Chapter 5 Anti-Phishing Phil: A Case Study in User Education
Abstract
Phishing is a kind of attack in which criminals use spoofed emails and fraudulent web sites to trick people into giving up personal information. Victims perceive these emails as associated with a trusted brand, while in reality they are the work of con artists interested in identity theft [57]. These increasingly sophisticated attacks not only spoof email and web sites, but they can also spoof parts of a user's web browser [55]. Phishing is part of a larger class of attacks known as semantic attacks. Rather than taking advantage of system vulnerabilities, semantic attacks take advantage of the way humans interact with computers or interpret messages [123], exploiting differences between the system model and the user model [139]. In the phishing case, attacks exploit the fact that users tend to trust email messages and web sites based on superficial cues that actually provide little or no meaningful trust information [26, 55]. Automated systems can be used to identify some fraudulent email and web sites. However, these systems are not completely accurate in detecting phishing attacks. In a recent study, only one of the ten anti-phishing tools tested was able to correctly identify over 90% of phishing web sites, and that tool also incorrectly identified 42% of legitimate web sites as fraudulent [147]. It is also unlikely that any system will ever be completely accurate in detecting phishing attacks, especially when detection requires knowledge of contextual information.

Figure 5.1 Anti-Phishing Phil game screen. Phil, the small fish near the top of the screen, is asked to examine the URL next to the worm he is about to eat and determine whether it is associated with a legitimate web site or a phishing site. Phil's father (lower right corner) offers some advice.
While it makes sense to use automated detection systems as one line of defense against semantic attacks, our philosophy is that there will still remain many kinds of trust decisions that users must make on their own, usually with limited or no assistance. The goal of our research is not to make trust decisions for users, but rather to develop a complementary approach to support users so that they can make better trust decisions. More specifically, one goal of our research is to find effective ways to train people to identify and avoid phishing web sites. In this paper we present the design, implementation, and evaluation of Anti-Phishing Phil, a …
Similar sources
Chapter 6 Phishing Susceptibility Study
Phishing attacks, in which scammers send emails and other messages to con victims into providing their login credentials and personal information, snare millions of victims each year [43]. A variety of efforts aim to combat phishing through law enforcement, automated detection, and end-user education. Researchers have studied why people fall for phishing attacks; however, little research has be...
Integrating self-efficacy into a gamified approach to thwart phishing attacks
Security exploits can include cyber threats such as computer programs that can disturb the normal behavior of computer systems (viruses), unsolicited e-mail (spam), malicious software (malware), monitoring software (spyware), attempts to make computer resources unavailable to their intended users (Distributed Denial-of-Service or DDoS attacks), social engineering, and online identity theft...
Submitted in partial fulfillment of the requirements for
Phishing is a kind of attack in which criminals use spoofed emails and fraudulent web sites to trick people into giving up personal information. This thesis looks at the phishing problem holistically by examining various stakeholders and their countermeasures, and by surveying experts’ opinions about the current and future threats and the kinds of countermeasures that should be put in place. It...
An Enterprise Anti-phishing Framework
The objective of this paper is to report back on an organizational framework, which consisted of human, organization and technology (HOT) dimensions in holistically addressing aspects associated with phishing. Most anti-phishing literature studied either focused on technical controls or on education in isolation; however, education is core to all aspects in the above-mentioned framework. It is evid...
Can a Mobile Game Teach Computer Users to Thwart Phishing Attacks?
Phishing is an online fraudulent technique, which aims to steal sensitive information such as usernames, passwords and online banking details from its victims. To prevent this, anti-phishing education needs to be considered. This research focuses on examining the effectiveness of mobile game based learning compared to traditional online learning to thwart phishing threats. Therefore, a mobile g...