Abstract
Confidence tricksters have always defrauded the unwary. The computer era has merely extended their range and made it possible for them to target anyone in the world who has an email address. Nowadays, they send phishing messages that are specially crafted to deceive. Improving user awareness has the potential to reduce their effectiveness. We have previously developed and empirically validated phishing awareness programmes. Our programmes are specifically designed to neutralize common phish-related misconceptions and teach people how to detect phishes. Many companies and individuals are already using our programmes, but a persistent niggle has been the amount of time required to complete the awareness programme. This paper reports on how we responded by developing and evaluating a condensed phishing awareness video that delivered phishing awareness more efficiently. Participants in our evaluation were able to detect phishing messages significantly more reliably right after watching the video than before watching it. This ability was also demonstrated after a retention period of eight weeks after first watching the video.
Notes
- 1. German Phishing Video: https://www.youtube.com/watch?v=XeslAkZIuwY&t=9s English Phishing Video: https://www.youtube.com/watch?v=F4y2wzYpIKw.
- 2. To avoid confusion we used https in all our phishing examples.
- 3. The study was carried out in Germany, which meant we focused on domains with two terms, e.g. amazon.de, and we did not consider other conventions followed by countries like the U.K. with three terms, e.g. amazon.co.uk.
- 4. Because we used a quiz-like evaluation, we could present half-half, although in a realistic setting half of people’s messages would not usually be phish.
- 5.
- 6. The number we used in the message was randomly chosen, but realistic.
Acknowledgements
This work was supported by the German Federal Ministry of Education and Research (BMBF) within the Competence Center for Applied Security Technology (KASTEL) and within the Center for Research in Security and Privacy (CRISP). Thanks to Alexander Lehmann for creating the video; for more of his security and privacy related videos see: https://www.youtube.com/user/alexanderlehmann.
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Volkamer, M. et al. (2018). Developing and Evaluating a Five Minute Phishing Awareness Video. In: Furnell, S., Mouratidis, H., Pernul, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2018. Lecture Notes in Computer Science, vol 11033. Springer, Cham. https://doi.org/10.1007/978-3-319-98385-1_9
DOI: https://doi.org/10.1007/978-3-319-98385-1_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-98384-4
Online ISBN: 978-3-319-98385-1
eBook Packages: Computer Science, Computer Science (R0)