Dr. Dobb's | Fighting Phish | October 02, 2007

Fighting Phish

Research indicates that those who have been duped are well-suited for spotting future fraud

October 02, 2007
URL:http://www.drdobbs.com/security/fighting-phish/202200218

Carnegie Mellon University researchers are suggesting that people who fall for phishing attacks -- being lured by spoof email into visiting a counterfeit website -- are also people who are ready to be educated about such fraud.

In a laboratory study, the researchers found that when they sent their own spoof email to users and tricked them into visiting an educational website, those people tended to learn and retain the lesson about how to spot phishing sites. Phishing attacks have become a common method for stealing personal identification information, such as bank account numbers and passwords. Lorrie Cranor, associate research professor of computer science, said phishing often is successful because many people ignore educational materials that otherwise might help them recognize such frauds.

Ponnurangam Kumaraguru, a graduate student in the Carnegie Mellon School of Computer Science's Institute for Software Research, will present the study results on October 5 at the Anti-Phishing Working Group's (APWG) eCrime Researchers Summit in Pittsburgh. The summit, sponsored by the APWG and hosted by Carnegie Mellon CyLab, includes leading industrial and academic practitioners in the field of electronic crime research.

In the "phish fighting" study, three groups of 14 volunteers participated in role-playing exercises where they processed email, which included a mix of phishing, spam, and legitimate email. Those in the "embedded training" group, who were given antiphishing educational materials after they had fallen for a phishing email, spent more than twice as much time studying the materials than those who were presented the materials without first being tricked. Those who were presented the materials without being tricked were no better at identifying phishing emails than those who received no antiphishing educational materials. A week later, when the exercise was repeated, those in the embedded training group were significantly more successful in identifying phishing emails than those in the other two groups -- 64 percent of phishing emails identified by the embedded training group versus 7 percent identified by the other two groups.

Cranor, director of the Carnegie Mellon Usable Privacy and Security Lab, said additional testing will be necessary to confirm these results. But the initial findings suggest that using the tricks of phishers, perhaps in a controlled environment, might be a good first step in educating computer users to protect themselves.

In addition to Cranor and Kumaraguru, the study team included faculty members Jason Hong and Alessandro Acquisti and graduate students Yong Rhee, Steve Sheng and Sharique Hasan. Their paper is available at the eCrime Researchers Summit website.