must be conducted to confirm these initial results, says Lorrie Cranor, associate research professor of computer science at CMU. But based on the initial findings, it appears that using some phishing techniques in a controlled environment may be an effective way to educate users.

The research paper, presented at the summit by Ponnurangam Kumaraguru, a graduate student in CMU’s School of Computer Science’s Institute for Software Research, can be found here.

Phishing has been a hot topic among CMU researchers and students of late. Last month scientists there developed an online game called Anti-Phishing Phil, featuring an animated fish designed to help teach users to spot fraud.
