DOI: 10.1145/1572532.1572536
SOUPS Conference Proceedings, research article

School of phish: a real-world evaluation of anti-phishing training

Published: 15 July 2009

Abstract

PhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated the effectiveness of this approach. Here, we extend our previous work with a 515-participant, real-world study in which we focus on long-term retention and the effect of two training messages. We also investigate demographic factors that influence training and general phishing susceptibility. Results of this study show that (1) users trained with PhishGuru retain knowledge even after 28 days; (2) adding a second training message to reinforce the original training decreases the likelihood of people giving information to phishing websites; and (3) training does not decrease users' willingness to click on links in legitimate messages. We found no significant difference between males and females in the tendency to fall for phishing emails both before and after the training. We found that participants in the 18--25 age group were consistently more vulnerable to phishing attacks on all days of the study than older participants. Finally, our exit survey results indicate that most participants enjoyed receiving training during their normal use of email.



Reviews

Pieter Hartel

The well-designed "school of phish" experiment compares to what extent three groups, of about 170 participants each, fall for phishing scams. The control group received no training, one group was trained once, and the third group received two training sessions. The results indicate that training the participants reduces the likelihood that they will fall for phishing scams. However, even after training, the number of participants who fall for phishing scams remains large, about 20 percent. The research demonstrates that participants are equally likely to fall for the scam, regardless of their demographics. Given that all of the participants in the experiment are either staff or students at Carnegie Mellon University, one fears that individuals randomly selected from the population at large would be even more likely to fall for phishing scams. Case studies like the one presented here are unfortunately rare in the computer science literature. The paper represents an important first step (in the sense that it assesses the likelihood of victimization) toward a scientific study of evidence-based crime prevention. One might hope that the authors will take the next step, which would be to evaluate in randomized controlled trials how effective the "school of phish" actually is in reducing crime. This study indicates that in spite of the significant attention received from the research community to date, phishing is still a serious problem that training alone will not solve. The paper is relevant to a wide audience interested in preventing cybercrime, which includes computer scientists, criminologists, policy makers, and members of law enforcement.

Online Computing Reviews Service


Published In

SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security
July 2009
205 pages
ISBN:9781605587363
DOI:10.1145/1572532

Sponsors

  • Carnegie Mellon CyLab
  • Google Inc.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. email
  2. embedded training
  3. phishing
  4. real-world studies
  5. usable privacy and security

Conference

SOUPS '09: Symposium on Usable Privacy and Security
July 15 - 17, 2009
Mountain View, California, USA

Acceptance Rates

SOUPS '09 Paper Acceptance Rate 15 of 49 submissions, 31%;
Overall Acceptance Rate 15 of 49 submissions, 31%

Article Metrics

  • Downloads (last 12 months): 313
  • Downloads (last 6 weeks): 34
Reflects downloads up to 25 Dec 2024

Cited By
  • (2025) What goes wrong during phishing education? A probe into a game-based assessment with unfavorable results. Entertainment Computing, 52(100815). DOI: 10.1016/j.entcom.2024.100815. Online publication date: Jan-2025.
  • (2024) Vulnerability of Students of Masaryk University to Two Different Types of Phishing. Applied Cybersecurity & Internet Governance. DOI: 10.60097/ACIG/190268. Online publication date: 24-Jun-2024.
  • (2024) You Know What? - Evaluation of a Personalised Phishing Training Based on Users' Phishing Knowledge and Detection Skills. Proceedings of the 2024 European Symposium on Usable Security, pages 1-14. DOI: 10.1145/3688459.3688460. Online publication date: 30-Sep-2024.
  • (2024) From Victims to Defenders: An Exploration of the Phishing Attack Reporting Ecosystem. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pages 49-64. DOI: 10.1145/3678890.3678926. Online publication date: 30-Sep-2024.
  • (2024) Does trainer gender make a difference when delivering phishing training? A new experimental design to capture bias. Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, pages 130-139. DOI: 10.1145/3661167.3661232. Online publication date: 18-Jun-2024.
  • (2024) Employees' Attitudes towards Phishing Simulations: "It's like when a child reaches onto the hot hob". Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pages 4167-4181. DOI: 10.1145/3658644.3690212. Online publication date: 2-Dec-2024.
  • (2024) Selling Satisfaction: A Qualitative Analysis of Cybersecurity Awareness Vendors' Promises. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pages 2666-2680. DOI: 10.1145/3658644.3690196. Online publication date: 2-Dec-2024.
  • (2024) Cognition in Social Engineering Empirical Research: A Systematic Literature Review. ACM Transactions on Computer-Human Interaction, 31(2):1-55. DOI: 10.1145/3635149. Online publication date: 29-Jan-2024.
  • (2024) Better Together: The Interplay Between a Phishing Awareness Video and a Link-centric Phishing Support Tool. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, pages 1-60. DOI: 10.1145/3613904.3642843. Online publication date: 11-May-2024.
  • (2024) The Effects of Group Discussion and Role-playing Training on Self-efficacy, Support-seeking, and Reporting Phishing Emails: Evidence from a Mixed-design Experiment. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, pages 1-21. DOI: 10.1145/3613904.3641943. Online publication date: 11-May-2024.
