Anti-Phishing Day

Too bad it doesn’t exist. I mean really exist. Here is how an anti-phishing day that is designed to be a highly effective educational deterrent to phishing would work.

Google, Facebook, Hotmail, Yahoo, Twitter, Myspace, banks, online gaming sites such as World of Warcraft, and others would all send phishing emails to their users. Yes, phishing emails to their own users. The idea is very simple: make the emails look like any number of successful phishing attacks, then follow up with the educational component. The users who go to the phishing site and enter their credentials are exactly the users who need to learn what they did wrong.

Recently Microsoft cited a dramatic reduction in autorun malware successfully infecting computers after it pushed an automatic update that changed the way autorun works, effectively taking the bite out of autorun malware. Of course Microsoft knew for years that this change would dramatically decrease the effectiveness of that attack vector. The same principle can be applied to phishing attacks. A few years ago Carnegie Mellon ran tests showing that users who were phished and then trained were orders of magnitude more likely to learn to accurately identify a phishing attack than users who did not receive such training.

Facebook probably has the ability to reach at least 1 in 10 computer users in the world. Combine the resources of Facebook, Microsoft, Google and the other large players to actively phish their users and then provide access to well-designed educational materials, and the results are as predictable as the results of Microsoft disabling autorun.

Perhaps Mark Zuckerberg, who has stated that he will eat no meat other than that which he has killed himself, could make the connection between that perspective and the urgent need to reduce phishing scams on the Internet. Most people consider fish to be meat, so maybe he could go fishing to educate users about phishing!

For those of you in corporate environments, don’t expect these major organizations to have the guts to step up to the plate anytime soon. I recommend you phish your own users to identify who needs more education. When doing this style of training, it is important to make extraordinary efforts to demonstrate that the exercise is for the benefit of the student and not a humiliating experience. You will better protect your business and make your employees safer at home.
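Here is what the in-house version of that exercise can look like in code. This is an added example, not part of the original post and not ESET's tooling: a small Python campaign tracker that signs each recipient's link with an HMAC so the landing page knows exactly who clicked, records whether the fake login form was actually submitted, throws the password away instead of storing it, and sends the user straight to the educational material. The `X-Phish-Simulation` header, the training URL, the landing-page host and the user IDs are assumptions made for the example.

```python
"""Skeleton of a simulated-phishing exercise with an educational follow-up (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed: where the "you were just phished, here is why" material lives.
TRAINING_URL = "https://training.example.internal/why-this-was-a-phish"


@dataclass
class Campaign:
    """One simulated campaign: a signing key for links plus a per-user event record."""
    campaign_id: str          # must not contain '.', it is used as a token separator
    recipients: list          # user IDs, assumed URL-safe (letters, digits, '.', '-', '_')
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    events: dict = field(default_factory=dict)

    def __post_init__(self):
        if "." in self.campaign_id:
            raise ValueError("campaign_id must not contain '.'")
        self.events = {u: {"clicked": False, "submitted": False} for u in self.recipients}

    def _mac(self, user_id: str) -> str:
        # HMAC-SHA256 binds the link to one user in one campaign, so a token cannot be
        # guessed, forged, or swapped between colleagues to frame someone else.
        msg = f"{self.campaign_id}:{user_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def token(self, user_id: str) -> str:
        return f"{self.campaign_id}.{user_id}.{self._mac(user_id)}"

    def verify(self, token: str) -> Optional[str]:
        """Return the user_id for a genuine token, or None for anything else."""
        try:
            rest, mac = token.rsplit(".", 1)
            campaign_id, user_id = rest.split(".", 1)
        except ValueError:
            return None
        if campaign_id != self.campaign_id or user_id not in self.events:
            return None
        if not hmac.compare_digest(mac, self._mac(user_id)):
            return None
        return user_id

    def lure_email(self, user_id: str, base_url: str) -> dict:
        """Build the simulated phish. The X-Phish-Simulation header is an assumed
        convention that lets the mail gateway and the SOC tell the exercise from a
        real attack without tipping off the recipient (it is stripped on delivery)."""
        link = f"{base_url}/verify?t={self.token(user_id)}"
        return {
            "To": user_id,
            "Subject": "Action required: confirm your account",
            "X-Phish-Simulation": self.campaign_id,
            "Body": f"Your account will be suspended unless you confirm it here: {link}",
        }

    def handle_request(self, method: str, url: str, form: Optional[dict] = None) -> dict:
        """Landing-page logic for the fake site (modelled offline, no web server).

        GET  -> record the click and show a fake login form.
        POST -> record that credentials were submitted, never keep the password,
                and redirect to the educational material.
        """
        qs = parse_qs(urlparse(url).query)
        user_id = self.verify(qs.get("t", [""])[0])
        if user_id is None:
            # Unknown or tampered token: behave like any other dead link.
            return {"status": 404, "body": "not found"}
        rec = self.events[user_id]
        if method == "GET":
            rec["clicked"] = True
            return {"status": 200, "body": "<form method=post>username / password</form>"}
        if method == "POST":
            rec["clicked"] = True
            rec["submitted"] = True
            # Only the field names are kept for the report. The password value is
            # never read, logged or stored: the lesson is that it was entered at all.
            rec["fields_seen"] = sorted(k for k in (form or {}) if k.lower() != "password")
            return {"status": 303, "location": TRAINING_URL}
        return {"status": 405, "body": "method not allowed"}

    def report(self) -> dict:
        """Who needs the follow-up, in tiers, with the credential submitters first."""
        ev = self.events.items()
        return {
            "submitted_credentials": sorted(u for u, e in ev if e["submitted"]),
            "clicked_only": sorted(u for u, e in ev if e["clicked"] and not e["submitted"]),
            "no_action": sorted(u for u, e in ev if not e["clicked"]),
        }


if __name__ == "__main__":
    c = Campaign("c1", ["jane.doe", "bob", "alice"])
    print(c.lure_email("jane.doe", "https://login-confirm.example.net")["Body"])
    c.handle_request("GET", f"https://login-confirm.example.net/verify?t={c.token('bob')}")
    c.handle_request("POST", f"https://login-confirm.example.net/verify?t={c.token('jane.doe')}",
                     {"username": "jane.doe", "password": "do-not-store-me"})
    print(c.report())
```

The `report()` tiers are the whole point of the exercise: the people in `submitted_credentials` are the ones who need the education, while `clicked_only` tells you the lure worked even on people who stopped short of typing a password. Discarding the password on the server is not optional; a training campaign that ends up holding a file of real staff passwords has created the very breach it was meant to prevent, and would also make the exercise feel like entrapment rather than help.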

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

  • R. Zager

    You overstate the value of training in solving this problem.  The second and third Carronade studies conducted at West Point showed very disappointing results from training.  The recent paper, "Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model." by Vishwanath, et al. provided insight into the limited value of training to address this problem.
    In a nutshell, training requires that people pay attention to processing email in order to spot defects in the email that call its authenticity into question.  People just don't put that much focus on the email task.  Additionally, as Lt. Col. Conti, West Point professor, recently observed in the NY Times, phishing emails are becoming increasingly difficult to spot as bad guys avail themselves of better and better targeting data that is available on the internet. 

  • Randy Abrams

    The educational approach being used is defective, not the value of the education. Being phished first makes the student more likely to pay attention to the education, but then we need to move away from a spot-the-phish approach to a behavioral approach to anti-phishing. Teaching people the basics of not providing a password and not logging into an account from a link is far easier than teaching them to identify that a phish is such.

  • Randy Abrams

    … is where one of the Carnegie Mellon studies resides. Still, I believe that even more effective than trying to identify the email as a phish, it is far more effective to teach people not to perform the behavior that results in the attack being effective.

  • Patricio Del Boca

    Hello Randy! I'm a student of Information Systems Engineering in Argentina (so I beg your pardon for my English).
    I liked this article very much. It's good to see people who care about the education of all the Internet users who don't have enough knowledge to understand the way malware works. I think that well-educated users are the foundation for achieving a society protected from cybercriminals, a society where the security of all members depends on how the (less educated) users use the network.
    Nowadays I'm writing a paper for a contest inspired by a phrase I read in a book: "Security through education". In the paper I insist (in my humble opinion) on the importance of teaching Internet users the basic concepts of social engineering used in most current malware (among other things). The main idea is: educate helpless people in order to make the entire society safer.
    So, once more, I want to congratulate you on your article. I think the idea of using phishing emails to make people understand the mechanics of phishing attacks is an idea that should be heard by more people. :)

    Greetings from Argentina!

    Patricio Del Boca

Copyright © 2017 ESET, All Rights Reserved.