Protection Against Phishing through Training and Education
Training users to identify phish is an important component in the fight against phishing. Training has taken shape in two forms. The first is simply to provide anti-phishing information to users through e-mail and other media. The second is to give firsthand experience to users through games, simulated phish, cartoons, etc. Recent studies [7] seem to indicate that the latter—giving firsthand experience to users—might be more effective.
The game Anti-Phishing Phil (the two pictures immediately below), which teaches people how to identify suspicious Web site addresses while providing the experience of being captured by a phisher, is one such example (http://www.ucl.ac.uk/cert/antiphishing/).
PhishGuru is another example. It delivers cartoon-based, anti-phishing information after a user has been deceived by simulated phishing messages.
PhishGuru Anti-Phishing Video
Anti-Phishing Technologies
Although users' ability to identify phish is an important component in the battle against phishing, combining it with technology yields better results [7]. One technique used to identify phish automatically is filtering. The objective of filtering is to identify (or flag) phishing attempts in e-mail or on Web pages. Filters are usually integrated into browsers or e-mail software. When a Web address is encountered, the software compares it with a so-called “blacklist” of known phishing Web sites. It then takes appropriate action, which usually includes informing the user. The blacklist is updated periodically (for example, every 30 minutes) as new phishing sites become known. Alongside the blacklist, there is also a “whitelist” of known legitimate sites.
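The list check described above can be sketched as follows. This is an added example, not code from any browser or e-mail product. The class and function names, the rule that the whitelist takes precedence only on an exact host match, and the sample `.example` hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

REFRESH_SECONDS = 30 * 60  # the text's example update interval (30 minutes)

def canonical_host(url):
    """Return the host that would really be contacted, normalised."""
    if "://" not in url:
        url = "http://" + url            # bare "host/path" input
    # .hostname drops any "user@" prefix and ":port", and lower-cases.
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")              # "evil.example." == "evil.example"

def host_suffixes(host):
    """'a.b.example' -> ['a.b.example', 'b.example'] (bare TLD excluded)."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]

class UrlFilter:
    def __init__(self, blacklist, whitelist, fetched_at):
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)
        self.fetched_at = fetched_at     # epoch seconds of last list download

    def needs_refresh(self, now):
        """True once the lists are older than the update interval."""
        return now - self.fetched_at >= REFRESH_SECONDS

    def check(self, url):
        host = canonical_host(url)
        if not host:
            return "unknown"
        # Assumption: the whitelist wins, but only on an exact host match,
        # so a listed name placed before "@" or used as a label of some
        # other domain cannot borrow its trust.
        if host in self.whitelist:
            return "allow"
        # A blacklisted domain also covers its subdomains.
        if any(s in self.blacklist for s in host_suffixes(host)):
            return "block"
        return "unknown"                 # on neither list: no verdict

# Constructed sample lists (reserved .example names), not real indicators.
SAMPLE = UrlFilter({"evil.example"}, {"www.bank.example"}, fetched_at=0)

if __name__ == "__main__":
    for u in ("http://www.bank.example/login",
              "http://www.bank.example@evil.example/login",
              "HTTP://Pay.Evil.Example.:8080/a",
              "https://news.example/"):
        print(SAMPLE.check(u), u)
```

An "unknown" verdict is the gap a list-based filter leaves between the moment a new phishing site appears and the next list update.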
References
- 30 December 2008. 3 January 2009. <www.antiphishing.org>.
- Bond, Mark. “Being an Ethical Warrior: How Labeling Theory Influences Police Officers and Their Patrol Perceptions.” Public Safety 6 February 2014.
- Ciampa, Mark. Security+, Guide to Network Security Fundamentals Second Edition Update. Third. Boston: Thomson Course Technology, 2008.
- Costa, Garrett, et al. Protocolv2Spec: Client specification for the Google Safe Browsing v2.1 protocol. 20 November 2007. Google. 6 January 2009. <http://code.google.com/p/google-safe-browsing/wiki/Protocolv2Spec>.
- Cranor, Lorrie Faith. How to Foil “Phishing” Scams. 3 December 2008. Scientific American. 5 January 2009. <http://www.sciam.com/sciammag/?contents=2008-12>.
- Dulaney, Emmett. CompTIA Security +, Deluxe Study Guide, Exam SYO-201. Indianapolis, Indiana: Wiley Publishing, 2009.
- Eitzen, D. Stanley, Maxine Bacca Zinn and Kelly Eitzen Smith. Social Problems. Boston: Pearson, 2014.
- Fette, Ian, Norman Sadeh and Anthony Tomasic. “Learning to detect phishing emails.” Proceedings of the 16th international conference on World Wide Web. n.d.
- Fitzpatrick, Joey. Phishing scam artists get personal on Facebook. 29 December 2008. 31 December 2008. <http://thechronicleherald.ca/Columnists/1098083.html>.
- Mozilla. Phishing and Malware Protection. 2005-2009. Mozilla. 6 January 2009. <http://www.mozilla.com/en-US/firefox/phishing-protection/>.
- Pfleeger, Charles P. Security in Computing. Fourth Edition. Upper Saddle River: Prentice Hall, 2007.
- Phishing Activity Trends Report. April-June 2008. 3 January 2009. <http://www.antiphishing.org/reports/apwg_report_Q2_2008.pdf>.
- Phishing Protection: Design Documentation. 5 March 2008. MediaWiki. 6 January 2009. <https://wiki.mozilla.org/Phishing_Protection:_Design_Documentation>.
- Recognize phishing scams and fraudulent e-mail. 15 October 2008. Microsoft. 29 December 2008. <http://www.microsoft.com/protect/yourself/phishing/identify.mspx>.
- Shelly, Gary B., Thomas J. Cashman and Misty E. Vermaat. Computer Literacy and Applications. United States: Thomson Course Technology, 2008.
- Carnegie Mellon University. Anti-Phishing Phil. September 2008. Wombat Security Technologies. 5 January 2009. <http://cups.cs.cmu.edu/antiphishing_phil/>.
- What is Social Engineering. 16 January 2007. Microsoft. 29 December 2008. <http://www.microsoft.com/protect/yourself/phishing/engineering.mspx>.
- Zhang, Yue, Jason Hong and Lorrie Cranor. “CANTINA: A Content-Based Approach to Detecting Phishing Web Sites.” International World Wide Web Conference. Banff, Alberta, Canada: ACM, 2007.