Carnegie Mellon University computer scientists have developed an interactive, online game featuring a little fish named Phil who teaches players cybersecurity tips. "Anti-Phishing Phil" helps users to better recognize and avoid email "phishing" and other Internet scams.
In testing at the Carnegie Mellon Usable Privacy and Security (CUPS) Laboratory, people who spent 15 minutes playing the game were better able to identify fraudulent websites than people who spent the same amount of time reading anti-phishing tutorials or other online training materials.
Phishing attacks attempt to trick people into revealing personal information, bank or credit card account information. Often they involve emails that appear to be from a legitimate business and direct recipients to visit a website that likewise appears to belong to that business. There they are asked to "verify" account information, which opens the door to financial loss and identity theft.
In addition to spoof emails and counterfeit websites, some attacks even mimic parts of a user's own Web browser.
"We believe education is essential if people are to avoid being ripped off by these phishing attacks and similar online scams," said Carnegie Mellon's Lorrie Cranor, associate research professor in the School of Computer Science's Institute for Software Research and director of the CUPS Lab.
Cranor added, "Unlike viruses or spyware, phishing attacks don't exploit weaknesses in a computer's hardware or software, but take advantage of the way people use their computers and their often-limited knowledge of the way computers work."
Several government agencies and schools are now using Anti-Phishing Phil as part of their cybersecurity training.
In addition to Cranor, Anti-Phishing Phil developers include Carnegie Mellon faculty members Jason Hong and Alessandro Acquisti, and students Steve Sheng, Bryant Magnien and Ponnurangam Kumaraguru. CUPS has also collaborated with Portugal Telecom to develop a Portuguese version of the game called Anti-Phishing Ze.
The Anti-Phishing Phil project is part of a larger anti-phishing research effort at Carnegie Mellon funded by the National Science Foundation and the Army Research Office.