CUPS - CMU Usable Privacy
					  and Security Laboratory -
					  Carnegie Mellon University,
					  5000 Forbes Ave.,
					  Pittsburgh, PA 15213

Supporting Trust Decisions

When Internet users are asked to make "trust" decisions they often make the wrong decision. Implicit trust decisions include decisions about whether or not to open an email attachment or provide information in response to an email that claims to have been sent by a trusted entity. Explicit trust decisions are decisions made in response to specific trust- or security-related prompts such as pop-up boxes that ask the user whether to trust an expired certificate, execute downloaded software, or allow macros to execute. Attackers are able to take advantage of most users' poor trust decision-making skills through a class of attacks known as "semantic attacks." It is not always possible for systems to make accurate trust decisions on a user's behalf, especially when those decisions require knowledge of contextual information. The goal of this research is not to make trust decisions for users, but rather to develop approaches to support users when they make trust decisions. This work is sponsored by the US National Science Foundation under Grant No. 0524189, Fundação para a Ciência e Tecnologia (FCT) Portugal under a grant from the Information and Communications Technology Institute (ICTI) at CMU, and ARO/CyLab (See also the CyLab announcement about this project.) Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or the Army Research Office.

Supporting Trust Decisions Poster - presented at NSF Cyber Trust Principal Investigators Meeting, January 28-30, 2007

Anti-phishing filtering and education at Carnegie Mellon University - May 2008 2-page handout providing an overview of our work


October 2009: After five very productive years, we've completed this project and moved on to other things. Many of the solutions developed by this project are now commercialized by Wombat Security Technologies, Inc.

Lorrie Cranor's article on phishing was published in the December issue of Scientific American

Play Wombat's demo version of our Anti-Phishing Phil game and learn how to protect yourself from phishing scams.

Our Projects

Improving Phishing Countermeasures

S. Sheng, P. Kumaraguru, A. Acquisti, L. Cranor, and J. Hong. Improving phishing countermeasures: An analysis of expert interviews. In eCrime Researchers Summit, 2009. eCRIME'09., pages 1-15.

Anti-phishing Phil

We are developing a web-based interactive game to teach people how to avoid falling for phishing attacks. You can play the game online.

Through a collaboration between CMU and Portugal Telecom, we developed a Portuguese version of this game, Anti-Phishing Ze.

S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.

Anti-phishing toolbar testing

We have developed a test bed for semi-automated testing of anti-phishing toolbars. We have used this testbed to test 10 popular anti-phishing toolbars. It has also been useful in testing our own anti-phishing toolbar. We have also conducted a study to test whether users pay attention to anti-phishing toolbar warnings.

S. Sheng, B. Wardman, G. Warner, L. Cranor, J. Hong, and C. Zhang. An Empirical Analysis of Phishing Blacklists. CEAS 2009.

Y. Zhang, S. Egelman, L. Cranor, and J. Hong Phinding Phish: Evaluating Anti-Phishing Tools. In Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS 2007), San Diego, CA, 28th February - 2nd March, 2007.

S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.


CANTINA (Carnegie Mellon ANTI-phishing and Network Analysis tool) is a novel, content-based approach to detecting phishing web sites, based on the well-known TF-IDF algorithm used in information retrieval. Our experiments show that CANTINA is good at detecting phishing sites, correctly labeling approximately 95% of phishing sites.

Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In Proceedings of the 16th International conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.

Xiang, G., C. Rose, J. Hong, B. Pendleton. A Hierarchical Adaptive Probabilistic Approach for Zero Hour Phish Detection. European Symposium on Research in Computer Security (ESORICS 2010). To Appear.

Embedded training

We are developing a new email-based anti-phishing training system called PhishGuru, in which training messages are designed to look like actual phishing messages. When users "fall" for our messages, we immediately present them with interventions that contain information about phishing and teach them how to avoid falling for real scams. This approach has shown great promise in our laboratory and field studies, and is now being commercialized by Wombat Security Technologies.

P. Kumaraguru, L. Cranor, and L. Mather. Anti-Phishing Landing Page: Turning a 404 into a Teachable Moment for End Users. CEAS 2009.

P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M.A. Blair, and T. Pham. School of Phish: A Real-Word Evaluation of Anti-Phishing Training. SOUPS 2009.

Ponnurangam Kumaraguru. PhishGuru: A System for Educating Users about Semantic Attacks. PhD Thesis, Computation, Oragnizations and Society, Carnegie Mellon University, Pittsburgh, PA, CMU-ISR-O9-106, April 14, 2009.

P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. Cranor and J. Hong. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 70-81.

P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. ACM Trans. Internet Technol. 10, 2 (May. 2010), 1-31.

P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. In CHI 2007: Conference on Human Factors in Computing Systems, San Jose, California, 28 April - May 3, 2007, 905-914. [Originally published as CyLab Technical Report CMU-CyLab-06-017, 2006]

P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Lessons from a real world evaluation of anti-phishing training. In Proceedings of the third eCrime Researchers Summit (eCrime 2008), October 15-16, 2008, Atlanta, GA.

Mental models study

We are conducting a series of mental models interviews aimed at understanding and modeling how people make trust decisions in the online context.

S. Sheng, M. Holbrook, P. Kumaraguru, L. Cranor, and J. Downs. Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions. CHI 2010.

J. Downs, M. Holbrook, and L. Cranor. Behavioral Response to Phishing Risk. Proceedings of the 2nd Annual eCrime Researchers Summit, October 4-5, 2007, Pittsburgh, PA, p. 37-44.

J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

P. Kumaraguru, A. Acquisti and L. Cranor. Trust modeling for online transactions: A phishing scenario. In Privacy, Security, Trust, Oct 30 - Nov 1, 2006, Ontario, Canada.


We have developed a new framework for detecting phishing emails called PILFER (Phishing Identification by Learning on Features of Email Received). By incorporating features specifically designed to highlight the deceptive methods used to fool users, we are able to accurately classify over 96% of phishing emails, while maintaining a false positive rate on the order of 0.1%.

I. Fette, N. Sadeh, and A. Tomasic. Learning to Detect Phishing Emails In Proceedings of the 16th International conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007. [Earlier version available as ISRI Technical Report. CMU-ISRI-06-112, 2006.]

Other CMU Anti-Phishing Projects

Phoolproof Phishng Prevention

Phoolproof Phishing Prevention (developed by Adrian Perrig and his students) uses a trusted device to perform mutual authentication that eliminates reliance on perfect user behavior, thwarts Man-in-the-Middle attacks after setup, and protects a user's account even in the presence of keyloggers and most forms of spyware.


Faculty and Research Staff

In the news

ISO carries out phishing study by Edmund Huber, The Tartan, 6 April 2009.

Web tool detects something phishy by Bonnie Pfister, Pittsburgh Tribune-Review, 12/11/07.

Researchers: Current education inadequate to fight phishing by Elizabeth Montalbano, Computerworld, 10 October 2007.

Online game teaches users about the threats of phishing by Kun Xian Leong, The Tartan, 8 October 2007.

Phishing victims learn online security lesson by Robert Jacques,, 3 October 2007.

Fighting Phish, Dr. Dobb's Journal, 2 October 2007.

Coolest Security Tool Ever! - Online game to teach cyber-security by Alexandru Dumitru, Softpedia, 2 October 2007.

Anti-Phishing Game To Help Raise Awarness,, 1 October 2007.

Scientists develop Anti-Phishing game to educate Web users by Ruben Francia,, 29 September 2007.

Carnegie Mellon's Online Game Helps People Recognize Internet Scams, Phishing by Regina Sass, Associated Press, 28 September 2007.

A new game developed at Carnegie Mellon University educates users on phishing threats. by Christopher Nickson, Digital Trends, 27 September 2007.

Phishers caught hook, line and sinker by Stuart Turton, PC Pro, 26 September 2007.

Carnegie Mellon floats anti-phishing game by Robert Jaques, PC Magazine, 26 September 2007.

CMU's Anti-Phishing Phil helps users identify Internet scams--try it! by Deb Smit, POP City, 26 September 2007.

Fish named Phil helps foil phishers, CBC News, 26 September 2007.

The truth about anti-phishing toolbars by Paul Roberts, InforWorld Tech Watch, 30 November 2006.

Study blasts failing phishing toolbars by Shaun Nichols,, 22 November 2006.

Phishing toolbars: all as hopeless as one another by John E. Dunn, Techworld, 20 November 2006.

Phishing Filter Prevents E-Mail Identity Theft by Brian Livingston, Executive Tech, 18 July 2006.

Don't click anything! by Thomas Olson, Pittsburgh Tribune-Review, 12 July 2006.

Researchers work to thwart cleverer cyber scammers by Corilyn Shropshire, Pittsburgh Post-Gazette, 12 July 2006.