Phishing victims learn online security lesson

Phishing is often successful because many people ignore educational material that might otherwise help them

Surfers tricked by emails into visiting phishing sites are the most ready to learn lessons about online security, according to Carnegie Mellon University researchers.

Lorrie Cranor, associate research professor of computer science at Carnegie Mellon, said that phishing is often successful because many people ignore educational material that might otherwise help them recognise such frauds.

The researchers set up a laboratory study in which they fought "phire with phire".

When they sent their own spoof email to users and tricked them into visiting an educational website, those people tended to learn and retain more of the lesson about how to spot phishing sites.

Three groups of 14 volunteers participated in role-playing exercises in which they processed email, which included a mix of phishing, spam and legitimate email.

Those in the 'embedded training' group, who were given anti-phishing educational material after they had fallen for a phishing email, spent more than twice as much time studying the material than those who were presented the material without first being tricked.

Those who were presented the material without being tricked were no better at identifying phishing emails than those who received no anti-phishing educational material.

A week later, when the exercise was repeated, those in the embedded training group were significantly more successful in identifying phishing emails than those in the other two groups.

Some 64 per cent of phishing emails were identified by the embedded training group compared to seven per cent identified by the other two groups.

Cranor said that additional testing will be necessary to confirm the results. But the initial findings suggest that using the tricks of phishers, perhaps in a controlled environment, might be a good first step in educating users to protect themselves.

Ponnurangam Kumaraguru, a graduate student in the School of Computer Science's Institute for Software Research, will present the study results on 5 October at the Anti-Phishing Working Group's eCrime Researchers Summit in Pittsburgh.

The summit includes leading industrial and academic practitioners in the field of electronic crime research.