Playing an online game beats computer tutorials or written materials in arming people against phishing attacks,Carnegie Mellon University computer scientists have determined.
The scientists tested an online game they developed, Anti-Phishing Phil, against a tutorial they created based on the game and existing online materials.
After 15-minute tests,"We found that participantswho played the game were better able to identify fraudulent websites, compared to the participants in other conditions," the researchers reported in a paper presented at an online security symposium in July.
"We designed the game to teach people how to use web addresses, or URLs, to identify phishing websites," said Steve Sheng, a Carnegie PhD student and lead developer of the game, a project of the university's Usable Privacy and Security Laboratory.
Other computer scams,like viruses or spyware, are basedon aweakness in the computer's hardware or software. But phishing attacks "take advantage of the way people use their computers and their often-limited knowledge of the way computers work," said Lorrie Cranor, Carnegie professor and director of the lab.
The game stars a little fish named Phil who helps users identify phishing URLs, look for cues in web browsersand use search engines to find legitimate sites.
The lab'suser studies concluded thateducation can protect people from falling for phishing attacks, the scientists said.
But "it is hard to get users to read security tutorials, and many of the available online training materials make users aware of the phishing threat but do not provide them with enough information to protect themselves."
The researchers want to expand their tests by asking visitors to go to their website and play the game.
Phishing is a computer-based scam that tries to trick people into revealing personal,bank or credit-card information. Phishing often involves e-mails that appear legitimate, such as a request from a bank to confirm account information by sending details of the account.
Ifconsumers do,the scammers will try to use the information to break into the consumer'saccount.