Online Game Helps People Recognize Internet Scams

In testing at the Carnegie Mellon Usable Privacy and Security (CUPS) Laboratory, people who spent 15 minutes playing the Anti-Phishing Phil game were better able to identify fraudulent Web sites than people who spent the same amount of time reading anti-phishing tutorials or other online training materials. 

Now, the CUPS Lab wants to see how Anti-Phishing Phil performs when he swims in a bigger, more diverse pond. As part of a field test, researchers ask people to visit the online game * and click on the "Play the game!" link. Participants will be asked to take a short quiz, play the game and then take another quiz.

Those who leave their email address and participate in a follow-up quiz a week later will be eligible for a raffle prize of a $100 Amazon.com gift card.

Phishing attacks attempt to trick people into revealing personal information or bank or credit card account information. Often, they involve emails that appear to be from a legitimate business, such as a bank, and direct recipients to visit a Web site that likewise appears to belong to that business. There they are asked to "verify" account information. In addition to spoof emails and counterfeit Web sites, some attacks even mimic parts of a user's own Web browser.

"We believe education is essential if people are to avoid being ripped off by these phishing attacks and similar online scams," said Lorrie Cranor, associate research professor in the School of Computer Science's Institute for Software Research and director of the CUPS Lab. "Unlike viruses or spyware, phishing attacks don't exploit weaknesses in a computer's hardware or software, but take advantage of the way people use their computers and their often-limited knowledge of the way computers work."

Security experts disagree about whether user education is effective in reducing vulnerability to increasingly sophisticated phishing attacks. But Steve Sheng, a Ph.D. student in Carnegie Mellon's Engineering and Public Policy Department and lead developer of Anti-Phishing Phil, presented results of a lab study at the Symposium on Usable Privacy and Security this past July, showing that training could improve people's ability to correctly identify legitimate and illegitimate Web sites. The game format of Anti-Phishing Phil proved particularly effective, improving the users' accuracy from 69 percent prior to training to 87 percent after playing the game.

"We designed the game to teach people how to use Web addresses, or URLs, to identify phishing Web sites," said Sheng. "That tactic can also be useful in analyzing suspicious email messages." 

In addition to Cranor and Sheng, Anti-Phishing Phil developers include Carnegie Mellon faculty members Jason Hong and Alessandro Acquisti, and students Bryant Magnien and Ponnurangam Kumaraguru. CUPS has also collaborated with Portugal Telecom to develop a Portuguese version of the game called Anti-Phishing Ze.

Play the game at: http://cups.cs.cmu.edu/antiphishing_phil/