Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish

July 19, 2007 by Richard Conlan

http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf

Researchers proposed an online game intended to teach users how to recognize phishing. Participants were shown 10 URLs before training and another 10 after, and were trained either with the game or with other anti-phishing training methods. The results suggest that people learned to identify phishing better through the game than through traditional anti-phishing training techniques.

The paper also suggests that, if users suspect a site of being a phishing site, they should do a web search for the site they are actually looking for. The speaker indicated that they had examined Google and found zero instances where a phishing site was returned on the first page of results.

zeveck wrote:

I couldn’t help but notice that all of the “valid” worms in the demo were to http sites, such as http://www.chase.com. Is it really a good idea to train users to think that http sites can be trusted at all as non-phishing? Shouldn’t at least the majority of the good worms be https?

Also, I understand that as a phishing game it is natural to have the phish eat worms…but this may confuse some users due to the existence of “worms” as an independent kind of threat from phishing. Perhaps the user should play as that shark and be eating phish?
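As an added example (written for this summary, not code from the paper, the post, or its commenters), the following Python function performs the kind of URL inspection the game trains people to do by eye, and it generalizes the point raised in the comment above: the scheme is reported, but the decisive check is whether the host is really under the expected domain. The brand domain (`chase.com`), the sample URLs, and the `203.0.113.5` address are constructed for the example; the two-label `registered_domain` helper is a simplification that ignores multi-label public suffixes such as `co.uk`.

```python
from typing import List
from urllib.parse import urlsplit
import ipaddress


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'www.chase.com' -> 'chase.com'.

    Simplification (assumption for this example): multi-label public suffixes
    such as 'co.uk' are not handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url: str, expected_domain: str) -> List[str]:
    """Return the reasons a URL should not be trusted as `expected_domain`.

    An empty list means the scheme is https and the host is under the
    expected domain. Each reason is a human-readable string.
    """
    parts = urlsplit(url)
    reasons = []
    host = (parts.hostname or "").lower()

    # Scheme matters, but it is not the only signal: an https page on the
    # wrong domain is still a phishing page.
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")

    if not host:
        reasons.append("no hostname in URL")
        return reasons

    # 'user@host' syntax: everything before '@' is userinfo, not the host.
    if parts.username is not None:
        reasons.append(
            f"URL carries userinfo {parts.username!r}@; the real host is {host}"
        )

    # A bare IP address is never a brand's published domain.
    try:
        ipaddress.ip_address(host)
        reasons.append(f"host is a bare IP address {host}")
        return reasons
    except ValueError:
        pass

    # The registered domain, not the left-most labels, decides who owns the host.
    if registered_domain(host) != expected_domain.lower():
        reasons.append(f"host {host} is not under {expected_domain}")

    return reasons


# Constructed sample URLs, as a trainee might be shown them.
SAMPLE_URLS = [
    "https://www.chase.com/login",
    "http://www.chase.com/login",
    "https://www.chase.com.example.net/login",
    "http://www.chase.com@203.0.113.5/login",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict = inspect_url(url, "chase.com") or ["looks consistent with chase.com"]
        print(url)
        for line in verdict:
            print("   -", line)
```

Run as a script it prints one verdict per sample URL; the last sample shows why parsing, rather than reading left to right, is what reveals the real host.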