Looking past the systems people use, they target the people using the systems.

By Jason Hong

Phishing is a kind of social-engineering attack in which criminals use spoofed email messages to trick people into sharing sensitive information or installing malware on their computers. Victims perceive these messages as being associated with a trusted brand, while in reality they are only the work of con artists. Rather than directly target the systems people use, phishing attacks target the people using the systems. Phishing cleverly circumvents the vast majority of an organization's or individual's security measures. It doesn't matter how many firewalls, encryption software packages, certificates, or two-factor authentication mechanisms an organization has if the person behind the keyboard falls for a phish.

On the surface, phishing attacks may seem to be a variant of spam. However, such attacks can lead to damaging losses in terms of identity theft [14, 25], sensitive intellectual property and customer information, and national-security secrets. Phishing attacks are also increasingly pervasive and sophisticated. Phishing has spread beyond email to include VoIP, SMS, instant messaging, social networking sites, and even massively multiplayer games [4, 6, 35]. Criminals have also shifted from sending mass-email messages, hoping to trick anyone, to more selective "spear-phishing" attacks that use relevant contextual information to trick specific victims.

Academic research and commercial work in phishing is a dynamic area combining social psychology, economics, distributed systems, machine learning, human-computer interaction, and public policy. In 2006, Jakobsson and Myers [20] published an overview of how phishing works and what countermeasures were available at the time. This article serves as an introduction to, as well as an overview of, the
- Phishing attacks initially targeted general consumers, aiming to steal identity and credit-card information, but evolved to also include high-profile targets, aiming to steal intellectual property, corporate secrets, and sensitive information concerning
- Developers must go beyond blaming users if they expect to deploy effective countermeasures against
- the three general strategies for protecting end users from phishing scams: make things invisible, develop better user interfaces, and provide