Phish phodder: is user education helping or hindering?

Andrew Lee Eset
David Harley Small Blue-Green World

Mostly, security professionals can spot a phish a mile off. If they do err, it's usually on the side of caution, when real organizations fail to observe best practice, and generate phish-like marketing messages. Many sites are now addressing the problem with phishing quizzes, intended to teach the everyday user to distinguish phish from phowl (sorry). Academic papers on why people fall for phishing mails and sites are something of a growth industry. Yet phishing attacks continue to increase, and, while accurate and up-to-date figures for financial loss are hard to come by, indications are that losses from phishing and other forms of identity theft continue to climb.

This paper:

  • Evaluates current research on how end users are susceptible to phishing attacks and ID theft.
  • Evaluates a range of web-based educational and informational resources in general and summarizes the pros and cons of the quiz approach in particular.
  • Reviews the shared responsibility of phished institutions and phishing mail targets for reducing the impact of phishing scams. What constitutes best practice for finance-related mail-outs and e-commerce transactions? How far can we rely on detection technology? What are the responsibilities of employers and ISPs towards staff and customers?

Poll

Do you use the same password(s) across multiple websites?
I use the same password for all sites
I have a number of passwords but use the same for some sites
I use a different password for each site
I don't sign up to any sites that require a password

Leave a comment
View 4 comments
Jobs Career Sidebar

VB2010

VB2010 VB2010 will take place 29 September-1 October 2009 at the Westin Bayshore, Vancouver, BC, Canada. Early bird discount available until 15th June 2010.
Virus Bulletin currently has 190,688 registered users.