Article
School of Phish: A Real-World Evaluation of Anti-Phishing Training
Institute for Software Research
  • Ponnurangam Kumaraguru, Carnegie Mellon University
  • Justin Cranshaw, Carnegie Mellon University
  • Alessandro Acquisti, Carnegie Mellon University
  • Lorrie Faith Cranor, Carnegie Mellon University
  • Jason Hong, Carnegie Mellon University
  • Mary Ann Blair, Carnegie Mellon University
  • Theodore Pham, Carnegie Mellon University
Date of Original Version
1-1-2009
Type
Working Paper
Rights Management
All Rights Reserved
Abstract or Description
PhishGuru is an embedded training system that teaches users to avoid falling for phishing attacks by delivering a training message when the user clicks on the URL in a simulated phishing email. In previous lab and real-world experiments, we validated the effectiveness of this approach. Here, we extend our previous work with a 515-participant, real-world study in which we focus on long-term retention and the effect of two training messages. We also investigate demographic factors that influence training and general phishing susceptibility. Results of this study show that (1) users trained with PhishGuru retain knowledge even after 28 days; (2) adding a second training message to reinforce the original training decreases the likelihood of people giving information to phishing websites; and (3) training does not decrease users’ willingness to click on links in legitimate messages. We found no significant difference between males and females in the tendency to fall for phishing emails both before and after the training. We found that participants in the 18-25 age group were consistently more vulnerable to phishing attacks on all days of the study than older participants. Finally, our exit survey results indicate that most participants enjoyed receiving training during their normal use of email.
Citation Information
Ponnurangam Kumaraguru, Justin Cranshaw, Alessandro Acquisti, Lorrie Faith Cranor, et al. "School of Phish: A Real-World Evaluation of Anti-Phishing Training" (2009)
Available at: http://works.bepress.com/lorrie_cranor/19/