Play and Learn

Online Game Helps People Recognize Internet Scams
by: Jerry Liao

User studies have found that user education can help prevent people from falling for phishing attacks. However, it is hard to get users to read security tutorials, and many of the available online training materials make users aware of the phishing threat but do not provide them with enough information to protect themselves. So rather than doing it the traditional way, why not educate users via playing a game called Anti-Phishing Phil.

Carnegie Mellon University computer scientists have developed an interactive, online game featuring a little fish named Phil that can teach people how to better recognize and avoid email “phishing” and other Internet scams.

Anti-Phishing Phil is an interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites. It’s an entertaining and fun way to inform your employees or customers about phishing attacks and how to avoid them. It can be customized with your organization’s URLs and branding information or integrated into a larger training program.

In testing at the Carnegie Mellon Usable Privacy and Security (CUPS) Laboratory, people who spent 15 minutes playing the Anti-Phishing Phil game were better able to identify fraudulent Web sites than people who spent the same amount of time reading anti-phishing tutorials or other online training materials.

Now, the CUPS Lab wants to see how Anti-Phishing Phil performs when he swims in a bigger, more diverse pond. As part of a field test, researchers ask people to visit http://cups.cs.cmu.edu/antiphishing_phil/ and click on the “Play the game!” link. Participants will be asked to take a short quiz, play the game and then take another quiz.

Those who leave their email address and participate in a follow-up quiz a week later will be eligible for a raffle prize of a $100 Amazon.com gift card.

Phishing attacks attempt to trick people into revealing personal information or bank or credit card account information. Often, they involve emails that appear to be from a legitimate business, such as a bank, and direct recipients to visit a Web site that likewise appears to belong to that business. There they are asked to “verify” account information. In addition to spoof emails and counterfeit Web sites, some attacks even mimic parts of a user’s own Web browser.

“We believe education is essential if people are to avoid being ripped off by these phishing attacks and similar online scams,” said Lorrie Cranor, associate research professor in the School of Computer Science’s Institute for Software Research and director of the CUPS Lab. “Unlike viruses or spyware, phishing attacks don’t exploit weaknesses in a computer’s hardware or software, but take advantage of the way people use their computers and their often-limited knowledge of the way computers work.”

Security experts disagree about whether user education is effective in reducing vulnerability to increasingly sophisticated phishing attacks. But Steve Sheng, a Ph.D. student in Carnegie Mellon’s Engineering and Public Policy Department and lead developer of Anti-Phishing Phil, presented results of a lab study at the Symposium on Usable Privacy and Security this past July, showing that training could improve people’s ability to correctly identify legitimate and illegitimate Web sites. The game format of Anti-Phishing Phil proved particularly effective, improving the users’ accuracy from 69 percent prior to training to 87 percent after playing the game.

So for those of you who wants to be educated with regards to how to spot and better recognize phishing and other Internet scam, try playing the game – or you can always read the manuals if you want. At the end of the day, the important thing is all of us users should be protected and put an end or at least minimize the dangers brought about by phishings and scams.