Online game teaches users about the threats of phishing

Jun Xian Leong Oct 8, 2007

Researchers from the Carnegie Mellon Usable Privacy and Security (CUPS) Laboratory have recently released the first field test for Anti-Phishing Phil (APP), an online game that teaches users to identify dangerous websites and practice safer Internet surfing.

Phishing is a term used to describe criminal websites that pretend to be other, legitimate websites, such as eBay or PayPal, in order to obtain people’s personal information.

Possession of this information could lead to further criminal activity.

A “phisher,” for instance, might set up a website that looks like the website of the Bank of America to trick visitors into entering their bank account numbers and PINs.

The phisher could then use this information to access the visitor’s bank account and steal funds.

Phishing is often a precursor to other, more damaging crimes, including identity theft and fraud.

APP was created specifically to help combat this new wave of crime.

APP is an interactive game that teaches players to recognize common methods of phishing by putting the player in control of a fish named Phil, who must pick wisely between several worms floating in the sea.

Each worm is attached to a website URL, and picking websites that are actually “phishes” causes players to be “hooked” and lose the game.

According to “Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish,” the project design paper published in July, APP primarily teaches players to recognize phishing URLs that use an IP address in place of a domain name.

This is done through a series of interactive tutorials between and during the quizzes.
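The cue the paper singles out, a URL whose host is a bare IP address rather than a domain name, is one a program can check as well as a player. The following Python is an added example written for this article, not code from Anti-Phishing Phil or the CUPS laboratory; the sample URLs are constructed, and the function names are my own.

```python
"""Flag URLs whose host is a raw IP address, the cue Anti-Phishing Phil
teaches. Added example; not part of the game or the CUPS lab's code."""

import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample "worms": a mix of domain-named and IP-hosted URLs.
SAMPLE_URLS = [
    "https://www.example-bank.com/login",      # ordinary domain name
    "http://192.0.2.1/login",                  # bare IPv4 host
    "https://192.0.2.1:8443/account",          # IPv4 host with a port
    "http://[2001:db8::1]/signin",             # bracketed IPv6 host
    "192.0.2.1/login",                         # no scheme at all
    "http://192.0.2.1.example.com/",           # looks numeric, is a domain
]


def host_of(url: str) -> Optional[str]:
    """Return the host part of a URL, or None if it cannot be parsed.

    urlsplit() only recognises a host after "//", so a scheme-less URL
    such as "192.0.2.1/login" is prefixed before parsing. .hostname
    strips any port and IPv6 brackets for us.
    """
    if "//" not in url:
        url = "//" + url
    try:
        return urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 brackets
        return None


def is_ip_host(url: str) -> bool:
    """True when the URL's host is an IPv4 or IPv6 address literal."""
    host = host_of(url)
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False  # a domain name, even one that starts with digits
    return True


def triage(urls: List[str]) -> List[Tuple[str, str]]:
    """Label each URL 'ip-host' (treat as suspect) or 'domain'."""
    return [(u, "ip-host" if is_ip_host(u) else "domain") for u in urls]


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS):
        print(f"{verdict:8} {url}")
```

An IP-address host is only one of the signs the game covers; a well-designed page on a plausible domain, the case Vaniea describes below, passes this check, which is exactly why the training asks players to look beyond any single cue.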

“We wanted to find a way to educate people about the common methods of phishing online as well as their dangers,” said associate research professor Lorrie Cranor, advisor of the project.
“We found that no one really reads security warnings, and we needed to find a way to make the public more aware of phishing,” she said.

According to Kami Vaniea, one of Cranor’s graduate students, APP promises to be an effective way to educate people concerning the dangers of phishing due to its entertaining elements.
“This is a much more engaging method of educating people compared to giving them a thick manual to pore through,” Vaniea said.

Vaniea said that one of the websites that tricked many people during trials of the game was one that was well designed and professional-looking.

“Everyone thought it was real, despite there being many other signs that it was really a phish,” she said, adding that APP will help train people to look beyond appearances and be more alert to subtle threats of phishing. “There’s a difference between brand identification in real life and websites.”

The paper also presents statistics that suggest that interactive games such as APP can be a promising way of educating people about phishing.

Although several prominent companies, including Google and AOL, have taken steps to help combat this phenomenon, phishing remains a major threat to the security of Internet users.

According to the Business Communications Review magazine, losses worldwide due to phishing have been estimated to be between $400 million and $1.2 billion yearly.

Based on preliminary tests, APP has been receiving consistent attention. Upward of 100 people an hour tested out APP during the early trial period, said Steve Sheng, the Ph.D. student who developed the game.

The study group also found a notable increase in anti-phishing knowledge among testers who played the game.

APP is currently in the field study stage, although plans for its commercial release are already in the works.

“We were really surprised, but within a week of putting it online, we’ve been contacted by a dozen different companies interested in leasing it for commercial purposes,” Cranor said.

Most of the offers were interested in using it as a method of employee training, Cranor said, but no deals have been finalized as of yet.

The CUPS laboratory is also currently working on several other methods to combat phishing, including embedded training, CANTINA (Carnegie Mellon ANTI-phishing and Network Analysis tool) and Phishguru. Phishguru is a method of training that teaches users about phishing threats through email.

Check APP out at http://cups.cs.cmu.edu/antiphishing_phil/.