the cups blog


School of Phish

Presented by Ponnurangam Kumaraguru (PK) from the CUPS lab at CMU.

Phishing attacks work: in 2005, 73 million adults received more than 50 phishing attacks. There are many different strategies for dealing with phishing attacks: 1) eliminate the threat, 2) warn users about the threat, or 3) educate users about phishing attacks. The speaker's focus is on educating users.

The problem is that users are hard to train. There are many existing training materials, but they could be much better. In prior work the CUPS lab presented PhishGuru, a web comic that trains users how not to fall for phish. What is novel about PK's work on PhishGuru is that it makes use of a "teachable moment," a time when the user is ready to learn about phishing. PK found that users' teachable moment occurs right after they have fallen for a phishing attack.

In this study PK is evaluating retention after several weeks. He also evaluated retention in relation to the number of training emails participants were given. Subjects were recruited from CMU faculty, students and staff. Those who signed up for the study were sent simulated phishing emails and legitimate emails. All help desks at the university were notified about the study so they would not proactively block the emails or send a bulk notification.

Users were split into three groups: 1) control, no training material; 2) one training email; 3) two training emails. Users were trained by sending them a fake phishing email that took them to a fake login page. If they provided information, the user was shown the training material. The reasoning is that users who do not click on links in phishing emails do not need to be trained not to click on phishing emails.

Overall, PhishGuru produced roughly a 50% reduction in the number of users who clicked on phishing links. Participants who saw the comic were significantly less likely to enter login information on a phishing page, and this was still true after 28 days. Those who received two training emails were even less likely to click on the phishing links. Additionally, users did not change their behavior towards legitimate emails.
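To make the study design and the reported measures concrete, here is an added example (not code from the talk, the CUPS lab or PhishGuru) that scores a constructed event log of simulated-phish and legitimate emails the way the three-group design above is evaluated: click and submit rates per group on the retention day, the set of participants who were actually shown training (only those who submitted on a training email), the drop in click rate relative to control, and the check that legitimate-email behavior did not change. The group names, the day numbers (0, 14, 28), the four participants per group and every outcome are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One email sent to one participant and the observed outcome."""
    user: str
    group: str       # "control", "one" (one training email) or "two" (two training emails)
    day: int         # days since the first simulated phishing email
    kind: str        # "phish" (simulated) or "legit" (genuine email)
    clicked: bool    # participant followed the link
    submitted: bool  # participant entered login information on the landing page


def expand(group: str, day: int, kind: str, outcomes: str) -> list[Event]:
    """Expand a compact outcome string into Event records, one character per
    participant: S = clicked and submitted, C = clicked only, N = neither."""
    return [
        Event(f"{group}{i + 1}", group, day, kind, o in "SC", o == "S")
        for i, o in enumerate(outcomes)
    ]


# Constructed outcomes for four participants per group (not the study's data).
# Training is shown only to participants who submit on a training email.
EVENTS = (
    expand("control", 0, "phish", "SSCN")
    + expand("control", 28, "phish", "SSSN")
    + expand("one", 0, "phish", "SSSN")       # day 0: training email
    + expand("one", 28, "phish", "CNNN")      # day 28: retention test
    + expand("two", 0, "phish", "SSSN")       # day 0: first training email
    + expand("two", 14, "phish", "SCNN")      # day 14: second training email
    + expand("two", 28, "phish", "NNNN")      # day 28: retention test
    + expand("control", 28, "legit", "CCCC")  # legitimate emails: clicking is expected
    + expand("one", 28, "legit", "CCCC")
    + expand("two", 28, "legit", "CCCC")
)


def rates(events, group, kind, day):
    """Click and submit rates for one group, one email kind and one day."""
    sel = [e for e in events if e.group == group and e.kind == kind and e.day == day]
    n = len(sel)
    if n == 0:
        return {"sent": 0, "click_rate": 0.0, "submit_rate": 0.0}
    return {
        "sent": n,
        "click_rate": sum(e.clicked for e in sel) / n,
        "submit_rate": sum(e.submitted for e in sel) / n,
    }


def trained_users(events, group, day):
    """Participants who submitted on the training email sent that day, i.e.
    the only ones who were actually shown the training material."""
    return {e.user for e in events
            if e.group == group and e.kind == "phish" and e.day == day and e.submitted}


def relative_reduction(events, treated, control, kind="phish", day=28):
    """Fractional drop in click rate of a trained group relative to control."""
    t = rates(events, treated, kind, day)["click_rate"]
    c = rates(events, control, kind, day)["click_rate"]
    return 0.0 if c == 0 else (c - t) / c


def report(events, day=28):
    """Print per-group rates on the retention day for both email kinds."""
    for group in ("control", "one", "two"):
        phish = rates(events, group, "phish", day)
        legit = rates(events, group, "legit", day)
        print(f"{group:8s} phish click {phish['click_rate']:.2f} "
              f"submit {phish['submit_rate']:.2f} | legit click {legit['click_rate']:.2f}")


if __name__ == "__main__":
    report(EVENTS)
    print("trained on day 0 (one):", sorted(trained_users(EVENTS, "one", 0)))
    for g in ("one", "two"):
        print(f"{g}: {relative_reduction(EVENTS, g, 'control'):.0%} fewer clicks than control")
```

The legitimate-email rates are the control for over-training: a drop in legitimate clicks alongside the drop in phishing clicks would mean participants learned to distrust all links rather than to recognize phish, which is the failure mode the talk reports did not occur.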

Of students, faculty and staff, students were the most vulnerable group.

Audience questions:

  • How do you think the results of your study are generalizable outside of CMU? Our population is definitely tech savvy. People who are between 18-25 are most vulnerable even after training. People outside of CMU could benefit from this work. I hope that it is generalizable, but it may only be generalizable to tech savvy users.
  • Did you ask users if they had fallen for other phishing attacks? There are lots of people who clicked on the link but did not give information. We don’t know if they fell for other attacks.
  • Most people who clicked on the link entered a password? Yes, this is consistent with all other studies I have done. If a user clicks on a link they are likely to enter the information. We train users not to click on links but if they do they will likely give their information.
  • The legitimate email lacked images and looked like plain text; could it have been an image, and could it have hidden the URL? In this study we found that if you create a good spear phishing email, people will fall for it.
  • Doesn’t that say that training users not to fall for phishing is not a good way to deal with phishing? Just training is not going to solve the problem. Training is the last step in the lifecycle of solving the problem.
  • If you tell the security community that training works, then you give them a way out so they don’t need to implement good security?
  • In the US most banks will cover all the expenses if someone falls for phish, so why would any user take time to go through this training? There are other repercussions than just the monetary issues.
  • Users may spend more time in the training than they save in money?