Teaching Johnny Not to Fall for Phish

ACM Transactions on Internet Technology (TOIT) 10(2), Article 7, May 2010. http://doi.org/10.1145/1754393.1754396

18 Pages. Posted: 6 Jan 2019. Last revised: 18 Nov 2021.

Ponnurangam Kumaraguru

Indraprastha Institute of Information Technology

Steve Sheng

affiliation not provided to SSRN

Alessandro Acquisti

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Lorrie Faith Cranor

Carnegie Mellon University - School of Computer Science and Carnegie Institute of Technology

Date Written: 2010

Abstract

Phishing attacks, in which criminals lure Internet users to websites that spoof legitimate websites, are occurring with increasing frequency and are causing considerable harm to victims. While a great deal of effort has been devoted to solving the phishing problem by prevention and detection of phishing emails and phishing websites, little research has been done in the area of training users to recognize those attacks. Our research focuses on educating users about phishing and helping them make better trust decisions. We identified a number of challenges for end-user security education in general and anti-phishing education in particular: users are not motivated to learn about security; for most users, security is a secondary task; it is difficult to teach people to identify security threats without also increasing their tendency to misjudge non-threats as threats. Keeping these challenges in mind, we developed an email-based anti-phishing education system called “PhishGuru” and an online game called “Anti-Phishing Phil” that teaches users how to use cues in URLs to avoid falling for phishing attacks. We applied learning science instructional principles in the design of PhishGuru and Anti-Phishing Phil. In this paper we present the results of PhishGuru and Anti-Phishing Phil user studies that demonstrate the effectiveness of these tools. Our results suggest that, while automated detection systems should be used as the first line of defense against phishing attacks, user education offers a complementary approach to help people better recognize fraudulent emails and websites.

Keywords: Operating Systems, Privacy, Security, Information Interfaces

Suggested Citation

Kumaraguru, Ponnurangam and Sheng, Steve and Acquisti, Alessandro and Cranor, Lorrie Faith, Teaching Johnny Not to Fall for Phish (2010). ACM Transactions on Internet Technology (TOIT) 10(2), Article 7, May 2010, http://doi.org/10.1145/1754393.1754396. Available at SSRN: https://ssrn.com/abstract=3305354

Ponnurangam Kumaraguru

Indraprastha Institute of Information Technology

Okhla, Phase III
Near Govind Puri Metro Station
New Delhi, 110020
India

Steve Sheng

affiliation not provided to SSRN

Alessandro Acquisti (Contact Author)

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Pittsburgh, PA 15213-3890
United States
412-268-9853 (Phone)
412-268-5339 (Fax)

Lorrie Faith Cranor

Carnegie Mellon University - School of Computer Science and Carnegie Institute of Technology

5000 Forbes Avenue
Pittsburgh, PA 15213
United States
