Does Anti-Phishing Training Work?

Phishing attacks exploit users’ inability to distinguish legitimate websites from fake ones. Strategies for combating phishing include the prevention and detection of phishing scams, tools to help users identify phishing websites, and training users not to fall for phish. While a great deal of effort has been devoted to the first two approaches, less research has been done in the area of training users. Some research even suggests that users cannot be educated. However, previous studies have not evaluated the quality of the training materials used in their user studies. In this paper we present the results of a user study we conducted to test the effectiveness of existing online training materials that teach people how to protect themselves from phishing attacks, and an analysis of those materials through the lenses of principles derived from learning science. We show that existing training materials are surprisingly effective when users actually read them. Their effectiveness can be attributed not just to their ability to raise users’ awareness of the phishing problem and make them regard unknown web sites with suspicion, but also to their ability to teach users how to identify fraudulent web sites. We then present our analysis of the training materials based on principles from learning sciences, and provide some suggestions on how to improve training materials based on those principles.