Phony Phishing Fosters Less-Gullible Users

Later this week in Pittsburgh, the Anti-Phishing Working Group will hold its eCrime Researchers Summit. Among the presentations will be some findings from researchers at Carnegie Mellon University, who have used phishing tactics to educate unwary users about the dangers of phishing attacks. Got that?In the CMU study, "three groups of 14 volunteers participated in role-playing exercises in which they processed e-mail" that included a mix of phishing, spam, and legitimate messages. One group received phishing e-mails that directed them to an educational site about not falling for phishing e-mails.

Not only did the members of the fooled group spend more than twice as much time studying the materials on the anti-phishing site, but they were much more successful at identifying phony e-mail going forward: A week later, when the exercise was repeated, those in the "embedded training" group idenfitied 64% of phishing e-mails as bogus, versus 7% spotted by the other two groups.

The findings, said Lorrie Cranor, associate research professor of computer science at Carnegie Mellon and director of the university's Usable Privacy and Security Lab, suggest that "using the tricks of phishers, perhaps in a controlled environment, might be a good first step in educating computer users to protect themselves."

In other words: Once phished, twice shy.