PITTSBURGH -- Carnegie Mellon University computer scientists have developed an interactive, online game featuring a little fish named Phil that can teach people how to better recognize and avoid email "phishing" and other Internet scams.
In testing at the Carnegie Mellon Usable Privacy and Security (CUPS) Laboratory, people who spent 15 minutes playing the Anti-Phishing Phil game were better able to identify fraudulent Web sites than people who spent the same amount of time reading anti-phishing tutorials or other online training materials.
Now, the CUPS Lab wants to see how Anti-Phishing Phil performs when he swims in a bigger, more diverse pond. As part of a field test, researchers ask people to visit http://cups.
Phishing attacks attempt to trick people into revealing personal information or bank or credit card account information. Often, they involve emails that appear to be from a legitimate business, such as a bank, and direct recipients to visit a Web site that likewise appears to belong to that business. There they are asked to "verify" account information. In addition to spoof emails and counterfeit Web sites, some attacks even mimic parts of a user's own Web browser.
"We believe education is essential if people are to avoid being ripped off by these phishing attacks and similar online scams," said Lorrie Cranor, associate research professor in the School of Computer Science's Institute for Software Research and director of the CUPS Lab. "Unlike viruses or spyware, phishing attacks don't exploit weaknesses in a computer's hardware or software, but take advantage of the way people use their computers and their often-limited knowledge of the way computers work."
Security experts disagree about whether user education is effective in reducing vulnerability to increasingly sophisticated phishing attacks. But Steve Sheng, a Ph.D. student in Carnegie Mellon's Engineering and Public Policy Department and lead developer of Anti-Phishing Phil, presented results of a lab study at the Symposium on Usable Privacy and Security this past July, showing that training could improve people's ability to correctly identify legitimate and illegitimate Web sites. The game format of Anti-Phishing Phil proved particularly effective, improving the users' accuracy from 69 percent prior to training to 87 percent after playing the game.
"We designed the game to teach people how to use Web addresses, or URLs, to identify phishing Web sites," said Sheng. "That tactic can also be useful in analyzing suspicious email messages."
In addition to Cranor and Sheng, Anti-Phishing Phil developers include Carnegie Mellon faculty members Jason Hong and Alessandro Acquisti, and students Bryant Magnien and Ponnurangam Kumaraguru. CUPS has also collaborated with Portugal Telecom to develop a Portuguese version of the game called Anti-Phishing Ze (http://seguranca.
The Anti-Phishing Phil project is part of a larger anti-phishing research effort at Carnegie Mellon funded by the National Science Foundation and the Army Research Office. For more information, see http://cups.
About Carnegie Mellon:
Carnegie Mellon is a private research university with a distinctive mix of programs in engineering, computer science, robotics, business, public policy, fine arts and the humanities. More than 10,000 undergraduate and graduate students receive an education characterized by its focus on creating and implementing solutions for real problems, interdisciplinary collaboration, and innovation. A small student-to-faculty ratio provides an opportunity for close interaction between students and professors. While technology is pervasive on its 144-acre Pittsburgh campus, Carnegie Mellon is also distinctive among leading research universities for the world-renowned programs in its College of Fine Arts. A global university, Carnegie Mellon has campuses in Silicon Valley, Calif., and Qatar, and programs in Asia, Australia and Europe. For more, see www.cmu.edu.