Results 1 - 9 of 9
Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer
Cited by 10 (8 self)
Abstract
Educational materials designed to teach users not to fall for phishing attacks are widely available but are often ignored by users. In this paper, we extend an embedded training methodology using learning science principles in which phishing education is made part of a primary task for users. The goal is to motivate users to pay attention to the training materials. In embedded training, users are sent simulated phishing attacks and trained after they fall for the attacks. Prior studies tested users immediately after training and demonstrated that embedded training improved users' ability to identify phishing emails and websites. In the present study, we tested users to determine how well they retained knowledge gained through embedded training and how well they transferred this knowledge to identify other types of phishing emails. We also compared the effectiveness of the same training materials delivered via embedded training and delivered as regular email messages. In our experiments, we found that: (a) users learn more effectively when the training materials are presented after users fall for the attack (embedded) than when the same training materials are sent by email (non-embedded); (b) users retain and transfer more knowledge after embedded training than after non-embedded training; and (c) users with higher Cognitive Reflection Test (CRT) scores are more likely than users with lower CRT scores to click on the links in the phishing emails from companies with which they have no account.
Lessons From a Real World Evaluation of Anti-Phishing Training
Cited by 7 (4 self)
Abstract
Prior laboratory studies have shown that PhishGuru, an embedded training system, is an effective way to teach users to identify phishing scams. PhishGuru users are sent simulated phishing attacks and trained after they fall for the attacks. In the current study, we extend the PhishGuru methodology to train users about spear phishing and test it in a real-world setting with employees of a Portuguese company. Our results demonstrate that the findings of the PhishGuru laboratory studies do indeed hold up in a real-world deployment. Specifically, the results from the field study showed that a large percentage of people who clicked on links in simulated emails proceeded to give some form of personal information to fake phishing websites, and that participants who received PhishGuru training were significantly less likely to fall for subsequent simulated phishing attacks one week later. This paper presents some additional new findings. First, people trained with spear phishing training material did not make better decisions in identifying spear phishing emails than people trained with generic training material. Second, we observed that PhishGuru training could be effective in training other people in the organization who did not receive training messages directly from the system. Third, we observed that employees in technical jobs were no different from employees in non-technical jobs in identifying phishing emails before and after the training. We conclude with some lessons that we learned in conducting the real-world study.
Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions
- In Proceedings of the CHI Conference on Human Factors in Computing Systems (Atlanta)
Cited by 5 (1 self)
Abstract
In this paper we present the results of a role-play survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing and that participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users' tendency to enter information into phishing webpages by 40%; however, some of the educational materials we tested also slightly decreased participants' tendency to click on legitimate links.
Does Domain Highlighting Help People Identify Phishing Sites?
Cited by 2 (0 self)
Abstract
Phishers are fraudsters that mimic legitimate websites to steal users' credentials and exploit that information for identity theft and other criminal activities. Various anti-phishing techniques attempt to mitigate such attacks. Domain highlighting is one such approach, recently incorporated by several popular web browsers. The idea is simple: the domain name of an address is highlighted in the address bar, so that users can inspect it to determine a website's legitimacy. Our research asks a basic question: how well does domain highlighting work? To answer this, we showed 22 participants 16 web pages typical of those targeted for phishing attacks, where participants had to determine the page's legitimacy. In the first round, they judged the page's legitimacy by whatever means they chose. In the second round, they were directed specifically to look at the address bar. We found that participants fell into 3 types in terms of how they determined the legitimacy of a web page; while domain highlighting was somewhat effective for one user type, it was much less effective for the others. We conclude that domain highlighting, while providing some benefit, cannot be relied upon as the sole method to prevent phishing attacks.
The Current State of Phishing Attacks
Cited by 1 (0 self)
Abstract
Phishing is a kind of social engineering attack in which criminals use spoofed emails to trick people into sharing sensitive information or installing malware on their computers. Victims perceive these emails as associated with a trusted brand, while in
Insights into User Behavior in Dealing with Internet Attacks
Abstract
The Internet is a lucrative medium for criminals targeting Internet users. Most common Internet attacks require some form of user interaction, such as clicking on an exploit link. Hence, the problem at hand is not only a technical one; it also has a strong human aspect. Although the security community has proposed many technical solutions to common attacks, the behavior of users when they face current threats, and the way they evaluate the security implications of their actions, remain largely unexplored. In this paper we describe an online experiment platform we built for testing the behavior of users when they are confronted with prevalent, concrete attack scenarios such as reflected cross-site scripting, session fixation, and file sharing scams. We conducted experiments with 164 Internet users with diverse backgrounds. Our findings suggest that many non-technical users can exhibit performance comparable to security experts at averting relatively simple threats that they are frequently exposed to in everyday life. They can do so solely by following their intuition, without actually perceiving the severity of the threat. However, when facing more sophisticated attacks, these non-technical users often rely on misleading cues such as the "size" and "length" of artifacts (e.g., URLs), and hence fail to protect themselves. We also show that trick banners, which are common on file sharing websites, and shortened URLs have high success rates in deceiving non-technical users, thus posing a severe security risk.
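The domain-highlighting entry above describes a browser emphasising only the registrable domain in the address bar, and the abstract just above reports that non-technical users instead fall back on cues such as URL length. The Python script below is an added example, not code from any of the listed papers: it models what highlighting exposes by extracting the registrable domain of each URL (against a deliberately tiny, constructed stand-in for the Public Suffix List that real browsers consult in full), flags the deception patterns where the brand name sits in a subdomain, in the userinfo or in the path, and records URL length to show that it does not separate the look-alike from the genuine site. The brand domain mybank.example, the suffix list and every sample URL are constructed for this example.

```python
"""Added example (not from any listed paper): what domain highlighting exposes.

A domain-highlighting address bar de-emphasises everything except the
registrable domain, i.e. the label directly below the public suffix. The
suffix list below is a constructed, deliberately tiny stand-in for the real
Public Suffix List that browsers consult; the brand and all URLs are made up.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit
import ipaddress

# Constructed mini public-suffix list (assumption: sufficient for the samples).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}

# Constructed sample URLs: one legitimate login page for the made-up brand
# mybank.example, then the deception patterns the studies describe.
SAMPLE_URLS: List[str] = [
    "https://www.mybank.example/cgi-bin/webscr?cmd=_login-run&session=5885d80a13c0db1f",
    "https://www.mybank.example.verify-account.example/signin",   # brand in a subdomain
    "http://mybank.example@evil-host.example/webscr",            # brand in userinfo
    "https://secure-mybank.example/",                            # look-alike, short URL
    "http://192.0.2.10/mybank/login",                            # brand only in the path
]


def registrable_domain(host: str) -> Optional[str]:
    """Return the registrable domain (public suffix plus one label) of host.

    Returns None for IP literals and for hosts that are themselves a public
    suffix: a highlighting browser has nothing to emphasise in those cases.
    """
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host.strip("[]"))
        return None
    except ValueError:
        pass
    labels = host.split(".")
    # Scan from the full host downwards so that a multi-label suffix such as
    # co.uk is matched before a shorter one could be.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels, as a browser does for
    # a TLD missing from its list.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def highlight(url: str) -> Dict[str, object]:
    """Render the host as a highlighting address bar would (registrable domain
    upper-cased) and collect the cues users misread: userinfo and URL length."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain is None:
        shown = f"[no registrable domain: {host}]"
    else:
        shown = host[: len(host) - len(domain)] + domain.upper()
    return {
        "url": url,
        "host": host,
        "registrable_domain": domain,
        "highlighted_host": shown,
        "userinfo_present": parts.username is not None,
        "length": len(url),
    }


def is_brand_domain(url: str, brand_domain: str) -> bool:
    """True only when the registrable domain is exactly the brand's own; the
    brand name in a subdomain, the userinfo or the path does not count."""
    return registrable_domain(urlsplit(url).hostname or "") == brand_domain.lower()


def audit(urls: List[str], brand_domain: str) -> List[Dict[str, object]]:
    """Run highlight() over urls and add the verdict a careful user should reach."""
    results = []
    for url in urls:
        row = highlight(url)
        row["matches_brand"] = is_brand_domain(url, brand_domain)
        results.append(row)
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE_URLS, "mybank.example"):
        verdict = "brand" if row["matches_brand"] else "NOT brand"
        print(f"{verdict:9} len={row['length']:3} userinfo={row['userinfo_present']!s:5} "
              f"{row['highlighted_host']}")
```

Running the script prints one line per sample: only the first URL keeps MYBANK.EXAMPLE as the highlighted domain, the userinfo trick is exposed because the parser takes the host from after the `@`, the IP literal gets no highlight at all, and the longest URL in the set is the legitimate one, which is exactly why length is a misleading cue.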
The State of
- By Jason Hong
Abstract
Contributed article, doi:10.1145/2063176.2063197. "Looking past the systems people use, they target the people using the systems."
MoodyBoard evaluation (title not extracted)
Abstract
Internet users are targets of ever-advancing phishing and other attacks. The risks are, for example, disclosing credit card information or passwords to unauthorized parties. One approach to help users in insecure situations is provided by MoodyBoard, which uses ambient information to highlight potential risks. In this paper, we present findings from an evaluation of this system. Two user studies were conducted in order to find out whether an ambient security tool can protect users during sensitive tasks. We designed a pilot study to find out whether users understand the warnings and a security study to see if it helps to protect users from phishing attacks. Results show that MoodyBoard users behaved significantly more securely.