Cybersecurity Awareness: A Critical Analysis of Education and Law Enforcement Methods

Said Baadel, Fadi Thabtah, Joan Lu

Abstract


According to the international Anti-Phishing Working Group (APWG), phishing activity has risen sharply over the last few years, and users are becoming more susceptible to online and mobile fraud. Machine learning techniques have potential for building technical anti-phishing models, and a handful have already been implemented in real-time environments. However, the majority of them have yet to be applied in a real-time environment, and they require domain experts to interpret their results. This gives conventional techniques a vital role as supportive tools for a wider audience, especially novice users. This paper reviews in depth the common phishing countermeasures, including legislation, law enforcement, hands-on training, and education, among others. A complete prevention layer based on these approaches is suggested to increase awareness and to report phishing to different stakeholders, including organizations, novice users, researchers, and computer security experts, so that these stakeholders can understand the upsides and downsides of the current conventional approaches and the ways forward for improving them.



References


Aaron, G., and Manning, R. (2020). APWG Phishing Activity Trends Reports. https://docs.apwg.org/reports/apwg_trends_report_q4_2019.pdf [Accessed March 10, 2020].

Aaron, G., and Rasmussen, R. (2010). Global phishing survey: trends and domain name use in 2H 2009. Lexington, MA: Anti-Phishing Working Group (APWG).

Abdelhamid, N. (2015). Multi-label rules for phishing classification. Applied Computing and Informatics, 11(1): 29-46.

Abdelhamid, N., Thabtah, F., and Ayesh, A. (2014). Phishing detection based associative classification data mining. Expert Systems with Applications, 41: 5948-5959.

Abdelhamid, N., and Thabtah F. (2014). Associative Classification Approaches: Review and Comparison. Journal of Information and Knowledge Management (JIKM), 13(3).

Abdelhamid, N., Thabtah, F., and Abdeljaber, H. (2017). Phishing detection: A recent intelligent machine learning comparison based on models content and features. Proceedings of IEEE International Conference on Intelligence and Security Informatics (ISI), China. IEEE.

Aburrous, M., Hossain, M., Dahal, K., and Thabtah, F. (2010). Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies. Journal of Cognitive Computation, 2(3): 242-253.

Aburrous, M., Hossain, A., Dahal, K., and Thabtah, F. (2008). Intelligent Quality Performance Assessment for E-Banking Security using Fuzzy Logic. Proceedings of the 7th IEEE International Conference on Information Technology (ITNG 2008). Las Vegas, USA.

Afroz, A., and Greenstadt, R. (2011). PhishZoo: Detecting Phishing Websites by Looking at Them. Proceedings of the Fifth International Conference on Semantic Computing. Palo Alto, California, USA. IEEE.

Aleroud, A., and Zhou, L. (2017). Phishing environments, techniques, and countermeasures: A survey. Computers & Security, 68: 160-196.

Alsharnouby, M., Alaca, F., and Chiasson, S. (2015). Why phishing still works: User strategies for combating phishing attacks. International Journal of Human-Computer Studies, 82: 69-82.

APWG (2017). Anti-phishing Work Group. https://apwg.org// [Accessed Oct 20, 2017]

Anandpara, V., Dingman, A., Jakobsson, M., Liu, D., and Roinestad, H. (2007). Phishing IQ tests measure fear, not ability. Usable Security (USEC’07).

Arachchilage, N., and Love, S. (2013). A game design framework for avoiding phishing attacks. Computers in Human Behavior, 29(3): 706-714.

Arachchilage, N., and Love, S. (2014). Security awareness of computer users: A phishing threat avoidance perspective. Computers in Human Behavior, 38: 304-312.

Arachchilage, N., Love, S., and Beznosov, K. (2016). Phishing threat avoidance behaviour: an empirical investigation. Computers in Human Behavior, 60: 185-197.

Arachchilage, N., and Cole, M. (2011). Design a mobile game for home computer users to prevent from “phishing attacks”. International Conference on Information Society (i-Society), 485-489.

Arachchilage, N., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L., and Hong, J. (2007). Getting users to pay attention to anti-phishing education: evaluation of retention and transfer. Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit. Pittsburgh, PA, USA. ACM.

Atkins, B., and Huang, W. (2013). A study of social engineering in online frauds. Open Journal of Social Sciences, 1(3): 23-32.

Aycock, J. (2007). A design for an anti-spear-phishing system. Proceedings of the 7th Virus Bulletin International Conference, Vienna, Austria, pp. 290-293.

Associated Press (2009). Dozens Charged in Phishing Scam. http://www.independent.co.uk/life-style/gadgets-and-tech/news/dozens-charged-in-phishing-scam-1799482.html [Accessed Oct 8, 2019]

Baadel, S., and Lu, J. (2019). Data Analytics: intelligent anti-phishing techniques based on Machine Learning. Journal of Information & Knowledge Management, 18(1): 1950005.

Baadel, S., Thabtah, F., and Majeed, A. (2018). Avoiding the Phishing Bait: The Need for Conventional Countermeasures for Mobile Users. Proceedings of the 9th IEEE Annual Information Technology, Electronics and Mobile Communication Conference, Vancouver, Canada.

Bainbridge, D. (2007). Criminal law tackles computer fraud and misuse. Computer Law & Security Review, 23(3):276-281.

Calman, C. (2006). Bigger phish to fry: California's antiphishing statute and its potential imposition of secondary liability on internet service providers. Richmond Journal of Law & Technology, 13(1): 1-24.

Cassim, F. (2014). Addressing the Spectre of Phishing: Are Adequate Measures in Place to Protect Victims of Phishing. The Comparative and International Law Journal of Southern Africa, 47(3):401-428.

Dhamija, R., and Tygar, J. (2005). The battle against phishing: dynamic security skins. Proceedings of the Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, PA, USA, pp. 77-88.

Department of Justice (2004). Report on Phishing. United States Dept. of Justice, p. 3. https://www.justice.gov/sites/default/files/opa/legacy/2006/11/21/report_on_phishing.pdf.

Downs, J., Holbrook, M., and Cranor, L. (2007). Behavioral response to phishing risk. Proceedings of the 2nd annual eCrime researchers summit, Pittsburgh, PA, USA.

Granova, A., and Eloff, J. (2005). A legal overview of phishing. Computer Fraud & Security, 20(7): 6-11.

GSF (2017). Google Safe Browsing. http://ww.safebrowsing.google.com/safebrowsing/report_phish/?hl=en

Hadnagy, C. (2015). Phishing-as-a-service (PHaaS) used to increase corporate security awareness. U.S. Patent Application 14/704,148.

Harrison, B., Svetieva, E., and Vishwanath, A. (2016). Individual processing of phishing emails. Online Information Review, 40(2):265-281.

Harrison, B., Vishwanath, A., Yu, J., Ng, Y., and Rao, R. (2015). Examining the impact of presence on individual phishing victimization. Proceedings of the 48th Hawaii International Conference on System Sciences (HICSS), pp. 3483-3489.

Huang, H., Tan, J., and Liu, L. (2009). Countermeasure techniques for deceptive phishing attack. Proceedings of the International Conference on New Trends in Information and Service Sciences, pp. 636-641.

Jagatic, T., Johnson, N., Jakobsson, M., and Menczer, F. (2007). Social phishing. Communications of the ACM, 50(10):94-100.

Jain, A., and Gupta, B. (2017). Phishing Detection: Analysis of Visual Similarity Based Approaches. Security and Communication Networks, 2017: 1-20.

James, L. (2005). Phishing Exposed. Rockland, MA: Syngress Publishing.

Khonji, M., Iraqi, Y., and Jones, A. (2013). Phishing Detection: A Literature Survey. IEEE Communications Surveys & Tutorials, 15(4).

Kirlappos, I., and Sasse, M. (2012). Security education against phishing: a modest proposal for a major rethink. IEEE Security & Privacy, 10: 24-32.

Kumaraguru, P., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L., et al. (2007). Getting users to pay attention to anti-phishing education: evaluation of retention and transfer. 2nd annual eCrime researchers summit, Pittsburgh, PA. USA.

Kumaraguru, P., Cranshaw, J., et al. (2009). School of phish: a real-world evaluation of anti-phishing training. Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS), Article No. 3. ACM.

Larson, J. (2010). Enforcing intellectual property rights to deter phishing. Intellectual Property & Technology Law Journal, 22(1): 1-8.

Le, A., Markopoulou, A., and Faloutsos, M. (2011). PhishDef: URL names say it all. Proceedings of IEEE INFOCOM, pp. 191-195.

Leyden, J. (2006). Florida Man Indicted over Katrina Phishing Scam. The Register (U.K.). http://www.theregister.com/2006/08/18/hurricane_k_phishing_scam/

Leung, C. (2009). Depress phishing by CAPTCHA with OTP. Proceedings of the 3rd International Conference on Anti-counterfeiting, Security, and Identification in Communication, pp. 187-92.

Leukfeldt, E., Lavorgna, A., and Kleemans, E. (2017). Organised Cybercrime or Cybercrime that is Organised? An Assessment of the Conceptualisation of Financial Cybercrime as Organised Crime. European Journal on Criminal Policy and Research, 23(3):287-300.

Liang, X., and Xue, Y. (2010). Understanding security behaviours in personal computer usage: A threat avoidance perspective. Journal of the Association for Information Systems, 11(7): 394-413.

Lungu, I., and Tabusca, A. (2010). Optimising anti-phishing solutions based on user awareness, education and the use of the latest web security solutions. Informatica Economica Journal, 14(2): 27-36.

Ma, J., Saul, L., Savage, S., and Voelker, G. (2009). Beyond blacklists: Learning to detect malicious web sites from suspicious URLs. Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1245-1254.

Medvet, E., Kirda, E., and Kruegel, C. (2008). Visual-similarity-based phishing detection. Proceedings of the 4th International Conference on Security and Privacy in Communication Networks, pp. 22:1-22:6.

McCall, T. (2007). Gartner Survey Shows Phishing Attacks Escalated in 2007. Gartner, Inc. Stamford, USA. http://www.gartner.com/newsroom/id/565125

Marchal, S., Saari, K., Singh, N., and Asokan, N. (2016). Know your phish: Novel techniques for detecting phishing sites and their targets. Proceedings of the IEEE 36th International Conference on Distributed Computing Systems (ICDCS).

Mohammad, R., Thabtah, F., and McCluskey L. (2014). Predicting Phishing Websites based on Self-Structuring Neural Network. Journal of Neural Computing and Applications, 25 (2): 443-458.

Mohammad, R., Thabtah, F., and McCluskey, L. (2015). Tutorial and critical analysis of phishing websites methods. Computer Science Review, 17: 1-24.

Netcraft (2017). Netcraft Antiphishing Services. https://www.netcraft.com/anti-phishing/

Nguyen, L., To, B., and Nguyen H. (2015). An Efficient Approach for Phishing Detection Using Neuro-Fuzzy Model. Journal of Automation and Control Engineering, 3(6).

Petty, R., and Cacioppo, J. (1986). The elaboration likelihood model of persuasion. L. (Ed.), Advances in Experimental Social Psychology, Vol 19. New York: Academic Press, 123-205.

Pike, G. (2006). Lost data: The legal challenges. Information Today, 23(10): 1-3.

Phillips, K. (2017). Police Arrest Millennial Behind Multi-Million Dollar IRS Phone Scam. Forbes (US). https://www.forbes.com/sites/kellyphillipserb/2017/04/10/police-arrest-millennial-behind-multi-million-dollar-irs-phone-scam/#1bb604206ffc

Cofense (2020). US Phishing Report Trends. https://cofense.com/phishing-response-trends [Accessed Mar 10, 2020]

Purkait, S. (2012). Phishing counter measures and their effectiveness – literature review. Information Management & Computer Security, 20(5): 382-420.

Qabajeh, I., Thabtah, F., and Chiclana, F. (2015). Dynamic Classification Rules Data Mining Method. Journal of Management Analytics, 2(3): 233-253.

Ramanathan, V., and Wechsler, H. (2013). Phishing detection and impersonated entity discovery using conditional random field and latent Dirichlet allocation. Computers & Security, 34, 123-139.

Robila, S., and Ragucci, J. (2006). Don't be a phish: steps in user education. Proceedings of the 11th Annual SIGCSE Conference on Innovation and Technology in Computer Science Education, ACM Press, New York, NY, pp. 237-41.

Ronald, D., Curtis, C., and Aaron, F. (2007). Phishing for user security awareness. Computers & Security, 26(1): 73-80.

Saklikar, S., and Saha, S. (2008). Public key-embedded graphic CAPTCHAs. Proceedings of the Consumer Communications and Networking Conference (CCNC 2008), pp. 262-6.

Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., et al. (2007). Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA.

Sheng, S., Wardman, B., Warner, G., Cranor, L., Hong, J., and Zhang, C. (2009). An empirical analysis of phishing blacklists. Proceedings of the 6th Conference on Email and Anti-Spam (CEAS), Mountain View, CA, USA.

Sheng, S., Holbrook, M., Arachchilage, N., Cranor, L., and Downs, J. (2010). Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions. Proceedings of the 28th International Conference on Human Factors in Computing Systems (CHI), New York, NY, USA. ACM.

Stevenson, R. (2005). Plugging the “Phishing” Hole: Legislation versus Technology. Duke Law and Technology Review, 2005(6).

Symantec (2017). Report Suspected Phishing Sites. https://submit.symantec.com/antifraud/phish.cgi [Accessed October 20, 2017]

Thabtah, F., Mohammad, R., and McCluskey, L. (2016). A Dynamic Self-Structuring Neural Network Model to Combat Phishing. Proceedings of the 2016 IEEE World Congress on Computational Intelligence. Vancouver, Canada.

Thabtah, F., Qabajeh, I., and Chiclana, F. (2016). Constrained dynamic rule induction learning. Expert Systems with Applications, 63: 74-85.

US-CERT (2017). Report Phishing Sites. https://www.us-cert.gov/report-phishing

Vishwanath, A., Harrison, B., and Ng, Y. (2015). Suspicion, cognition, automaticity model (SCAM) of phishing susceptibility. Proceedings of the Annual Meeting of 65th International Communication Association Conference, San Juan.

Vishwanath, A., Herath, T., Chen, R., Wang, J., and Rao, H. (2011). Why do people get phished? Testing individual differences in phishing vulnerability within an integrated information processing model. Decision Support Systems, 51(3): 576-586.

Workman, M. (2008). A test of intervention for security threats from social engineering. Information Management & Computer Security, 16(5): 463-483.

Whittaker, C., Ryner, B., and Nazif, M. (2010). Large-scale automatic classification of phishing pages. Proceedings of the 2010 Network and Distributed System Security (NDSS) Symposium.

Wu, L., Du, X., and Wu, J. (2016). Effective Defense Schemes for Phishing Attacks on Mobile Computing Platforms. IEEE Transactions on Vehicular Technology, 65(8).

Xiang, G., and Hong, J. (2009). A hybrid phish detection approach by identity discovery and keywords retrieval. Proceedings of the 18th International Conference on World Wide Web, pp. 571-580.

Xu, Z., and Zhu, S. (2012). Abusing notification services on smartphones for phishing and spamming. Proceedings of the USENIX Workshop on Offensive Technologies (WOOT'12), pp. 1-11.

Yue, C., and Wang, H. (2008). Anti-phishing in offense and defense. Proceedings of the Annual Computer Security Applications Conference (ACSAC), pp. 345-54.




DOI: https://doi.org/10.31449/inf.v45i3.3328

This work is licensed under a Creative Commons Attribution 3.0 License.