Article

Fishing for phishers. Improving Internet users' sensitivity to visual deception cues to prevent electronic fraud

Abstract

Phishing is a form of electronic fraud in which attackers attempt to steal sensitive information by posing as a legitimate entity. To maintain the attack unnoticed, phishers typically use fake sites that accurately mimic real ones. However, there are usually subtle visual discrepancies between these spoof sites and their legitimate counterparts that may help Internet users to identify their deceptive nature. Among all the potential visual cues, we choose to focus on typography, because it is often hard for phishers to use exactly the same font as in the original website. Thus, Experiment 1 assessed the effectiveness of visual discrimination training to help people detect typographical discrepancies between fake and legitimate websites. Results showed higher sensitivity to differences when undergraduate students were previously trained with easier versions of the discrimination task (i.e., involving more noticeable differences in typography) than when they were trained with the difficult target discrimination from the start (easy-to-hard effect). These results were replicated with a broader and more representative sample of anonymous Internet users in Experiment 2. Implications for the design of strategies to prevent electronic fraud are discussed.

... Despite being persuaded to click on the link, users still have an option to avoid being phished. The resulting websites sometimes present typographical errors and visual discrepancies related to the typeface, design layout, or logos [51]. So users, if paying attention, could spot misspellings, grammatical errors, inconsistency between mobile and desktop versions, and perhaps deprecated logos. ...
... Most of them were college graduates (60.1%), followed by high school graduates (28.3%), post graduates (10.4%) and only 2% participants with less than a high school education. Age-wise, 45.7% were in the 35-44 bracket, 24.3% in 25-34, 13.9% in 45-54, 9.8% in 55-64, and 6.4% in 18-24. Asked about their QR code usage, 32.4% reported using QR codes "regularly," 56.1% "only when QR codes were preferred" type of information exchange, and 11.6% said "only when QR codes were required." ...
... Most of them were college graduates (58.1%), followed by high school graduates (32.3%), post graduates (8.9%) and only 0.1% participants with less than a high school education. Age-wise, 44.4% were in the 35-44 bracket, 24.2% in 25-34, 12.9% in 45-54, 15.3% in 55-64, and 3.2% in 18-24. Table 5 shows the distribution of the user preferences with the average QAS score and standard deviation for each choice. ...
Full-text available
Preprint
The COVID-19 pandemic enabled "quishing", or phishing with malicious QR codes, as they became a convenient go-between for sharing URLs, including malicious ones. To explore the quishing phenomenon, we conducted a 173-participant study where we used a COVID-19 digital passport sign-up trial with a malicious QR code as a pretext. We found that 67% of the participants were happy to sign up with their Google or Facebook credentials, 18.5% to create a new account, and only 14.5% to skip the sign-up. Convenience was the single most cited factor for the willingness to yield participants' credentials. Reluctance to link personal accounts with new services was the reason for creating a new account or skipping the registration. We also developed a Quishing Awareness Scale (QAS) and found a significant relationship between participants' QR code behavior and their sign-up choices: those choosing to sign up with Facebook scored the lowest, while those choosing to skip scored the highest on average. We used our results to propose quishing awareness training guidelines and to develop and test usable security indicators for warning users about the threat of quishing.
... The negative nature of these online activities can damage and distort adolescents' mental development (Kor et al., 2014;Arora, 2016;Lazuras et al., 2017). Many previous studies have indicated that cyberbullying, Internet pornography, and Internet fraud may negatively affect multiple aspects of adolescents' mental health and behavioral problems (Kor et al., 2014;AlBuhairan et al., 2017;Allen et al., 2017;Lazuras et al., 2017;Moreno-Fernández et al., 2017;Savage and Tokunaga, 2017). ...
... As a relatively new form of crime, Internet fraud affects the daily lives of numerous people. Internet fraud can occur in multiple forms (Aleem and Antwi-Boasiako, 2011;Vahdati and Yasini, 2015;Arora, 2016;Moreno-Fernández et al., 2017), such as advance fee fraud schemes, credit or debit card fraud, spoofing and phishing, spam, and Internet auction fraud. Among these, Internet auction fraud is the most ubiquitous type of Internet fraud (Aleem and Antwi-Boasiako, 2011;Vahdati and Yasini, 2015;Arora, 2016). ...
... Although Internet fraud has become a matter of global interest and importance and gained much attention from scholars, little research has been conducted, and literature is sparse. A large proportion of existing research that has explored the effects of Internet fraud has often only discussed financial losses and the factors affecting Internet fraud (Aleem and Antwi-Boasiako, 2011;Vahdati and Yasini, 2015;Arora, 2016;Moreno-Fernández et al., 2017). To our knowledge, no empirical study has directly examined the relationship between Internet fraud and PIU. ...
Full-text available
Article
Although numerous studies have examined the factors influencing problematic Internet use (PIU), few studies have investigated the interactions between inappropriate physical and mental health (e.g., cyberbullying, Internet pornography, and Internet fraud) as factors facilitating PIU and examined the moderating effect of community bond. Thus, this study analyzed the moderating role of community bond in the relationship between cyberbullying, Internet pornography, Internet fraud, and PIU. Using a cross-sectional survey, adolescents were surveyed through self-report questionnaires. A total of 5,211 responses were received from participant students at 60 senior high schools in Taiwan. Statistical analyses were performed using structural equation modeling. The results indicated that cyberbullying, Internet pornography, Internet fraud, and community bond have significant positive effects on PIU. Community bond has a significant moderating effect in the relationship between cyberbullying, Internet fraud, and the PIU of adolescents. Parental Internet attitude and behavior were found to significantly moderate the relationship between inappropriate physical and mental health, community bond, and PIU. The results suggest that public health and education policies should focus more on adolescents who require additional assistance. Furthermore, school policies could be more informed in regard to relevant psychosocial variables and patterns of Internet use. Finally, this study may serve as a reference for parents, schools, and government education authorities.
... Multiple Comparisons Problem: We noticed that several papers, e.g., [61], [217], [222], [224]-[226], [232]-[234], [238], [241], [242], [246], [247], [249], [263], made their statistically significant conclusion by running multiple tests on a single dependent variable. The multiple comparisons problem causes incorrect rejection of the null hypothesis if not accompanied by p-value adjustment (it increases type 1 error) [267]. ...
... [Table residue from the cited survey: user studies grouped by setting (Lab vs. Real), participant population (Student, Employee, Unrestricted) and stimulus shown (Email vs. Webpage), listed by citation number; entries marked "a" are studies that only asked participants about their vulnerability (Q/A) instead of showing them the email/website.] ... [211] and [214] used Functional Magnetic Resonance Imaging (fMRI) and Electroencephalogram (EEG) to measure the brain's electrical activity, and an eye-tracker, to have a better understanding of users' decision-making process. They used both existing phishing websites (by downloading and hosting them on their own network) and manually created ones. ...
Preprint
Phishing and spear-phishing are typical examples of masquerade attacks since trust is built up through impersonation for the attack to succeed. Given the prevalence of these attacks, considerable research has been conducted on these problems along multiple dimensions. We reexamine the existing research on phishing and spear-phishing from the perspective of the unique needs of the security domain, which we call security challenges: real-time detection, active attacker, dataset quality and base-rate fallacy. We explain these challenges and then survey the existing phishing/spear phishing solutions in their light. This viewpoint consolidates the literature and illuminates several opportunities for improving existing solutions. We organize the existing literature based on detection techniques for different attack vectors (e.g., URLs, websites, emails) along with studies on user awareness. For detection techniques, we examine properties of the dataset, feature extraction, detection algorithms used, and performance evaluation metrics. This work can help guide the development of more effective defenses for phishing, spear-phishing, and email masquerade attacks of the future, as well as provide a framework for a thorough evaluation and comparison.
... Technical measures, such as spam filters, spell checking software, monitoring spoofed website domains, etc., all have their own merits. However, they remain reactive as they are ultimately conceived as a response to certain methods (Jakobsson, 2016; Moreno-Fernández, Blanco, Garaizar, & Matute, 2017). Perpetrators can adapt to these measures, which is illustrated by their continuously growing level of sophistication. ...
... Online trainings, contextual learning 1, embedded training 2 and interactive games 3 have all been shown to be effective in improving users' security (Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010). People are trained for example on recognizing certain linguistic characteristics (Tabron, 2016) or on visceral discrimination tactics (Moreno-Fernández, Blanco, Garaizar, & Matute, 2017). These trainings are key to closing the 'knowing-doing gap' to which we referred earlier. ...
... These trainings are key to closing the 'knowing-doing gap' to which we referred earlier. Awareness raising leads to a better understanding of the phenomenon, but not necessarily to an increased application of this knowledge to one's particular situation (Moreno-Fernández, Blanco, Garaizar, & Matute, 2017). A combination of both awareness raising and training seems to have the most benefits (Cross, Richards, & Smith, 2016; Europol, 2016; Bullée, J.-W., Montoya, Junger, & Hartel, 2016). ...
Full-text available
Article
The 13th toolbox in the series published by the EUCPN Secretariat focusses on the main theme of the Bulgarian Presidency: fraud, with a special focus on phone scams. As fraud covers a whole range of topics, we decided to narrow down our focus to individual fraud. This entails frauds committed against individuals by individuals or criminal organisations. Increasingly, this type of fraud has become a profitable and cross-border enterprise; some scholars even call these offenders 'scampreneurs'. Consequently, this type of crime deserves an EU-wide approach. This is also made apparent in the policy paper which is written in tandem with this toolbox. This toolbox consists of three parts. The first tries to lay out the current intelligence picture on individual fraud. We discuss interesting good practices in the second part and also posit some recommendations on how to prevent phone scams. These good practices are listed in the third part. An executive summary is also provided to the reader.
... It is seen by other researchers as a science that uses social interaction as a way to persuade individuals or an organisation to act on a request using a computer-related entity [5]. Reviewing other past work on human behaviour, [6] related the inability of participants to pay attention to security indicators of websites even after gaining little awareness. Such and much older works of [7] have shown phishing success due to human behaviours, which has inevitably put man as the weakest link in the security chain. ...
... More include using image hyperlinks to mask a fraudulent site, image mimicking windows, window masking, placing a rogue window on top of a legitimate window, and deceptive website look and feel that could constitute tone of language, misspellings and typeface. Phishers tend to use typefaces that mimic the original typeface of a website, among other features [6], [7]. Dhamija et al. acknowledged that protective indicators do not hinder users from being phished by the above-mentioned deception methods used by attackers, particularly when users lack attention in noticing security indicators and lack attention to the absence of these security indicators. ...
... The rapid development of the Internet provides complete facilities and ease for its users, especially as a medium of communication and data transmission. If you look at the existing data, along with the development of the internet and applications that require the internet, the number of crimes in the world of information systems is also increasing [1]. The Identity Theft Resource Centre (ITRC) revealed there were 668 cases of cybercrime occurring, with a total of 22,408,258 lost data records, from January to July 2018 [2]. ...
... An application product is categorized or called "usable" if it meets the criteria of useful, efficient, effective, satisfying, learnable, and accessible. The System Usability Scale (SUS) is an effective and reliable usability testing package for use in various products and applications [11]. This SUS test has 10 questions using a Likert scale of 1 to 5. Each odd-numbered question (1,3,5,7,9) is a positive question, while each even-numbered question (2,4,6,8,10) is a negative question. ...
Full-text available
Article
The Identity Theft Resource Centre revealed there were 668 cases of cybercrime occurring, with a total of 22,408,258 lost data records, from January to July 2018. It indicates that there was a vulnerability in the defences against attacks carried out through the internet. Thus, the world of information systems should also be accompanied by a high level of security. The stages of system development started from the analysis of system requirements, the design of the UML, implementation, and testing. The testing process was divided into two phases. Firstly, system output testing in the form of a stego image against various criteria, namely imperceptibility, fidelity, recovery, robustness, and histogram. Secondly, system feasibility testing using the SUS method. Based on the results, it was revealed that the merging of the Blowfish cryptographic method and end-of-file steganography was not very effective because, based on the output testing with the robustness criterion, it was proven that the message inserted into the image was damaged during extraction. The change in size from the original cover to the resulting stego image was an increase in file size with a ratio of 1:5.5, meaning that each created stego image was five times the size of the original image.
... However, while it has been shown that security education training campaigns have indeed had an impact on user awareness of security threats, this has not produced the desired results, as users who consider themselves to be aware of security threats have not demonstrated actual awareness (Caldwell, 2016). Furthermore, when faced with phishing, users may be preoccupied with other activities and thus not motivated to consider the security aspects associated with the threat (Moreno-Fernández et al., 2017). As such, to save time and effort, users may resort to various "cognitive shortcuts" when attempting to make decisions about the authenticity of a message (Vishwanath et al., 2011). ...
... This can be effectively achieved by impersonating trustworthy or reputable sources such as a financial institution, government agency or the victim's own employer organisation. Phishers also make use of visual cues by replicating corporate logos and slogans of organisations to increase the users' trust in the message (Moreno-Fernández et al., 2017). The content and arguments in the body of the message can also effectively trigger human emotions (e.g. ...
Article
Today, the traditional approach used to conduct phishing attacks through email and spoofed websites has evolved to include social network sites (SNSs). This is because phishers are able to use similar methods to entice social network users to click on malicious links masquerading as fake news, controversial videos and other opportunities thought to be attractive or beneficial to the victim. SNSs are a phisher's “market” as they offer phishers a wide range of targets and take advantage of opportunities that exploit the behavioural vulnerabilities of their users. As such, it is important to further investigate aspects affecting behaviour when users are presented with phishing. Based on the literature studied, this research presents a theoretical model to address phishing susceptibility on SNSs. Using data collected from 215 respondents, the study examined the mediating role that information processing plays with regard to user susceptibility to social network phishing based on their personality traits, thereby identifying user characteristics that may be more susceptible than others to phishing on SNSs. The results from the structural equation modeling (SEM) analysis revealed that conscientious users were found to have a negative influence on heuristic processing, and are thus less susceptible to phishing on SNSs. The study also confirmed that heuristic processing increases susceptibility to phishing, thus supporting prior studies in this area. This research contributes to the information security discipline as it is one of the first to examine the effect of the relationship between the Big Five personality model and the heuristic-systematic model of information processing.
... Multiple Comparisons Problem: We noticed that several papers, e.g., [216], [218], [222], [224]-[226], [232]-[234], [238], [241], [242], [246], [247], [249], [263], made their statistically significant conclusion by running multiple tests on a single dependent variable. The multiple comparisons problem causes incorrect rejection of the null hypothesis if not accompanied by p-value adjustment (it increases type 1 error) [267]. ...
... Another missing study is a comparison between conducting the same experiment in the lab and in a real-world situation. There is only one study in which the experiment was conducted in both a real and a lab environment [216]. Researchers first ran the experiment in the lab to have more control, and then, to increase confidence and power (by increasing the number of participants), they did the experiment in a real scenario. ...
Article
Phishing and spear phishing are typical examples of masquerade attacks since trust is built up through impersonation for the attack to succeed. Given the prevalence of these attacks, considerable research has been conducted on these problems along multiple dimensions. We reexamine the existing research on phishing and spear phishing from the perspective of the unique needs of the security domain, which we call security challenges: real-time detection, active attacker, dataset quality and base-rate fallacy. We explain these challenges and then survey the existing phishing/spear phishing solutions in their light. This viewpoint consolidates the literature and illuminates several opportunities for improving existing solutions. We organize the existing literature based on detection techniques for different attack vectors (e.g., URLs, websites, emails) along with studies on user awareness. For detection techniques we examine properties of the dataset, feature extraction, detection algorithms used, and performance evaluation metrics. This work can help guide the development of more effective defenses for phishing, spear phishing and email masquerade attacks of the future, as well as provide a framework for a thorough evaluation and comparison.
... Since phishing attacks usually take advantage of users' careless behaviors or ignorance in using networking tools, it is a hard problem to resolve permanently [2]. Aiming at mitigating the threat of phishing attacks, many approaches have been proposed to train and educate end users to recognize and detect phishing URLs [3] [4]. These approaches take effect to some extent by periodically sending messages to warn end users of potential phishing threats. ...
... (2) for i=1 to n do
(3) for j=1 to m do
(4) Calculate P(Ax=positive and y=positive) and P(Bx=negative and y=negative) for all features
(5) Calculate FVV values for each feature by equation (1) and store them in an ordered table;
(6) end for;
(7) end for;
(8) for i=1 to m do
(9) if the FVV value of a feature > (according to equation (2))
(10) ...
Article
Phishing attacks are now a big threat to people's daily life and networking environment. By disguising illegal URLs as legitimate ones, attackers can induce users to visit the phishing URLs to obtain private information and other benefits. Effective methods of detecting phishing websites are urgently needed to alleviate the threats posed by phishing attacks. Because of its ability to learn actively from massive data sets, the neural network is widely used to detect phishing attacks. However, in the stage of training on data sets, many useless and low-influence features will trap the neural network model in the problem of over-fitting. This problem usually results in a trained model that cannot effectively detect phishing websites. In order to alleviate this problem, this paper proposes OFS-NN, an effective phishing website detection model based on an optimal feature selection method and a neural network. In the proposed OFS-NN, a new index (FVV, Feature Validity Value) is first introduced to evaluate the impact of sensitive features on phishing website detection. Then, based on the new FVV index, an algorithm is designed to select optimal features from the phishing websites. This algorithm is able to alleviate the over-fitting problem of the underlying neural network to a large extent. The selected optimal features are used to train the underlying neural network and, finally, an optimal classifier is constructed to detect phishing websites. The experimental results show that the OFS-NN model is accurate and stable in detecting many types of phishing websites.
... To address fraud's financial, health, and psychological impact (Button, Lewis, & Tapley, 2014), on millions of people across the globe, several researchers have developed conceptual models or analyzed existing data sets to reach a better understanding of the phenomena. Jones et al. (2015; see also Moreno-Fernandez et al., 2017) have suggested that three factors underlie individuals' willingness to respond to an MMS solicitation: (i) persuasive techniques employed by the sender, (ii) information processing of the user, and (iii) 'userX,' that is, the human-computer interaction or consumer/solicitation context. The authors' intuition resonates well with Simon's (1990, p. 7) intuition that decision-making is 'shaped by scissors whose blades are the structure of task environments and the computational capabilities of the actor.' ...
Full-text available
Article
Mass marketing scams (MMSs) impact millions of people with financial losses in the billions. Understanding what types of MMSs work is key to reducing the compliance rate. Inspired by Simon’s work, we designed an experiment to examine how four different types of MMSs impact interest in and intention to respond to solicitations. We first conducted a cluster analysis on 215 actual MMS solicitations. The analysis revealed four distinct types of solicitations: negative-cold, one-reward letters, high emotionality, high scarcity letters where the prize is mentioned often, very colorful multi-prize letters, and low emotionality, low scarcity cold letters. In a second experiment, 281 participants (recruited on MTurk) were randomly assigned to read one of the four types of solicitations. Our data revealed differences in intention to respond by sending money. Furthermore, younger (vs. older) individuals indicated a higher interest in the solicitation and higher intention to send in money and rated the solicitations as significantly more beneficial and less risky. Finally, perceptions of risks and benefits were the main driving force behind compliance beyond interest and intention to comply. In line with Simon’s ideas, our study highlights the need to examine both the environment (the types of solicitations) and the decision-maker.
... Papers evaluating instructor-led lectures: A20: [26], A21: [49], A22: [11], A23: [51], A24: [24], A25: [9], A26: [50]. Situation aware (papers evaluating training delivered in a situation where it is usable): A27: [29]. General 1 (evaluates the impact of progression in difficulty of material): A28: [33]. General 2 (evaluated how a variety of simultaneous methods affected phishing resilience in an organization). Table 1. List of included papers and initial categorization ...
Chapter
The human aspect of cybersecurity continues to present challenges to researchers and practitioners worldwide. While measures are being taken to improve the situation, a vast majority of security incidents can be attributed to user behavior. Security and Awareness Training (SAT) has been available for several decades and is commonly given as a suggestion for improving the cybersecurity behavior of end-users. However, attackers continue to exploit the human factor suggesting that current SAT methods are not enough. Researchers argue that providing knowledge alone is not enough, and some researchers suggest that many currently used SAT methods are, in fact, not empirically evaluated. This paper aims to examine how SAT has been evaluated in recent research using a structured literature review. The result is an overview of evaluation methods which describes what results that can be obtained using them. The study further suggests that SAT methods should be evaluated using a variety of methods since different methods will inevitably provide different results. The presented results can be used as a guide for future research projects seeking to develop or evaluate methods for SAT.
... 3. Then, we will repeat steps 1 and 2 and build more and more trees until we are satisfied with the resultant number of trees. 4. As we go in the classification end of the algorithm. ... (Running journal footer: ISSN: 2005-4238 IJAST, Copyright ⓒ 2020 SERSC)
Full-text available
Article
The internet has been a great resource to everybody in the 21st century. After the development of the internet, the criminal elements also updated to the information age. The criminal elements have been responsible for the biggest data breaches in the history of the internet. These forces are using several methods to infiltrate the common people's information and data. One of the main methods is phishing by means of malicious websites. In order to stop these crimes and protect civilians from visiting these malicious websites, we propose a machine learning based protection system. The websites are categorised into three types: benign, spam and malicious. The ML system will classify the websites into these three categories, and our system will investigate the UNIFORM RESOURCE LOCATOR (URL) without getting to the core of the malignant web locales. It will kill the run-time inactivity of the websites; we keep the clients and general public safe. By using machine-learning techniques, our program accomplishes best execution on simplification; the inclusion contrasted and boycotting the general internet. Index Terms: Machine Learning, Random forest algorithm, Natural language processing.
... The data visualization and experiment results of CPU consumption are depicted in Figure 5. In this experiment, our proposed Anti-Phisher Extension (APE) is compared with similar types of phishing detection approaches, such as phishing for Phishers (FP) [14], Phishing Tweet Detection (PTD) [15], and Remove-Replace Feature Selection (RRFS) [16]. As illustrated in Figure 5, our proposed approach (APE) uses the minimal % CPU consumption as compared to other contending approaches. ...
Conference Paper
Phishing sends malicious links or attachments through emails that can perform various functions, including capturing the victim's login credentials or account information. These emails harm the victims, cause money loss, and identity theft. In this paper, we contribute to solving the phishing problem by developing an extension for the Google Chrome web browser. In the development of this feature, we used JavaScript PL. To be able to identify and prevent the phishing attack, a combination of Blacklisting and semantic analysis methods was used. Furthermore, a database for phishing sites is generated, and the text, links, images, and other data on-site are analyzed for pattern recognition. Finally, our proposed solution was tested and compared to existing approaches. The results validate that our proposed method is capable of handling the phishing issue substantially.
... • Analyzing users' reasoning to understand the relationship between their knowledge and their detection ability. Unlike results in [44], we observe that participants are better at distinguishing legitimate and phishing attacks as they pay attention to more clues. ...
Conference Paper
Why do "classical" attacks such as phishing, IRS scams, etc., still succeed? How do attackers increase their chances of success? How do people reason about scams and frauds they face daily? More research is needed on these questions, which is the focus of this paper. We take a well-known attack, viz. company representative fraud, and study several parameters that bear on its effectiveness with a between-subjects study. We also study the effectiveness of a coherent language generation technique in producing phishing emails. We give ample room for the participants to demonstrate their reasoning and strategies. Unfortunately, our experiment indicates that participants are inadequately prepared for dealing with even the company representative fraud. Participants also could not differentiate between offers written by human or generated semi-automatically. Moreover, our results show attackers can easily increase their success rate by adding some basic information about the sender, so defenders should focus more on such attacks. We also observed that participants who paid attention to more clues were better in distinguishing legitimate messages from phishing, hence training regimes should check for reasoning strategies, not just who did not click on a link or download an attachment. Thus, insights from our work can help defenders in developing better strategies to evaluate their defenses and also in devising more effective training strategies.
... Many of these databases contain valuable information (e.g., personal and financial details) making them a frequent target of hackers. Some hackers, for example, may maliciously inject code within vulnerable web applications to hoax users and redirect them towards phishing sites [7] [8]. ...
... Jones, Towse, and Race [5] reviewed a disparate literature and articulated three different (potentially interrelated) theoretical psychological influences on email judgments. Firstly, the persuasiveness of the email message, such as its familiarity and the subtlety of fraud cues [6,7,8]. Secondly, the cognitive processing deployed in making legitimacy judgments, for example a reliance on more rational processing predicts lower trust in emails [9]. ...
Article
Decisions that we make about email legitimacy can result in a pernicious threat to security of both individuals and organisations. Yet user response to phishing emails is far from uniform; some respond while others do not. What is the source of this diversity in decision-making? From a psychological perspective, we consider cognitive and situational influences that might explain why certain users are more susceptible than others. Alongside an email judgment task employed as a proxy for fraud susceptibility, 224 participants completed a range of cognitive tasks. In addition, we manipulated time pressure for email legitimacy judgments. We identify cognitive reflection and sensation seeking as significant, albeit modest, predictors of susceptibility. Further to this, participants asked to make quicker responses made more judgment errors. We conclude there are cognitive signatures that partially contribute to email fraud susceptibility, with implications for efforts to limit online security breaches and train secure behaviors.
... As previous research has found (Junger et al., 2017), priming and warnings are also not effective to prevent social engineering attacks and so work is urgently needed on how to improve cyber security educational websites. Developers need to be mindful that their sites need to cater for a range of different types of users, using effective messaging and visualisations (Moreno-Fernández et al., 2017). Moreover, given that impulsive individuals are more susceptible to becoming scammed, information needs to be concise, easily accessible, engaging and actionable. ...
Article
Purpose: This paper develops a theoretical framework to predict susceptibility to cyber-fraud victimhood. Design/methodology/approach: A survey was constructed to examine whether personality, socio-demographic characteristics, and online routine activities predicted one-off and repeat victimhood of cyber-fraud. Overall, 11,780 participants completed a survey (one-off victims, N = 728; repeat victims, N = 329). Findings: The final saturated model revealed that psychological and socio-demographic characteristics and online routine activities should be considered when predicting victimhood. Consistent with the hypotheses, victims of cyber-frauds were more likely to: be older, score high on impulsivity measures of urgency and sensation seeking, score high on addictive measures, and engage in more frequent routine activities that place them at greater risk of becoming scammed. There was little distinction between one-off and repeat victims of cyber-frauds. Originality/value: This work uniquely combines psychological, socio-demographic and online behaviours to develop a comprehensive theoretical framework to predict susceptibility to cyber-frauds. Importantly, the work here challenges the current utility of government websites to protect users from becoming scammed and provides insights into methods that might be employed to protect users from becoming scammed.
... If a user enters his/her data, phishers will access the private information. Certain websites such as PayPal, EBay, and online banks are common targets of phishing activities [5]. ...
Article
Phishing websites are fake ones that are developed by ill-intentioned people to imitate real and legal websites. Most of these types of web pages have high visual similarities to hustle the victims. The victims of phishing websites may give their bank accounts, passwords, credit card numbers, and other important information to the designers and owners of phishing websites. The increasing number of phishing websites has become a great challenge in e-business in general and in electronic banking specifically. In the present study, a novel framework based on model-based clustering is introduced to fight against phishing websites. First, a model is developed out of those websites that already have been identified as phishing websites as well as real websites that belong to the original owners. Then each new website is compared with the model and categorized into one of the model clusters by a probability. The analyses reveal that the proposed algorithm has high accuracy.
... The problem for the fraudster stays however: he needs to move the victim into a mindset where he engages in an exploitive interaction (Burgard & Schlembach, 2013). Mostly, social engineering of the victim takes place in order to achieve this (Moreno-Fernández, Blanco, Garaizar, & Matute, 2017). ...
Article
This paper is written by the EUCPN Secretariat following the topic of the Estonian Presidency of the Network, which is Cyber Safety. It gives a theoretical insight in what Cyber Safety is. Furthermore, we take interest in what the exact object is of cybercrime and have a deeper look into two European policy priorities, namely cyber-attacks and payment fraud. Moreover, these priorities are the subject of the European Crime Prevention award. The goal of this paper is to add to the digital awareness of local policy-makers and practitioners on a theoretical level. A toolbox will follow with legislative measures, existing policies and best practices on this topic.
Article
Innovations are taking up new roles in all fields. It still has a crucial role in Internet technology, as the ease with which the Internet is available everywhere and accessible from any device has resulted in a slew of cyber-attacks. A prevalent scenario during and before a pandemic is phishing, which is accomplished by smartly altering the URL to look like a legitimate one and then redirecting the user to other sites and extracting personal information. The benchmark URL datasets used for the study consider an equal balance between phishing/malicious URLs and benign/legitimate URLs. URLs are parsed in this procedure to extract valuable elements that aid in the identification of URL phishing. Our research emphasized using different machine learning boosting algorithms such as Extreme Gradient Boosting, Light Gradient Boosting, Adaptive Boosting, and Gradient Boosting, and achieved an accuracy of more than 98% for most of the algorithms considered.
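The abstract above (and the two URL-classification abstracts earlier on this page) describe parsing a URL into lexical features that a tree-based model then learns from, but none of them show what those features look like. The following is an added example, not code from any of the cited papers: it extracts the kind of host and path features such models split on, flags the classic brand-in-the-wrong-place trick ("paypal.com" as a subdomain or userinfo of an attacker's host), and combines them in a transparent hand-weighted score that stands in for a trained booster. The feature set, the weights, the brand list and the two-label approximation of the registrable domain (a real deployment would consult the Public Suffix List) are all assumptions of this example, and the sample URLs are constructed.

```python
"""Lexical URL features for phishing triage (added example, constructed inputs)."""
import ipaddress
from typing import Dict, List
from urllib.parse import SplitResult, urlsplit


def _split(url: str) -> SplitResult:
    # urlsplit needs a scheme to recognise the host part
    return urlsplit(url if "://" in url else "http://" + url)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """ASSUMPTION: last two labels. 'paypal.co.uk' would need the Public Suffix List."""
    if _is_ip(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def url_features(url: str) -> Dict[str, object]:
    """Numeric/boolean features a tree model could split on."""
    p = _split(url)
    host = (p.hostname or "").lower()
    labels = host.split(".") if host else []
    ip_host = _is_ip(host)
    return {
        "url_len": len(url),
        "host_len": len(host),
        "n_dots": host.count("."),
        "n_subdomains": 0 if ip_host else max(len(labels) - 2, 0),
        "ip_host": ip_host,
        "has_at": "@" in p.netloc,            # userinfo hides the real host: brand@evil
        "hyphen_in_host": "-" in host,
        "punycode": any(l.startswith("xn--") for l in labels),  # IDN homograph carrier
        "n_digits": sum(ch.isdigit() for ch in url),
        "https": p.scheme == "https",
        "n_query_params": len([q for q in p.query.split("&") if q]),
        "path_depth": len([s for s in p.path.split("/") if s]),
    }


def brand_misplacement(url: str, brands: List[str]) -> List[str]:
    """Brands that appear in the URL but do not own the registrable domain.
    'www.paypal.com/signin' is clean; 'paypal.com.secure-login.example' is not."""
    p = _split(url)
    host = (p.hostname or "").lower()
    owner = registrable_domain(host).split(".")[0]
    haystack = (p.netloc + p.path + p.query).lower()   # netloc keeps userinfo
    return [b for b in brands if b != owner and b in haystack]


def risk_score(url: str, brands: List[str]) -> int:
    """Hand-weighted stand-in for the boosting models (ASSUMED weights, not trained)."""
    f = url_features(url)
    score = 0
    score += 3 if f["ip_host"] else 0
    score += 3 if f["has_at"] else 0
    score += 2 if f["punycode"] else 0
    score += 1 if f["n_subdomains"] >= 2 else 0
    score += 1 if f["hyphen_in_host"] else 0
    score += 1 if f["url_len"] > 75 else 0
    score += 3 if brand_misplacement(url, brands) else 0
    return score


# Constructed sample URLs (not from any dataset)
BRANDS = ["paypal"]
SAMPLE_URLS = [
    "https://www.paypal.com/signin",                        # legitimate shape
    "https://paypal.com.secure-login.example/signin",       # brand as subdomain
    "http://paypal.com@198.51.100.7/login",                  # brand in userinfo, IP host
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(risk_score(u, BRANDS), brand_misplacement(u, BRANDS), u)
```

Scores of 0, 5 and 9 for the three constructed URLs show the ordering a model would be expected to learn; in practice these features feed the booster and the threshold is tuned on labelled data, not fixed by hand as here.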
Article
Several previous studies have investigated user susceptibility to phishing attacks. A thorough meta-analysis or systematic review is required to gain a better understanding of these findings and to assess the strength of evidence for phishing susceptibility of a subpopulation, e.g., older users. We aim to determine whether an effect exists; another aim is to determine whether the effect is positive or negative and to obtain a single summary estimate of the effect. OBJECTIVES: We systematically review the results of previous user studies on phishing susceptibility and conduct a meta-analysis. METHOD: We searched four online databases for English studies on phishing. We included all user studies in phishing detection and prevention, whether they proposed new training techniques or analyzed users' vulnerability. FINDINGS: A careful analysis reveals some discrepancies between the findings. More than half of the studies that analyzed the effect of age reported no statistically significant relationship between age and users' performance. Some studies reported older people performed better while some reported the opposite. A similar finding holds for the gender difference. The meta-analysis shows: 1) a significant relationship between participants' age and their susceptibility 2) females are more susceptible than males 3) users training significantly improves their detection ability.
Chapter
Security systems are often the target of cyber-criminals and professional hackers, but often they fail in hiding all traces of the attack, thereby leaving critical evidence that could lead to identifying and arresting the criminal. However, hacking skills vary from one hacker to another depending on the hacker's personal traits, behavior, and intellectual tendencies. The aim of this study is to develop a proposed descriptive model of the behavioral patterns and motives of hackers based on programmable psychological theories, modeled using object-oriented programming models. The study proposes a descriptive model of an inverse algorithm that simulates Holland's Theory of Behavioral Patterns. Findings show that this descriptive model is applicable to be produced as a code map for the human resources of an investigative nature.
Conference Paper
Security awareness and education programmes are rolled out in more and more organisations. However, their effectiveness over time and, correspondingly, appropriate intervals to remind users' awareness and knowledge are an open question. In an attempt to address this open question, we present a field investigation in a German organisation from the public administration sector. With overall 409 employees, we evaluated (a) the effectiveness of their newly deployed security awareness and education programme in the phishing context over time and (b) the effectiveness of four different reminder measures, administered after the initial effect had worn off to a degree that no significant improvement over before its deployment was detected anymore. We find a significantly improved performance of correctly identifying phishing and legitimate emails directly after and four months after the programme's deployment. This was not the case anymore after six months, indicating that reminding users after half a year is recommended. The investigation of the reminder measures indicates that measures based on videos and interactive examples perform best, lasting for at least another six months.
Conference Paper
The Deloitte report (2015) on cybersecurity trends states that emerging technologies, coupled with a shifting threat profile, are challenging organizations to deal more and more with sophisticated "bad actors" that are motivated, skilled, and adaptable [1]. There is little doubt that cybercrime is growing more rapidly than cybersecurity measures are able to deal with, and businesses and governments have never been more at risk from cyberattacks. In this paper, we ask the question, 'What are some of the robust data governance practices that can be put in place to forestall cybercrime?' We also ask the question, 'Are there some research papers that have been published to address this concern?' We then took a deep dive into extant literature to find out. Furthermore, we propose a cybercrime mitigation framework using robust data governance. Our literature synthesis revealed that there is little research that investigated the concept of data governance and cybercrime together, which leads us to propose research hypotheses for a future quantitative research.
Article
Phishing is a form of social engineering crime used to deceive victims by directing them to a fraudulent website where their private and confidential information is collected for further illegal actions. Phishing attacks, which traditionally targeted email users, have now targeted users at Online Social Networks (OSNs) such as Twitter, Facebook, Myspace, etc. Twitter has become so prevalent for phishers to spread phishing attacks nowadays due to its vast information dissemination and because, unlike email, it is difficult to detect. As such, the effectiveness of a security alert to prompt Twitter users for a tweet containing a phishing Uniform Resource Locator (URL) in real time is crucial. Many solutions have been proposed, but their effectiveness is inadequate and doubtful. In this paper, we propose an effective security alert mechanism making use of a classification model derived from the supervised machine learning technique of Random Forest (RF); the identified 11 best classification features yielded 94.75% accuracy, higher than the 94.56% yielded by other researchers who used more than 11 features trained on the same dataset collected from Twitter. To determine its effectiveness, we used 200 phishing URLs collected from Twitter and PhishTank respectively. From our experiment, we are able to justify that the proposed security alert mechanism managed to prompt the security alert to Twitter users in real time with 97.50% effectiveness.
Chapter
Phishing is the act of sending e-mails pretending to be from genuine financial organizations and requesting private info such as username and password. Information security awareness of phishing attacks becomes the first line of data protection defence. Human factors are recognized as the main factors in addressing the issue of information security in online banking. Thus, identifying the issues and factors that influence information security awareness of phishing attacks is important. A preliminary investigation involving nine (9) professionals and academics using online banking has been conducted to obtain a better understanding of the critical factors that may influence the information security awareness of phishing attacks. The in-depth interview method is selected in this study. Thematic coding was conducted to characterise the themes and assess the factors found to be most influential. Results from the in-depth interviews with customers experienced in online banking showed that there are six (6) main themes that may influence the degree to which information security may be learned. Security concerns, security attentiveness, user competency, computer knowledge, gender as well as the number of years of PC usage are the themes addressed by the key informants. These factors influence information security awareness of phishing attacks from the perspective of bank customers. In this investigation, we expect that the rate of phishing depends on six (6) principal factors likely to be prey to malicious phishers. This can be considered as the correlation between the background of the bank customers and their understanding in deploying online banking safety.
Chapter
The internet provides an ever-expanding, valuable resource for entertainment, communication, and commerce. However, this comes with the simultaneous advancement and sophistication of cyber-attacks, which have serious implications on both a personal and commercial level, as well as within the criminal justice system. Psychologically, such attacks offer an intriguing, under-exploited arena for the understanding of the decision-making processes leading to online fraud victimisation. In this chapter, the authors focus on approaches taken to understand response behaviour surrounding phishing emails. The chapter outlines how approaches from industry and academic research might work together to more effectively understand and potentially tackle the persistent threat of email fraud. In doing this, the authors address alternative methodological approaches taken to understand susceptibility, key insights drawn from each, how useful these are in working towards preventative security measures, and the usability of each approach. It is hoped that these can contribute to collaborative solutions.
Article
Objective: We use signal detection theory to measure vulnerability to phishing attacks, including variation in performance across task conditions. Background: Phishing attacks are difficult to prevent with technology alone, as long as technology is operated by people. Those responsible for managing security risks must understand user decision making in order to create and evaluate potential solutions. Method: Using a scenario-based online task, we performed two experiments comparing performance on two tasks: detection, deciding whether an e-mail is phishing, and behavior, deciding what to do with an e-mail. In Experiment 1, we manipulated the order of the tasks and notification of the phishing base rate. In Experiment 2, we varied which task participants performed. Results: In both experiments, despite exhibiting cautious behavior, participants’ limited detection ability left them vulnerable to phishing attacks. Greater sensitivity was positively correlated with confidence. Greater willingness to treat e-mails as legitimate was negatively correlated with perceived consequences from their actions and positively correlated with confidence. These patterns were robust across experimental conditions. Conclusion: Phishing-related decisions are sensitive to individuals’ detection ability, response bias, confidence, and perception of consequences. Performance differs when people evaluate messages or respond to them but not when their task varies in other ways. Application: Based on these results, potential interventions include providing users with feedback on their abilities and information about the consequences of phishing, perhaps targeting those with the worst performance. Signal detection methods offer system operators quantitative assessments of the impacts of interventions and their residual vulnerability.
Article
Phishing is an act of technology-based deception that targets individuals to obtain information. To minimize the number of phishing attacks, factors that influence the ability to identify phishing attempts must be examined. The present study aimed to determine how individual differences relate to performance on a phishing task. Undergraduate students completed a questionnaire designed to assess impulsivity, trust, personality characteristics, and Internet/security habits. Participants performed an email task where they had to discriminate between legitimate emails and phishing attempts. Researchers assessed performance in terms of correctly identifying all email types (overall accuracy) as well as accuracy in identifying phishing emails (phishing accuracy). Results indicated that overall and phishing accuracy each possessed unique trust, personality, and impulsivity predictors, but shared one significant behavioral predictor. These results present distinct predictors of phishing susceptibility that should be incorporated in the development of anti-phishing technology and training.
Article
We review the existing literature on the psychology of email fraud, and attempt to integrate the small but burgeoning set of research findings. We show that research has adopted a variety of methodologies and taken a number of conceptual positions in the attempt to throw light on decisions about emails that may be in best-case scenarios, sub-optimal, or in the worst-case scenarios, catastrophic. We point to the potential from cognitive science and social psychology to inform the field, and we attempt to identify the opportunities and limitations from researcher’s design decisions. The study of email decision-making is an important topic in its own right, but also has the potential to inform about general cognitive processes too.
Article
Positive beliefs about the validity and reliability of website information are important for users and the success of a site. Users may use these beliefs in making judgments about the veracity of the informational content that they encounter on the Internet. This research examined several components associated with Web sites that could affect credibility beliefs about Web site information: domain suffixes (e.g., .com, .edu), quality seals, and organizations/domain names. Two studies were carried out involving a total of 433 participants. One had 247 participants (171 undergraduates and 76 non-student adults) and the other had 186 participants (89 undergraduates and 97 non-students). Results indicated that participants who reported spending greater time on the Internet showed significantly higher trust ratings on several components than those who reported spending less time on the Internet. Participants had difficulty discriminating between actual and fictitious quality seals and organization/domain names, with several fictitious ones judged as or more trustworthy than actual ones.
Article
Sampling strategies have critical implications for the validity of a researcher's conclusions. Despite this, sampling is frequently ignored in research methods textbooks, during the research design process, and in the reporting of our journals. This lack of guidance often leads reviewers and journal editors to consider sampling using simple rules of thumb, which leads to the unnecessary and counterproductive characterization of sampling strategies as universally "good" or "bad." Such oversimplification slows the progress of our science by considering legitimate data sources to be categorically unacceptable. Instead, we argue that sampling is better understood in methodological terms of range restriction and omitted variables bias. This considered approach has far-reaching implications, because in I/O psychology, as in most social sciences, virtually all of our samples are convenience samples. Organizational samples are not gold standard research sources; instead, they are merely a specific type of convenience sample with their own positive and negative implications for validity. This fact does not condemn our science but instead highlights the need for more careful consideration of how and when a finding may generalize based upon the particular mix of validity-related affordances provided by each sample source that might be used to investigate a particular research question. We call for researchers to explore such considerations cautiously and explicitly in both the publication and review of research.
Article
Purpose: The purpose of this paper is to investigate the behaviour response of computer users when either phishing e‐mails or genuine e‐mails arrive in their inbox. The paper describes how this research was conducted and presents and discusses the findings. Design/methodology/approach: This study was a scenario‐based role‐play experiment that involved the development of a web‐based questionnaire that was only accessible by invited participants when they attended a one‐hour, facilitated session in a computer laboratory. Findings: The findings indicate that overall, genuine e‐mails were managed better than phishing e‐mails. However, informed participants managed phishing e‐mails better than not‐informed participants. Other findings show how familiarity with computers, cognitive impulsivity and personality traits affect behavioural responses to both types of e‐mail. Research limitations/implications: This study does not claim to evaluate actual susceptibility to phishing emails. The subjects were University students and therefore the conclusions are not necessarily representative of the general population of e‐mail users. Practical implications: The outcomes of this research would assist management in their endeavours to improve computer user behaviour and, as a result, help to mitigate risks to their organisational information systems. Originality/value: The literature review indicates that this paper addresses a genuine gap in the research.
Article
With the increasing sophistication and ubiquity of the Internet, behavioral research is on the cusp of a revolution that will do for population sampling what the computer did for stimulus control and measurement. It remains a common assumption, however, that data from self-selected Web samples must involve a trade-off between participant numbers and data quality. Concerns about data quality are heightened for performance-based cognitive and perceptual measures, particularly those that are timed or that involve complex stimuli. In experiments run with uncompensated, anonymous participants whose motivation for participation is unknown, reduced conscientiousness or lack of focus could produce results that would be difficult to interpret due to decreased overall performance, increased variability of performance, or increased measurement noise. Here, we addressed the question of data quality across a range of cognitive and perceptual tests. For three key performance metrics-mean performance, performance variance, and internal reliability-the results from self-selected Web samples did not differ systematically from those obtained from traditionally recruited and/or lab-tested samples. These findings demonstrate that collecting data from uncompensated, anonymous, unsupervised, self-selected participants need not reduce data quality, even for demanding cognitive and perceptual experiments.
Article
Phishing is a form of online fraud that aims to steal a user's sensitive information, such as online banking passwords or credit card numbers. The victim is tricked into entering such information on a web page that is crafted by the attacker so that it mimics a legitimate page. Recent statistics about the increasing number of phishing attacks suggest that this security problem still deserves significant attention. In this paper, we present a novel technique to visually compare a suspected phishing page with the legitimate one. The goal is to determine whether the two pages are suspiciously similar. We identify and consider three page features that play a key role in making a phishing page look similar to a legitimate one. These features are text pieces and their style, images embedded in the page, and the overall visual appearance of the page as rendered by the browser. To verify the feasibility of our approach, we performed an experimental evaluation using a dataset composed of 41 real-world phishing pages, along with their corresponding legitimate targets. Our experimental results are satisfactory in terms of false positives and false negatives.
Article
We discuss the importance of understanding psychological aspects of phishing, and review some recent findings. Given these findings, we critique some commonly used security practices and suggest and review alternatives, including educational approaches. We suggest a few techniques that can be used to assess and remedy threats remotely, without requiring any user involvement. We conclude by discussing some approaches to anticipate the next wave of threats, based both on psychological and technical insights.
Full-text available
Article
Speech perception abilities are modified by linguistic experience to maximize sensitivity to acoustic contrasts that are important for one’s linguistic community, while reducing sensitivity to other acoustic cues. Although some of these changes may be irreversible, in other cases adults may learn to perceive non-native speech sounds in a linguistically meaningful manner with limited perceptual training. The present study investigates the possibility of using a technique based on perceptual fading to train Canadian francophone adults to distinguish the voiced and voiceless “th” sounds of English: /ð/, as in “the,” versus /θ/, as in “theta.” Following a pretest to measure identification and discrimination performance with both natural and synthetic speech tokens, 10 subjects were trained using synthetic stimuli. Approximately 90 min of this training improved performance with both natural and synthetic tokens relative to that of untrained control subjects. The results suggest that there is a much higher degree of plasticity in these acoustic/linguistic categories than would be inferred from the normal performance of Canadian francophones who learn English as adults. The nature of the training technique is discussed in relation to other training paradigms.
Full-text available
Article
Signal detection theory (SDT) may be applied to any area of psychology in which two different types of stimuli must be discriminated. We describe several of these areas and the advantages that can be realized through the application of SDT. Three of the most popular tasks used to study discriminability are then discussed, together with the measures that SDT prescribes for quantifying performance in these tasks. Mathematical formulae for the measures are presented, as are methods for calculating the measures with lookup tables, computer software specifically developed for SDT applications, and general purpose computer software (including spreadsheets and statistical analysis software).
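The sensitivity measure the article's experiments rely on comes from the SDT framework described above. The following added example (not the cited paper's software) computes the two standard SDT measures, d' and the criterion c, from the four outcome counts of a "phish or real?" judgement task, with the log-linear correction for perfect hit or false-alarm rates. The participant counts are constructed.

```python
"""Added example (not from the cited paper): signal detection measures for a
phishing-discrimination task. Each trial shows a page that is either a spoof
('signal') or legitimate ('noise'); the participant answers 'phish' or 'real'.
All counts are constructed."""
from statistics import NormalDist

_z = NormalDist().inv_cdf  # probit: probability -> z-score


def corrected_rates(hits, misses, false_alarms, correct_rejections):
    """Hit rate and false-alarm rate with the log-linear correction (add 0.5
    to each count and 1 to each total) so that a rate of exactly 0 or 1 does
    not turn into an infinite z-score."""
    n_signal = hits + misses
    n_noise = false_alarms + correct_rejections
    hit_rate = (hits + 0.5) / (n_signal + 1)
    fa_rate = (false_alarms + 0.5) / (n_noise + 1)
    return hit_rate, fa_rate


def d_prime(hit_rate, fa_rate):
    """Sensitivity: separation of the 'spoof' and 'legitimate' evidence
    distributions in z units; 0 means chance discrimination."""
    return _z(hit_rate) - _z(fa_rate)


def criterion(hit_rate, fa_rate):
    """Response bias c: 0 is neutral, negative is liberal (says 'phish'
    readily), positive is conservative."""
    return -(_z(hit_rate) + _z(fa_rate)) / 2


def summarise(hits, misses, false_alarms, correct_rejections):
    """Sensitivity, bias and plain accuracy for one participant or condition."""
    h, f = corrected_rates(hits, misses, false_alarms, correct_rejections)
    total = hits + misses + false_alarms + correct_rejections
    return {
        "hit_rate": h,
        "fa_rate": f,
        "d_prime": d_prime(h, f),
        "criterion": criterion(h, f),
        "accuracy": (hits + correct_rejections) / total,
    }


# Constructed results: 40 spoof pages and 40 legitimate pages per participant.
TRAINED = summarise(hits=32, misses=8, false_alarms=8, correct_rejections=32)
# A participant who calls every page 'phish' is 50% accurate yet has no
# sensitivity at all; d' exposes this, raw accuracy does not.
SAYS_PHISH_TO_ALL = summarise(hits=40, misses=0, false_alarms=40, correct_rejections=0)

if __name__ == "__main__":
    for name, s in (("trained", TRAINED), ("says-phish-to-all", SAYS_PHISH_TO_ALL)):
        print(f"{name}: d'={s['d_prime']:.2f} c={s['criterion']:.2f} acc={s['accuracy']:.2f}")
```

Reporting d' and c separately is what lets a training study distinguish "participants became better at seeing the difference" from "participants merely became more suspicious of everything"; the second participant above scores d' = 0 with a strongly negative c.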
Full-text available
Conference Paper
Security toolbars in a web browser show security-related information about a website to help users detect phishing attacks. Because the toolbars are designed for humans to use, they should be evaluated for usability - that is, whether these toolbars really prevent users from being tricked into providing personal information. We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars' warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be.
Full-text available
Conference Paper
Phishers are fraudsters that mimic legitimate websites to steal users' credential information and exploit that information for identity theft and other criminal activities. Various anti-phishing techniques attempt to mitigate such attacks. Domain highlighting is one such approach recently incorporated by several popular web browsers. The idea is simple: the domain name of an address is highlighted in the address bar, so that users can inspect it to determine a web site's legitimacy. Our research asks a basic question: how well does domain highlighting work? To answer this, we showed 22 participants 16 web pages typical of those targeted for phishing attacks, where participants had to determine the page's legitimacy. In the first round, they judged the page's legitimacy by whatever means they chose. In the second round, they were directed specifically to look at the address bar. We found that participants fell into 3 types in terms of how they determined the legitimacy of a web page; while domain highlighting was somewhat effective for one user type, it was much less effective for others. We conclude that domain highlighting, while providing some benefit, cannot be relied upon as the sole method to prevent phishing attacks.
Full-text available
Conference Paper
In this paper we present the results of a roleplay survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing and participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users' tendency to enter information into phishing webpages by 40%; however, some of the educational materials we tested also slightly decreased participants' tendency to click on legitimate links.
Full-text available
Conference Paper
PhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated the effectiveness of this approach. Here, we extend our previous work with a 515-participant, real-world study in which we focus on long-term retention and the effect of two training messages. We also investigate demographic factors that influence training and general phishing susceptibility. Results of this study show that (1) users trained with PhishGuru retain knowledge even after 28 days; (2) adding a second training message to reinforce the original training decreases the likelihood of people giving information to phishing websites; and (3) training does not decrease users' willingness to click on links in legitimate messages. We found no significant difference between males and females in the tendency to fall for phishing emails both before and after the training. We found that participants in the 18--25 age group were consistently more vulnerable to phishing attacks on all days of the study than older participants. Finally, our exit survey results indicate that most participants enjoyed receiving training during their normal use of email.
Full-text available
Conference Paper
In this paper we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the game through a user study: participants were tested on their ability to identify fraudulent web sites before and after spending 15 minutes engaged in one of three anti-phishing training activities (playing the game, reading an anti-phishing tutorial we created based on the game, or reading existing online training materials). We found that the participants who played the game were better able to identify fraudulent web sites compared to the participants in other conditions. We attribute these effects to both the content of the training messages presented in the game as well as the presentation of these materials in an interactive game format. Our results confirm that games can be an effective way of educating people about phishing and other security attacks.
Full-text available
Conference Paper
An approach to detection of phishing webpages based on visual similarity is proposed, which can be utilized as a part of an enterprise solution for anti-phishing. A legitimate webpage owner can use this approach to search the Web for suspicious webpages which are visually similar to the true webpage. A webpage is reported as a phishing suspect if the visual similarity is higher than its corresponding preset threshold. Preliminary experiments show that the approach can successfully detect those phishing webpages for online use.
Full-text available
Article
Positive beliefs about the validity and reliability of website information are important for users and the success of a site. Users may use these beliefs in making judgments about the veracity of the informational content that they encounter on the Internet. This research examined several components associated with Web sites that could affect credibility beliefs about Web site information: domain suffixes (e.g., com, edu), quality seals, and organizations/domain names. Two studies were carried out involving a total of 433 participants. One had 247 participants (171 undergraduates and 76 non-student adults) and the other had 186 participants (89 undergraduates and 97 non-students). Results indicated that participants who reported spending greater time on the Internet showed significantly higher trust ratings on several components than those who reported spending less time on the Internet. Participants had difficulty discriminating between actual and fictitious quality seals and organization/domain names, with several fictitious ones judged as or more trustworthy than actual ones.
Full-text available
Article
Computing veterans remember an old habit of crossing zeros (?) in program listings to avoid confusing them with the letter O, in order to make sure the operator would type the program correctly into the computer. This habit, once necessary, has long been rendered obsolete by the increased availability of editing tools. However, the underlying problem of character resemblance is still there. Today it seems we may have to acquire a similar habit, this time to address an issue much more threatening than mere typos: security. Let us begin with a short recourse to history. On April 7, 2000 an anonymous site published a bogus story intimating that the company PairGain Technologies (NASDAQ:PAIR) was about to be acquired for approximately twice its market value. The site employed the look and feel of the Bloomberg news service, and thus appeared quite authentic to unsuspecting users. To disseminate the "news", a message containing a link to the story was simultaneously posted to the Yahoo message board dedicated to PairGain. The link referred to the phony site by its numerical IP address rather than by name, and thus obscured its true identity. Many readers were convinced by the Bloomberg look and feel, and accepted the story at face value despite its suspicious address. As a result, PairGain stock first jumped 31%, and then fell drastically, incurring severe losses to investors. Attacks like this are relatively easy to detect. A stronger variant of this hoax might have used a domain named bl00mberg.com (with zeros replacing o's), but even the latter is easily distinguishable from the real thing. However, forthcoming Internet technologies have the potential to make such attacks much more elusive and devastating. A new initiative, promoted by a number of Internet standards bodies including IETF and IANA, allows one to register domain names in national alphabets. This way, for example, the Russian news site "gazeta.ru" ("gazeta" means "newspaper" in Russian) might register a more appealing " . ". Far from buzzword compliance, the initiative caters to the genuine needs of non-English-speaking Internet users, who currently find it difficult to access Web sites otherwise. Several alternative implementations are currently being considered, and we can expect the standardization process to be completed soon. The benefits of this initiative are indisputable. Yet the very idea of such an infrastructure is compromised by the peculiarities of world alphabets. Revisiting our newspaper example, one can observe that the Russian letters ",,, " are indistinguishable in writing from their English counterparts. Some of the letters (such as "a") are close etymologically, while others look similar by sheer coincidence. For instance, the Russian letter "p" is actually pronounced like "r", but the glyphs of the two letters are identical. As it happens, Russian is not the only such language; other Cyrillic languages may cause similar collisions. With the proposed infrastructure in place, numerous English domain names may be homographed, that is, maliciously misspelled by substitution of non-Latin letters. For example, the Bloomberg attack could have been crafted much more skillfully, by registering a domain name bloomberg.com where the letters "o" and/or "e" have been faked with Russian substitutes. Without adequate safety mechanisms, this scheme can easily mislead even the most cautious reader. 1 Incidentally, this domain has actually been registered. 2 According to Global Reach's report, the English-speaking population of the Internet was about 62% in 1998, and is forecasted to be as low as 37% by the end of 2002.
Full-text available
Article
Phishing is a form of electronic identity theft in which a combination of social engineering and Web site spoofing techniques is used to trick a user into revealing confidential information with economic value. The problem of social engineering attack is that there is no single solution to eliminate it completely, since it deals largely with the human factor. This is why implementing empirical experiments is very crucial in order to study and to analyze all malicious and deceiving phishing Web site attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light into social engineering attacks, such as phone phishing and phishing Web site attacks for designing effective countermeasures and analyzing the efficiency of performing security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing training awareness for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard security phishing factor indicators are not always effective for detecting phishing websites, and alternative intelligent phishing detection approaches are needed.
Full-text available
Article
Phishing attacks exploit users' inability to distinguish legitimate websites from fake ones. Strategies for combating phishing include: prevention and detection of phishing scams, tools to help users identify phishing web sites, and training users not to fall for phish. While a great deal of effort has been devoted to the first two approaches, little research has been done in the area of training users. Some research even suggests that users cannot be educated. However, previous studies have not evaluated the quality of the training materials used in their user studies or considered ways of designing more effective training materials. In this paper we present the results of a user study we conducted to test the effectiveness of existing online training materials that teach people how to protect themselves from phishing attacks. We found that these training materials are surprisingly effective when users actually read them. We then analyze the training materials using principles from learning sciences, and provide some suggestions on how to improve training materials based on those principles.
Book
Phishing and Counter-Measures discusses how and why phishing is a threat, and presents effective countermeasures. Showing you how phishing attacks have been mounting over the years, how to detect and prevent current as well as future attacks, this text focuses on corporations who supply the resources used by attackers. The authors subsequently deliberate on what action the government can take to respond to this situation and compare adequate versus inadequate countermeasures.
Article
The overarching goal is to convey the concept of science of security and the contributions that a scientifically based, human factors approach can make to this interdisciplinary field. Rather than a piecemeal approach to solving cybersecurity problems as they arise, the U.S. government is mounting a systematic effort to develop an approach grounded in science. Because humans play a central role in security measures, research on security-related decisions and actions grounded in principles of human information-processing and decision-making is crucial to this interdisciplinary effort. We describe the science of security and the role that human factors can play in it, and use two examples of research in cybersecurity (detection of phishing attacks and selection of mobile applications) to illustrate the contribution of a scientific, human factors approach. In these research areas, we show that systematic information-processing analyses of the decisions that users make and the actions they take provide a basis for integrating the human component of security science. Human factors specialists should utilize their foundation in the science of applied information processing and decision making to contribute to the science of cybersecurity. © 2015, Human Factors and Ergonomics Society.
Article
We have conducted a user study to assess whether improved browser security indicators and increased awareness of phishing have led to users' improved ability to protect themselves against such attacks. Participants were shown a series of websites and asked to identify the phishing websites. We use eye tracking to obtain objective quantitative data on which visual cues draw users' attention as they determine the legitimacy of websites. Our results show that users successfully detected only 53% of phishing websites even when primed to identify them and that they generally spend very little time gazing at security indicators compared to website content when making assessments. However, we found that gaze time on browser chrome elements does correlate to increased ability to detect phishing. Interestingly, users' general technical proficiency does not correlate with improved detection scores.
Article
Rats received two stages of Pavlovian discrimination training with two flavor stimuli: a compound consisting of saccharin mixed with 0.15 M lithium chloride (LiCl), and the saccharin alone. The concentration of the saccharin solution (i.e., the common element shared by the stimuli to be discriminated) was relatively high in Stage 2 (1.2%). Groups differed in the pre-training that they received in Stage 1. Group Progressive (PROG) was pretrained in easier versions of the discrimination of Stage 2. The difficulty of these discriminations was gradually increased by progressively increasing the initial concentration of saccharin (0.15%). Group PROG learned the hardest discrimination faster than a control group (HARD) that was trained in this discrimination in both Stages 1 and 2 (Experiment 1). We also observed that the enhancement of learning observed in Group PROG was less than that observed after continuous pre-training with the easiest version of the discrimination (Group CONT; Experiment 2). We discuss the implications of these results in relation to other previous demonstrations of the easy-to-hard effect.
Purpose – Phishing is essentially a social engineering crime on the Web, whose rampant occurrences and technique advancements are posing big challenges for researchers in both academia and the industry. The purpose of this study is to examine the available phishing literature and phishing countermeasures, to determine how research has evolved and advanced in terms of quantity, content and publication outlets. In addition to that, this paper aims to identify the important trends in phishing and its countermeasures and provides a view of the research gap that is still prevailing in this field of study. Design/methodology/approach – This paper is a comprehensive literature review prepared after analysing 16 doctoral theses and 358 papers in this field of research. The papers were analyzed based on their research focus, empirical basis on phishing and proposed countermeasures. Findings – The findings reveal that the current anti‐phishing approaches that have seen significant deployments over the internet can be classified into eight categories. Also, the different approaches proposed so far are all preventive in nature. A phisher will mainly target the innocent consumers who happen to be the weakest link in the security chain, and it was found through various usability studies that neither server‐side security indicators nor client‐side toolbars and warnings are successful in preventing vulnerable users from being deceived. Originality/value – Educating internet users about phishing, as well as the implementation and proper application of anti‐phishing measures, are critical steps in protecting the identities of online consumers against phishing attacks. Further research is required to evaluate the effectiveness of the available countermeasures against fresh phishing attacks. Also there is the need to find out the factors which influence internet users' ability to correctly identify phishing websites.
Article
In an experimental design, we tested whether written warnings can reduce the amount of identity information exposure online. A psychological attack on information privacy that has been shown to be effective in previous research was launched. This attack took advantage of the fact that people respond to certain types of requests in a relatively automatic, or mindless, fashion. The experiment manipulated the word that was used in the alert header: "warning", "caution", or "hazard". All warnings proved to be effective in reducing disclosure, but "hazard" proved to be most effective. Also warnings were more effective in reducing disclosure of driver's license numbers than email addresses. The discussion (a) provides tentative conclusions why these patterns were obtained, (b) suggests how to design warnings in cyber-environments, and (c) addresses future possibilities for research on this topic.
Article
Research on internet-based studies has generally supported their benefits. However, that research sometimes did not directly compare internet-based to traditional delivery, often used non-experimental methods and small samples, and has not used an entirely unknown effect for the comparison to completely rule out demand characteristics. Our lab experiment (N = 180), in which participants were supervised by an experimenter, demonstrated previously unexamined effects. Both the frighteningness and disgustingness of insects made people want to kill them, and females wanted to kill the insects more than males did. There were also some interesting patterns of interaction with gender, but they were not statistically significant. However, an unsupervised, but larger, web-based experiment (N = 1301) produced the same significant main effects as the lab study, and the same patterns of interaction that had occurred at a non-significant level in the lab study occurred at a statistically significant level in the web-based study. These results add support to the finding that although web-based studies may incur risks by being unsupervised, such as some participants not being genuinely motivated to follow the instructions correctly, the risks are compensated for by the much larger sample size afforded by the web-based approach.
Article
Phishing is a severe threat to online users, especially since attackers improve in impersonating other websites [1]. With websites looking visually the same, users are fooled more easily. However, the close visual similarity can also be used to counteract phishing. We present a framework that uses visual website similarity: (1) to detect possible phishing websites and (2) to create better warnings for such attacks. We report first results together with the three step process planned for the project. We expect the detection results to be comparable to previously published work, which would allow for new kinds of phishing warnings with better coverage, fewer false positives and explicit user recommendations on how to avoid these critical situations.
Article
The present study of eyelid conditioning shows that rabbits pretrained on an easy auditory discrimination (Easy Group) performed better on a difficult test of discrimination than subjects pretrained on the test stimuli themselves (Difficult Group). All discriminative stimuli were compounds that contained isolatable incidental stimuli, i.e., the same cues occurred on reinforced and nonreinforced trials. In final testing subjects of the Easy Group responded less to compounds presumably containing only incidental cues than did subjects of the Difficult Group. The present paper notes the importance of obtaining these results in a classical rather than in an instrumental conditioning situation.
Article
Purpose – Despite the increasing use of formative measurement models in the literature, little is known about potential consequences for substantive theory testing. Against this background, the aims of this chapter are (1) to highlight some problems that may arise when formative instead of reflective measures are used to test even simple theoretical models with covariance-based methodologies, (2) to illustrate some approaches that might help overcome these problems, (3) to pinpoint potential interpretation difficulties of the results involving re-specified measurement models, and (4) to stimulate discussion on the implications for theory development when models are tested with formative measures. Methodology/approach – Potential consequences of formative measurement models for theory testing are highlighted using an empirical study on consumer animosity as an illustrative example and applying covariance-based structural equations modeling procedures for estimation purposes.
Article
Training that uses exaggerated versions of a stimulus discrimination (fading) has sometimes been found to enhance category learning, mostly in studies involving animals and impaired populations. However, little is known about whether and when fading facilitates learning for typical individuals. This issue was explored in 7 experiments. In Experiments 1 and 2, observers discriminated stimuli based on a single sensory continuum (time duration and line length, respectively). Adaptive fading dramatically improved performance in training (unsurprisingly) but did not enhance learning as assessed in a final test. The same was true for nonadaptive linear fading (Experiment 3). However, when variation in length (predicting category membership) was embedded among other (category-irrelevant) variation, fading dramatically enhanced not only performance in training but also learning as assessed in a final test (Experiments 4 and 5). Fading also helped learners to acquire a color saturation discrimination amid category-irrelevant variation in hue and brightness, although this learning proved transitory after feedback was withdrawn (Experiment 7). Theoretical implications are discussed, and we argue that fading should have practical utility in naturalistic category learning tasks, which involve extremely high dimensional stimuli and many irrelevant dimensions. (PsycINFO Database Record (c) 2013 APA, all rights reserved).
Article
Octopuses taught by a new training procedure mastered a simultaneous shape discrimination of moderate difficulty. 3 predictions from a theory about switching in different analyzing mechanisms were tested. (a) Ss 1st trained to discriminate shapes having a large difference along a dimension subsequently performed better with shapes having a small difference than did Ss trained from the outset on the latter shapes. (b) Performance of Ss originally trained on the difficult discrimination showed marked improvement when transfer tests without opportunity for relearning were given with easier discrimination. (c) Asymptotes of performance of Ss trained by the simultaneous and successive methods were the same on the easier discrimination, but Ss trained by the successive method performed better on the difficult discrimination.
Article
In each of 2 experiments on discriminative learning in free-flying honeybees (Apis mellifera), performance in a difficult problem was found to be facilitated by prior training in an easier problem. In Experiment 1, animals that were trained to detect a strong anomaly in the ambient geomagnetic field performed better when the intensity of the anomaly was reduced than did control animals that were trained from the onset with the weaker anomaly. In Experiment 2, animals that were trained to detect a 20-μl drop of sucrose solution and then a 10-μl drop of the same solution performed better when the size of the drop was reduced to 5 μl than did control animals trained from the onset with the 5-μl drop. These results are of interest because they add transfer along a continuum to a growing list of vertebrate learning phenomena found in honeybees and because of their bearing on a developing theory of discriminative learning in honeybees.
Article
Basis of the analysis is a previous experiment with rats which showed that a gradual transition group was best in terms of performance, with the abrupt transition group next, and the hard discrimination group as poorest. The discussion makes apparent that to account for the results of this experiment considerable modifications must be made in the assumptions concerning generalization gradients and their interactions as they are formulated in Hullian theory. Whether or not a consistent set of statements about generalization gradients can be found that will account for this experiment and other studies in discrimination has yet to be shown.
Book
Detection Theory is an introduction to one of the most important tools for analysis of data where choices must be made and performance is not perfect. Originally developed for evaluation of electronic detection, detection theory was adopted by psychologists as a way to understand sensory decision making, then embraced by students of human memory. It has since been utilized in areas as diverse as animal behavior and X-ray diagnosis. This book covers the basic principles of detection theory, with separate initial chapters on measuring detection and evaluating decision criteria. Some other features include: complete tools for application, including flowcharts, tables, pointers, and software; student-friendly language; complete coverage of content area, including both one-dimensional and multidimensional models; separate, systematic coverage of sensitivity and response bias measurement; integrated treatment of threshold and nonparametric approaches; an organized, tutorial-level introduction to multidimensional detection theory; popular discrimination paradigms presented as applications of multidimensional detection theory; and a new chapter on ideal observers and an updated chapter on adaptive threshold measurement. This up-to-date summary of signal detection theory is both a self-contained reference work for users and a readable text for graduate students and other researchers learning the material either in courses or on their own. © 2005 by Lawrence Erlbaum Associates, Inc. All rights reserved.
Article
Training can improve perceptual sensitivities. We examined whether the temporal dynamics and the incidental versus intentional nature of training are important. Within the context of a birdsong rate discrimination task, we examined whether the sequencing of pretesting exposure to the stimuli mattered. Easy-to-hard (progressive) sequencing of stimuli during preexposure led to a more accurate performance with the critical difficult contrast and greater generalization to new contrasts in the task, compared with equally variable training in either a random or an antiprogressive order. This greater accuracy was also evident when participants experienced the progressively sequenced stimuli in a different incidental learning task that did not involve direct auditory training. The results clearly show the importance of temporal dynamics (sequencing) in learning and show that the progressive training advantages cannot be fully explained by direct associations between stimulus features and the corresponding responses. The current findings are consistent with a hierarchical account of perceptual learning, among other possibilities, but not with explanations that focus on stimulus variability.
Article
Most demonstrations of the validity of Internet-based research methods are based on replications of well-known experimental phenomena on the Internet. However, in order to test whether the lack of control over the experimental conditions usually found in Internet studies has an effect on the quality of data, it would be more interesting to show that the Internet can be used not only to replicate common and well-documented effects, but also less-known experimental findings or elusive phenomena that tend to occur only in very specific conditions. The present experiment explores one such effect, namely augmentation in associative learning, and shows that it can be readily found in the laboratory and on the Internet.
Conference Paper
The credibility of web sites is becoming an increasingly important area to understand. To expand knowledge in this domain, we conducted an online study that investigated how different elements of Web sites affect people's perception of credibility. Over 1400 people participated in this study, both from the U.S. and Europe, evaluating 51 different Web site elements. The data showed which elements boost and which elements hurt perceptions of Web credibility. Through analysis we found these elements fell into one of seven factors. In order of impact, the five types of elements that increased credibility perceptions were “real-world feel”, “ease of use”, “expertise”, “trustworthiness”, and “tailoring”. The two types of elements that hurt credibility were “commercial implications” and “amateurism”. This large-scale study lays the groundwork for further research into the elements that affect Web credibility. The results also suggest implications for designing credible Web sites.
Conference Paper
To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.
Conference Paper
Web browsers support secure online transactions, and provide visual feedback mechanisms to inform the user about security. These mechanisms have had little evaluation to determine how easily they are noticed and how effectively they are used. This paper describes a preliminary study conducted to determine which elements are noted, which are ignored, and how easily they are found. We collected eyetracker data to study users' attention to browser security, and gathered additional subjective data through questionnaires. Our results demonstrated that while the lock icon is commonly viewed, its interactive capability is essentially ignored. We also found that certificate information is rarely used, and that people stop looking for security information after they have signed into a site. These initial results provide insights into how browser security cues might be improved.
Conference Paper
Phishing is a model problem for illustrating usability concerns of privacy and security because both system designers and attackers battle using user interfaces to guide (or misguide) users. We propose a new scheme, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. We describe the design of an extension to the Mozilla Firefox browser that implements this scheme. We present two novel interaction techniques to prevent spoofing. First, our browser extension provides a trusted window in the browser dedicated to username and password entry. We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields. Second, our scheme allows the remote server to generate a unique abstract image for each user and each transaction. This image creates a "skin" that automatically customizes the browser window or the user interface elements in the content of a remote web page. Our extension allows the user's browser to independently compute the image that it expects to receive from the server. To authenticate content from the server, the user can visually verify that the images match. We contrast our work with existing anti-phishing proposals. In contrast to other proposals, our scheme places a very low burden on the user in terms of effort, memory and time. To authenticate himself, the user has to recognize only one image and remember one low-entropy password, no matter how many servers he wishes to interact with. To authenticate content from an authenticated server, the user only needs to perform one visual matching operation to compare two images. Furthermore, it places a high burden of effort on an attacker to spoof customized security indicators.
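The second technique above rests on one property: the browser and the genuine server can both compute the per-transaction image, and nobody without their shared secret can. The Python below is an added illustration of that exchange, not the Firefox extension or any code from the Dynamic Security Skins paper. It makes two simplifying assumptions, both labelled in the code: a random pre-shared key stands in for whatever key the real scheme establishes between user and server during authentication, and an 8-cell strip of RGB colours derived with HMAC-SHA256 stands in for the abstract image. The function names, the transaction ids and the page dictionaries are all invented for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: an 8-cell strip of RGB colours stands in for the abstract image
# the scheme shows the user; any deterministic, key-dependent rendering would do.
CELLS = 8


def render_skin(shared_key: bytes, transaction_id: bytes) -> list[str]:
    """Derive the skin for one transaction from the secret shared by browser and server.

    HMAC-SHA256 keyed with shared_key means the output depends on the key: a
    party that does not hold it cannot compute the skin, and the skin for one
    transaction_id reveals nothing useful about the skin for another.
    """
    digest = hmac.new(shared_key, b"security-skin|" + transaction_id, hashlib.sha256).digest()
    return [digest[i:i + 3].hex() for i in range(0, CELLS * 3, 3)]  # 24 bytes -> 8 colours


def server_login_page(shared_key: bytes, transaction_id: bytes) -> dict:
    """Server side: the page carrying the login form is decorated with the skin."""
    return {"transaction_id": transaction_id,
            "skin": render_skin(shared_key, transaction_id),
            "form": "username/password"}


def browser_verifies(shared_key: bytes, page: dict) -> bool:
    """Browser side: recompute the skin independently and compare with the page's.

    In the scheme the comparison is done by the user's eyes; here it is a
    plain equality check so it can be exercised in code.
    """
    expected = render_skin(shared_key, page["transaction_id"])
    return page["skin"] == expected


def demo() -> tuple[bool, bool, bool]:
    """Outcomes for a genuine page, a spoof without the key, and a replayed skin."""
    # Assumption: the real scheme establishes this key per user as part of
    # authentication; a random pre-shared key stands in for it here.
    key = secrets.token_bytes(32)

    genuine = server_login_page(key, b"txn-0001")

    # Phisher clones the page layout and picks a transaction id, but has no key,
    # so the best it can do is render a skin under some key of its own.
    spoof = server_login_page(secrets.token_bytes(32), b"txn-0001")

    # Phisher replays a skin captured (e.g. screenshotted) from an earlier
    # genuine transaction; the browser expects the skin for the new transaction.
    replay = {"transaction_id": b"txn-0002",
              "skin": genuine["skin"],
              "form": "username/password"}

    return (browser_verifies(key, genuine),
            browser_verifies(key, spoof),
            browser_verifies(key, replay))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The replay case is why the image is per transaction and not just per user: a static per-user image could be harvested once and reused on a spoof page indefinitely.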
Conference Paper
Many secure systems rely on a "human in the loop" to perform security-critical functions. However, humans often fail in their security roles. Whenever possible, secure system designers should find ways of keeping humans out of the loop. However, there are some tasks for which feasible or cost effective alternatives to humans are not available. In these cases secure system designers should engineer their systems to support the humans in the loop and maximize their chances of performing their security-critical functions successfully. We propose a framework for reasoning about the human in the loop that provides a systematic approach to identifying potential causes for human failure. This framework can be used by system designers to identify problem areas before a system is built and proactively address deficiencies. System operators can also use this framework to analyze the root cause of security failures that have been attributed to "human error." We provide examples to illustrate the applicability of this framework to a variety of secure systems design problems, including anti-phishing warnings and password policies. "Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)" -- C. Kaufman, R. Perlman, and M. Speciner, 2002 (20)