Anti-Phishing Phil Aims To Educate

September 27, 2007 | by Christopher Nickson

A new game developed at Carnegie Mellon University educates users on phishing threats.

It’s hardly a secret that phishing is one of the biggest problems facing computer users these days. Phishing attacks are becoming more sophisticated – just think of the one launched last month against Monster.com users – and there are also many who don’t understand exactly what phishing is.
 
However, researchers at Carnegie Mellon University are aiming to change that. They’ve developed an online game called Anti-Phishing Phil, which is intended to both entertain and educate.
 
In a statement on the site, researchers said,
 
“Our user studies have found that user education can help prevent people from falling for phishing attacks. However, it is hard to get users to read security tutorials, and many of the available online training materials make users aware of the phishing threat but do not provide them with enough information to protect themselves. Our studies demonstrate that Anti-Phishing Phil is an effective approach to user education.”
 
In testing, people who spent as little as 15 minutes playing the game were better at identifying phishing threats, because they could more readily spot the bogus URLs all too often used in phishing scams. And if you want to give it a shot and improve your anti-phishing skills, testing is ongoing, and you could win a $100 gift certificate from Amazon.
 
CMU is also partnering with Portugal Telecom to develop a Portuguese version of the game, known as Anti-Phishing Ze.
 

Comments

Ian Kemmish on Sep 27th, 2007 at 9:26 AM:

There's a far simpler way of helping to stamp out phishing - make it less profitable.

If we can persuade the banks to provide pages which, when visited, generate random but guaranteed fake account info which can be entered into the phisher's website, then those of us who are alert enough to recognise a phishing email can do something proactive whenever we receive one.

1) This gives us a warm fuzzy.

2) The more dud data there is in the phisher's database, the more attempts he has to make in order to carry out a successful transaction.

3) As soon as the bank sees an attempted transaction using the known fake data, it can identify and block the phisher's IP address, rendering even the real data in his database useless.

At the moment I'm reduced to making up phoney account data in the name of Scrooge McDuck, which is hardly ideal, only addressing points 1) and 2).
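
The bank-side half of the scheme proposed in the comment above, as an added sketch that is not part of the article or the comment: each decoy account number carries a keyed tag, so the bank can recognise one when it is later presented and block the source address. The 16-digit format, the key, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption); a real deployment keeps this in an HSM or secrets manager.
DECOY_KEY = b"constructed-demo-key"
ACCOUNT_DIGITS = 16  # assumed account number length
TAG_DIGITS = 6       # trailing digits that carry the keyed tag


def _tag(body: str) -> str:
    """HMAC-SHA256 over the random body, reduced to TAG_DIGITS decimal digits."""
    mac = hmac.new(DECOY_KEY, body.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**TAG_DIGITS).zfill(TAG_DIGITS)


def issue_decoy_account() -> str:
    """Return an account number that looks random but is verifiably fake."""
    body_len = ACCOUNT_DIGITS - TAG_DIGITS
    body = "".join(secrets.choice("0123456789") for _ in range(body_len))
    return body + _tag(body)


def is_decoy(account: str) -> bool:
    """Recognise a decoy with no database lookup; reject malformed input."""
    if len(account) != ACCOUNT_DIGITS or not (account.isascii() and account.isdigit()):
        return False
    body, tag = account[:-TAG_DIGITS], account[-TAG_DIGITS:]
    return hmac.compare_digest(tag, _tag(body))


class LoginMonitor:
    """Point 3 of the comment: a decoy presented at login blocks its source IP."""

    def __init__(self) -> None:
        self.blocked_ips: set[str] = set()

    def handle_attempt(self, source_ip: str, account: str) -> str:
        if source_ip in self.blocked_ips:
            return "blocked"      # even real data from this address is now refused
        if is_decoy(account):
            self.blocked_ips.add(source_ip)
            return "decoy-alert"  # known fake data: flag and block
        return "continue"         # hand over to normal authentication
```

A random 16-digit number passes `is_decoy` with probability one in a million, so genuine account numbers would have to be allocated so that they never satisfy the check.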
