Scientific American Magazine, December 2008
This article analyzes why phishing works and the best methods that can be undertaken to protect consumers.
By utilizing more targeted and effective methods of preventing phishing, internet users can more easily and safely conduct online activity.
Phishing is a form of online crime that lures users into giving up personal information through emails that imitate legitimate organizations and link to look-alike websites. Users can be harmed either by clicking the links in the emails, which can install malware on their computers, or by disclosing sensitive personal information such as credit card numbers on the fake site.
Phishing is often successful because it exploits human vulnerability. By studying the factors that make people fall for this type of attack, better methods of prevention and user training can be developed.
A series of experiments was performed to determine how different types of user training affected how those users responded to later phishing attacks. The study revealed that conventional security-notice emails and training materials were ineffective at preventing users from falling for subsequent phishing attacks.
Several interactive programs were created to help users retain what they had learned about recognizing phishing.
With one program, users were sent fake phishing emails, and if they fell for the email they were kindly instructed by a cartoon “PhishGuru” where they went wrong and how to stay safe in the future.
In another program, users played a game in which they took the role of a young fish trying to find worms to eat. Each worm carries a URL that can be inspected to decide whether it is safe to eat or hides a hook. When players guess wrong, an instructor fish corrects them.
With both interactive programs, users' retention and success at identifying later phishing attacks increased dramatically.
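The kind of URL inspection the game teaches can be written down as a checklist: which part of the address is the real domain, whether a trusted name is merely hidden in a subdomain, path or the text before an "@", whether the host is a bare IP address, and whether the domain is a look-alike spelling. The following is an added example, not code from the article or from the training programs it describes; the allow-list of trusted sites and all sample URLs are constructed, and the "last two labels" rule for the registrable domain is a simplification (a real checker would use the Public Suffix List).

```python
"""Classify a URL as 'safe' or 'hook' using the cues a trained user looks for."""
from typing import List, Tuple
from urllib.parse import urlsplit
import ipaddress

# Constructed allow-list of sites the user actually has accounts with (example data).
TRUSTED_DOMAINS = {"paypal.com", "bankofamerica.com", "example.com"}


def registrable_domain(host: str) -> str:
    """Return the part of the host name that its owner actually registered.

    Assumption/simplification: the last two labels. Real code would consult the
    Public Suffix List so that names like 'bank.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike spellings such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url: str) -> Tuple[str, List[str]]:
    """Return ('safe' or 'hook', reasons), mirroring the questions a trained user asks."""
    reasons: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        reasons.append("no host name at all")
        return "hook", reasons
    if parts.username is not None:
        # Browsers ignore everything before '@'; attackers put the trusted name there.
        reasons.append(f"text before '@' is ignored by the browser; real host is {host}")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a domain name")
    except ValueError:
        pass

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        # Only the registrable domain decides who you are really talking to.
        return ("hook", reasons) if reasons else ("safe", reasons)

    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in host:
            reasons.append(f"'{trusted}' appears in the host but the real domain is {domain}")
        elif trusted in parts.path.lower():
            reasons.append(f"'{trusted}' appears only in the path; the site is {domain}")
        elif edit_distance(trusted, domain) <= 2:
            reasons.append(f"{domain} looks like {trusted} but is a different domain")
    if not reasons:
        reasons.append(f"{domain} is not a site you have an account with")
    return "hook", reasons


if __name__ == "__main__":
    # Constructed sample "worms": one safe, four with hooks.
    for sample in (
        "https://www.paypal.com/signin",
        "http://www.paypal.com@evil.example/login",
        "http://192.0.2.10/paypal.com/signin",
        "https://www.paypal.com.secure-login.example/",
        "https://www.paypa1.com/",
    ):
        verdict, why = inspect_url(sample)
        print(f"{verdict:5} {sample}  {'; '.join(why)}")
```

The design choice worth noting is that the verdict hinges on the registrable domain alone; everything else (subdomains, path, user-info, look-alike spelling) is reported only as the reason a trained user should have been suspicious, which is the same feedback the instructor fish gives.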
As newer and better methods of phishing prevention are put into place, cyber-criminals continue to develop newer and better phishing techniques. Thus the combined efforts of law enforcement, computer security experts, and users are needed to reduce the success of phishing in a lasting way.