Why does Johnny get phished?

Posted: February 22, 2010 in general, professional, security

I was taught a month ago
To bide my time and take it slow
But then I learned just yesterday
To rush and never waste the day
Well I’m convinced the whole day long
That all I learn is always wrong
From Character Zero by Phish

Pretty much everybody realizes that phishing is not only a growing and painfully expensive problem (in 2006 phishing was reported to enjoy a whopping 70% success rate on social networks), it is also a demonically difficult attack to prevent and mitigate. We’ve tried detecting and preventing phishing scams by using filters to flag and delete suspicious emails at the server. We’ve tried finding and shutting down suspicious sites whose domain names look like those of trusted sites. We’ve even tried DomainKeys (now DKIM), which lets a receiving server verify a signature on the message against a key published in the sending domain’s DNS, and Sender Policy Framework (SPF), which lets a domain publish in DNS which servers may send mail for it so that receivers can reject forged SMTP MAIL FROM addresses. Neither helps when the phisher simply registers a lookalike domain and sends perfectly authenticated mail from it. We’ve built tons of tools that provide visual indicators to help users identify potential phishing scams: anti-phishing toolbars that display colored icons to indicate the degree of danger of a website, and others that provide risk ratings or information about the age and physical location of a web site, all designed to inform users about potentially fraudulent sites. We’ve even tried legislative remedies such as the CAN-SPAM Act of 2003 in the US and the Fraud Act 2006 in the UK. But after all that, the only really effective weapon we have is user training.

But here’s the rub: users are just not motivated to learn about security. They just want to get their jobs done and socialize with their friends on Facebook. Until they get pwned. Then it’s our problem. Yep, that user education stuff is not easy. In fact it’s so difficult that it prompted Martin Overton, a U.K.-based security specialist at IBM, to say “User education is a complete waste of time. It is about as much use as nailing jelly to a wall.” In public and on the record. Recently I came across a presentation by Ponnurangam Kumaraguru (PK) from the School of Computer Science at Carnegie Mellon University, where he and his colleagues seriously studied this problem of user education about phishing. Sort of like a Defence Against the Dark Arts class for web users. The fruit of their labors, PhishGuru, which turns out to be more like Finding Nemo than Harry Potter, is a surprisingly effective effort. PhishGuru, which has been commercialized through Wombat Security Technologies, offers cute comic strips and games that, while admittedly silly and derivative (“Phil” is totally like Nemo), are also quite effective.

PhishGuru™ comic strips can help you learn to protect yourself, your employees and your friends from phishing attacks.

Anti-phishing education can be as easy and fun as playing a game! In about 10 minutes you can learn the basics of how to spot phishing attacks. Try out our game, Anti-Phishing Phil™, the first two rounds are free online for anyone to play.

I tried Anti-Phishing Phil myself, thinking “I know this stuff cold (I’m a pro, after all)”, and was chastened to find that I didn’t get a perfect score. PhishGuru was nice about it though. The point is that the information was great, and presented in a fashion that my mom can understand and identify with. And be able to put into action. Stuff like how to really understand the parts of a URL: which part is the host that your browser actually connects to, and which parts (the bit before an @, the path, the subdomain labels in front of the real domain) a phisher can fill with anything at all. I was impressed. So I read the paper on which this is all based, Teaching Johnny Not to Fall for Phish, which concludes thusly:
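To make the “parts of a URL” lesson concrete, here is an added example in Python, not code from the original post, from PhishGuru or from the CMU paper. It parses a few constructed lookalike URLs the way a browser does and reports which registrable domain the user would really be talking to. The trusted-domain list and the sample URLs are assumptions made up for the example, and the registrable-domain logic is a deliberate simplification (it takes the last two labels and ignores multi-part public suffixes such as co.uk).

```python
"""Added example: show why only the host part of a URL matters when spotting phish."""
from urllib.parse import urlsplit

# Assumption for the example: the sites this user actually has accounts with.
TRUSTED_DOMAINS = {"paypal.com", "bankofamerica.com"}


def registrable_domain(host):
    """Return the last two labels of a hostname, lower-cased.

    Naive on purpose: a real implementation would consult the Public Suffix
    List so that 'example.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Parse a URL like a browser and explain which part decides where it goes.

    Returns a dict with the real host, its registrable domain, a verdict of
    'trusted' or 'suspicious', and the list of reasons behind the verdict.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""            # what the browser connects to
    domain = registrable_domain(host)      # what the user should compare
    reasons = []

    # Anything before '@' is userinfo, not the host: http://paypal.com@evil.example/
    if parts.username is not None:
        reasons.append("text before '@' is a username, not the host")

    # A bare IP address is never a branded site the user knows.
    if host and host.replace(".", "").isdigit():
        reasons.append("host is a raw IP address")

    # A trusted name that appears somewhere other than as the registrable
    # domain is exactly the trick phishers rely on.
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted in host:
                reasons.append(f"'{trusted}' is only a subdomain label of '{host}'")
            elif trusted in url.lower():
                reasons.append(f"'{trusted}' appears outside the host (userinfo, path or query)")
        if not reasons:
            reasons.append(f"registrable domain '{domain}' is not in the trusted list")

    verdict = "trusted" if domain in TRUSTED_DOMAINS and parts.username is None else "suspicious"
    return {"host": host, "domain": domain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URLs for the demo; none of these are real phishing sites.
    samples = [
        "https://www.paypal.com/signin",
        "http://www.paypal.com.secure-login.example/login",
        "http://paypal.com@evil.example/",
        "http://192.0.2.10/paypal/signin",
        "http://paypa1.com/",
    ]
    for sample in samples:
        result = classify_url(sample)
        print(f"{result['verdict']:10} {sample}")
        print(f"           host={result['host']} domain={result['domain']}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

The thing to notice is that the string "paypal.com" appears in four of the five sample URLs but only one of them goes to paypal.com; the others put it in a subdomain label, in the userinfo before an @, or nowhere near the host at all. That is the lesson Phil teaches, and it is the single check that the filters, toolbars and mail-authentication schemes above cannot do on the user’s behalf.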

In this paper we have presented the results of a user study that evaluated the effectiveness of existing online anti-phishing training materials. We demonstrated that – contrary to popular wisdom – anti-phishing user education can be effective: users get significantly better at identifying phishing websites when they actually read training materials. We also showed the different strategies that users adopt to recognize phishing sites, and how those strategies evolve due to the training. We also presented an analysis of existing training materials using learning science principles, and derived recommendations to develop further training materials in the context of phishing.

We have not tested the relative importance of the learning science principles in the context of phishing education; we plan to do this as a future work. We also plan to test whether these principles can be generalized to educate users about other online security issues.

So if you’ve ever tried nailing jelly to a wall you’ll be interested in the study. If you just want some help trying to understand and avoid phishing scams check out PhishGuru. And tell your mom about it.
