documents. Facebook and other social media provide more contextual details that can be used for spear-phishing attacks. Individual employees falling for phish in one context can cause headaches for their organizations over reused passwords. Finally, instant messaging, VoIP, SMS, and other relatively new ways of communicating offer criminals new vector options for
On the positive side, law enforcement, industry, and academic researchers are getting better organized in terms of reporting phishing attacks, sharing information, analyzing data to identify trends, and focusing resources. More organizations are devoted to combating online fraud, including APWG, the Internet Crime Complaint Center (IC3) (http://www.ic3.gov/), and the National Cyber-Forensics and Training Alliance (NCFTA) (http://www.ncfta.net/). There are also initiatives dedicated to educating people about phishing scams, including StaySafeOnline.com. Law enforcement has stepped up efforts in gathering evidence and cooperating with international partners in shutting down phishing sites and phishing gangs. Legislators in the U.S. have also passed laws to explicitly spell out what phishing is and the related penalties, including California's Anti-Phishing Act of 2005,21 though such laws face many of the same challenges as anti-spam laws in terms of attackers being outside a particular jurisdiction, the sheer number of attacks, and the limited resources available to law enforcement.
Phishing will continue to be an arms race. Since any communication medium can be used for phishing, it is also a problem that can never be solved. The best we can hope for is to blunt the worst aspects of phishing and continue to work on better ways to prevent, detect, and respond to this new form of a very old crime.
Special thanks to the Supporting Trust Decisions group (http://cups.cs.cmu.edu/trust/) at Carnegie Mellon University and Wombat Security Technologies (http://www.wombatsecurity.com/) for their contributions and
1. Abu-Nimeh, S., Nappa, D., Wang, X., and Nair, S. A comparison of machine learning techniques for phishing detection. In Proceedings of the Anti-Phishing Working Group's Second Annual eCrime Researchers Summit (Pittsburgh, PA, Oct. 4–5, 2007),
2. Anti-Phishing Working Group. APWG & Carnegie Mellon University's phishing education landing page;
3. Anti-Phishing Working Group. Phishing Activity Trends Report: Third Quarter Report, Jan. 2010; http://apwg.
4. Arthur, C. Facebook hit by phishing attack. The Guardian (Apr. 30, 2009); http://www.guardian.co.uk/
5. Blizzard Entertainment. Battle.net Authenticator FAQ;
6. Cavalli, E. World of Warcraft phishing attempts on the rise. Wired (Apr. 29, 2009); http://www.wired.
7. Cova, M., Kruegel, C., and Vigna, G. There is no free phish: An analysis of 'free' and live phishing kits. In Proceedings of the Second USENIX Workshop on Offensive Technologies (San Jose, CA, July 28, 2008). USENIX; http://portal.acm.org/citation.
8. Dhamija, R., Tygar, J.D., and Hearst, M.A. Why phishing works. In Proceedings of the CHI Conference on Human Factors in Computing Systems (Quebec, Apr. 24–27). ACM Press, New York, 2006, 581–590; http://
9. Downs, J.S., Holbrook, M.B., and Cranor, L.F. Decision strategies and susceptibility to phishing. In Proceedings of the SOUPS Symposium on Usable Privacy and Security (Pittsburgh, July 12–14). ACM Press, New York, 2006.
10. Egelman, S., Cranor, L.F., and Hong, J.I. You've been warned: An empirical study of the effectiveness of Web browser phishing warnings. In Proceedings of the CHI Conference on Human Factors in Computing Systems (Florence, Italy, Apr. 5–10). ACM Press, New York, 2008, 1065–1074.
11. Fette, I., Sadeh, N., and Tomasic, A. Learning to detect phishing emails. In Proceedings of the 16th International World Wide Web Conference (Banff, Canada, May 8–12, 2007), 649–656.
12. Garera, S., Provos, N., Chew, M., and Rubin, A.D. A framework for detection and measurement of phishing attacks. In Proceedings of the WORM Workshop on Rapid Malcode (Alexandria, VA, Nov. 2). ACM Press, New York, 2007; http://portal.acm.org/citation.
13. Görling, S. An overview of the Sender Policy Framework as an anti-phishing mechanism. Internet Research 17, 2 (2007), 169–179.
14. Herley, C. and Florencio, D. A profitless endeavor: Phishing as a tragedy of the commons. In Proceedings of the New Security Paradigms Workshop (Lake Tahoe, CA, Sept. 22–25, 2008).
15. Herley, C. and Florencio, D. Nobody sells gold for the price of silver: Dishonesty, uncertainty, and the underground economy. In Proceedings of the Workshop on the Economics of Information Security (London, June
16. Hong, J. Why have there been so many security breaches recently? blog@CACM (Apr. 27, 2011);
17. Hong, J.I. Statistical analysis of phished email users intercepted by the APWG/CMU phishing education landing page. In Proceedings of the Anti-Phishing Working Group Counter eCrime Operations Summit IV (Sao Paulo, Brazil, May 11–13, 2010); http://www.
18. Jackson, C., Simon, D.R., Tan, D.S., and Barth, A. An evaluation of extended validation and picture-in-picture phishing attacks. In Proceedings of the 11th International Conference on Financial Cryptography (Trinidad/Tobago, Feb. 12–15, 2007), 281–293.
19. Jagatic, T.N., Johnson, N.A., Jakobsson, M., and Menczer, F. Social phishing. Commun. ACM 50, 10 (Oct. 2007), 94–100.
20. Jakobsson, M. and Myers, S. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft.
21. Keizer, G. California enacts tough anti-phishing law. Information Week (Oct. 3, 2005); http://
Jason I. Hong (email@example.com) is an associate professor in the School of Computer Science and Human-Computer Interaction Institute at Carnegie Mellon University, Pittsburgh, PA.