Online game ‘Anti-Phishing Phil’ trains people to identify Internet scams

Washington, Sept 26 : Computer scientists of Carnegie Mellon University have developed an interactive, online game featuring a little fish named Phil that can teach people how to better recognize and avoid email "phishing" and other Internet scams.

Phishing attacks means tricking people into revealing personal information or bank or credit card account information. Often, they involve emails that appear to be from a legitimate business, such as a bank, and direct recipients to visit a Web site that likewise appears to belong to that business. There they are asked to "verify" account information. In addition to spoof emails and counterfeit Web sites, some attacks even mimic parts of a user's own Web browser.

"We believe education is essential if people are to avoid being ripped off by these phishing attacks and similar online scams," Lorrie Cranor, associate research professor in the School of Computer Science's Institute for Software Research and director of the CUPS Lab said.

"Unlike viruses or spyware, phishing attacks don't exploit weaknesses in a computer's hardware or software, but take advantage of the way people use their computers and their often-limited knowledge of the way computers work," Cranor added.

Therefore, a test was conducted at the Carnegie Mellon Usable Privacy and Security (CUPS) Laboratory where in people who spent 15 minutes playing the Anti-Phishing Phil game were better able to identify fraudulent Web sites than people who spent the same amount of time reading anti-phishing tutorials or other online training materials.

And now, scientists at the CUPS Lab want to see how Anti-Phishing Phil performs when it steps out of the laboratory to a bigger and vulnerable environment.

As part of a field test, researchers will ask people to visit http://cups.cs.cmu.edu/antiphishing_phil/ and click on the "Play the game!" link. And people who participate will be asked to take a short quiz. Those who leave their email address and participate in a follow-up quiz a week later will be eligible for a raffle prize of a 100 dollars Amazon.com gift card.

Security experts, however disagree about whether user education is effective in reducing vulnerability to increasingly sophisticated phishing attacks.

But Steve Sheng, a Ph.D. student in Carnegie Mellon's Engineering and Public Policy Department and lead developer of Anti-Phishing Phil, presented results of a lab study at the Symposium on Usable Privacy and Security this past July, which showed that training could improve people's ability to correctly identify legitimate and illegitimate Web sites. The game format of Anti-Phishing Phil proved particularly effective, improving the users' accuracy from 69 percent prior to training to 87 percent after playing the game.

"We designed the game to teach people how to use Web addresses, or URLs, to identify phishing Web sites. That tactic can also be useful in analysing suspicious email messages,” said Sheng. (With inputs from ANI)

General: 
Regions: