
Cogn Comput (2010) 2:242–253

DOI 10.1007/s12559-010-9042-7

Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

Maher Aburrous · M. A. Hossain · Keshav Dahal · Fadi Thabtah

Published online: 30 April 2010

© Springer Science+Business Media, LLC 2010

Abstract

Phishing is a form of electronic identity theft in which a combination of social engineering and Web site spoofing techniques is used to trick a user into revealing confidential information with economic value. The problem with social engineering attacks is that there is no single solution to eliminate them completely, since they deal largely with the human factor. This is why conducting empirical experiments is crucial in order to study and analyze all malicious and deceptive phishing Web site attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light on social engineering attacks, such as phone phishing and phishing Web site attacks, for designing effective countermeasures and analyzing the efficiency of security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing awareness training for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard security phishing factor indicators are not always effective for detecting phishing websites, and alternative intelligent phishing detection approaches are needed.

Keywords Phishing Web site · e-Banking · Social engineering · Malicious attack · Security awareness

M. Aburrous (✉) · M. A. Hossain · K. Dahal
Department of Computing, University of Bradford, Bradford, England, UK
e-mail: mrmaburr@bradford.ac.uk
M. A. Hossain
e-mail: m.a.hossain1@bradford.ac.uk
K. Dahal
e-mail: k.p.dahal@bradford.ac.uk
F. Thabtah
MIS Department, Philadelphia University, Amman, Jordan
e-mail: ffayez@philadelphia.edu.jo

Introduction

Online services simplify our lives. They allow us to access information ubiquitously and are also useful for service providers because they reduce the operational costs involved in offering a service. For example, online banking over the Web has become indispensable for customers as well as for banks. Unfortunately, interacting with an online service such as a banking Web application often requires a certain degree of technical sophistication that not all Internet users possess. For the last decade, such naive users have been increasingly targeted by phishing attacks that are launched by miscreants who are aiming to make an easy profit by means of illegal financial transactions. Phishing is a form of electronic identity theft in which a combination of social engineering and Web site spoofing techniques is employed to trick a user into revealing confidential information of economic value. Phishing techniques are continuously being updated, and there are always new variations appearing. Phishing attackers use various tactics to lure or hijack a browser into visiting bogus sites. Ordinary Internet users cannot become familiar with all these phishing techniques easily. Unfortunately, phishing attacks are growing, both in numbers and in complexity. Phishing websites are becoming increasingly sophisticated. They can capture e-banking website details automatically without any action on the part of the victim.

Phishing website attacks are growing at a torrid pace. The numbers of phishing attacks and reported phishing sites are increasing every year, even every month. Damage caused by phishing is severe. The APWG (Anti-Phishing

Working Group) is an industry association focused on eliminating identity theft and fraud that result from the growing problem of phishing and email spoofing. This voluntary-based organization provides a forum to discuss phishing issues, trials and evaluations of potential technology solutions, and access to a centralized repository of reports on phishing attacks [39]. The number of unique phishing websites detected by this organization shows that there has been a huge increase in unique phishing sites all over the world. In December 2005, forged phishing sites alone exceeded 7,000 [5]. APWG has also recently released a new report containing statistics of phishing attacks during the first half of 2009. According to the APWG global phishing survey report [4], there were at least 55,698 phishing attacks, around 7% higher than the previous year. Those attacks occurred on 30,131 unique domain names. APWG identified that 4,382 were registered by phishers, representing about 14.5% of the domain names involved in phishing. In addition, phishing was detected on 3,563 unique IP addresses. The Gartner study [14] shows that phishing attacks escalated in 2007; more than $3 billion was lost to these attacks. The survey found that 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, compared with the 2.3 million who did so the year before. And, in 2008, Gartner reported a 39.8% increase over the number of victims a year earlier. Media outlets have reported that phishing website-related scams have resulted in more than $5 billion in fraudulent bank and financial charges to date [25].

Internet Banking (E-banking)

Internet banking (e-banking) is defined as the automated delivery of new and traditional banking products and services directly to customers through interactive electronic communication channels. E-banking includes the systems that enable customers, individuals or businesses, to access accounts, transact business or obtain information on products and services through a public or private network, including the Internet [11]. Commercial banking is undergoing rapid changes, as the international economy expands and advances toward institutional and market completeness.

Phishing Websites

Phishing is a relatively new Internet crime in comparison with other forms, e.g., viruses and hacking. More and more phishing Web pages have been found in recent years, at an accelerating rate [12]. Its impact is the breach of information security through the compromise of confidential data, and the victims may finally suffer losses of money or other kinds. A phishing website is a broadly launched social engineering attack that attempts to defraud people of their personal information, including credit card number, bank account information, social security number and their personal credentials, in order to use these details fraudulently against them [20]. Phishing has a huge negative impact on organizations’ revenues, customer relationships, marketing efforts and overall corporate image. Phishing attacks can cost companies tens to hundreds of thousands of dollars per attack in fraud-related losses and personnel time. Even worse, costs associated with the damage to brand image and consumer confidence can run into the millions of dollars [5].

Phishing and the Trust of E-banking Business

Phishing websites can severely hurt Internet business, because people lose their trust in Internet transactions for fear that they will become victims of fraud. For example, many people believe that using online banking increases the likelihood that they will become victims of phishing websites and identity theft, even though online banking provides more secure identity protection than paper- and mail-based systems.

The most harmful effect is that it will create a “trust crisis”. The trust will be eroded gradually without effective countermeasures to deal with the fraud, and everyone participating in network transactions will be harmed in the end. Trust is one of the most important determinants of successful e-banking [35]. Many researchers have argued that trust is essential for understanding interpersonal behavior and is relevant to e-banking. Trust is not merely a short-term issue, but also the most significant long-term barrier to realizing the potential of BtoC e-commerce [15]. Falling victim to phishing websites could expose a customer’s proprietary information such as their account information and passwords, trade secrets or other intellectual assets. Theft of a customer’s confidential information could have a disastrous effect on the companies or banks using electronic technology and could damage the trust between them and their clients.

Even in developed countries, many people are worried that their credit card details will be misused or hacked into and are concerned about online fraud, such as phishing websites that offer imaginary services or items.

Literature Review

Phishing websites are a recent problem. Nevertheless, due to their huge impact on the financial and online retailing sectors, and since preventing such attacks is an important step toward defending against website phishing attacks,

there are several promising approaches to this problem and a comprehensive collection of related works. In this section, we briefly survey existing anti-phishing solutions and a list of the related works. Dhamija and Tygar’s [8] approach involves the use of a so-called dynamic security skin on the user’s browser. This technique uses a shared secret image that allows a remote server to prove its identity to a user in a way that supports easy verification by humans but which is difficult for the phishers to spoof. The disadvantage of this approach is that it requires effort by the user. That is, the user needs to be aware of the phishing threat and check for signs that the site he/she is visiting is being spoofed. The proposed approach requires changes to the entire Web infrastructure (both servers and clients), so it can succeed only if the entire industry supports it. Also, this technique does not provide security for situations where the user logs in from a public terminal. More recently, Dhamija et al. [9] analyzed 200 phishing attacks from the Anti-Phishing Working Group database and identified several factors, ranging from pure lack of computer system knowledge to visual deception tricks used by adversaries, due to which users fall for phishing attacks. They further conducted a usability study with 22 participants. The participants were asked to study 20 different websites to see if they could tell whether they were fraudulent or authentic. The result of this study showed that age, sex and computer habits did not make much difference. They even noticed that pop-up warnings of invalid signatures of the sites and visual signs of SSL (Secure Sockets Layer), padlocks etc. were very inefficient and were overlooked. They found that 23% of the participants failed to look at security indicators warning about phishing attacks and, as a result, 40% of the time they were susceptible to a phishing attack. Based on their analysis, the authors suggest that it is important to re-think the design of security systems, particularly by taking usability issues into consideration. Wu et al. [37] proposed methods that require Web page creators to follow certain rules to create Web pages, by adding sensitive information location attributes to HTML code. However, it is difficult to persuade all Web page creators to follow the rules.

Liu et al. [24] analyzed and compared legitimate and phishing Web pages to define metrics that can be used to detect a phishing page by visual similarity (i.e., block level similarity, layout similarity and overall style similarity). A Web page is classified as a phishing page if its visual similarity value is above a pre-defined threshold. The phishing filter in IE8 is a toolbar approach with more features such as blocking the user’s activity on a detected phishing site. The most popular and widely deployed techniques, however, are based on the use of blacklists of phishing domains that the browser refuses to visit. For example, Microsoft has recently integrated a blacklist-based anti-phishing solution into its Internet Explorer (IE8). The browser queries lists of blacklisted and whitelisted domains from Microsoft servers and makes sure that the user is not accessing any phishing sites. Microsoft’s solution is also known to use some heuristics to detect phishing symptoms in Web pages [32]. Obviously, to date, the company has not released any detailed public information on how its anti-phishing techniques function.

“The Phishing Guide” by Ollmann [26] gives a detailed understanding of the different techniques often included in phishing attacks. The phenomenon that started as simple emails persuading the receiver to reply with the information the attacker required has evolved into more advanced ways to deceive the victim. Links in email and false advertisements send the victim to more and more advanced fraudulent websites designed to persuade the victim to type in the information the attacker wants, for example to log into the fraudulent site mimicking the company’s original. Ollmann also presents different ways to check whether websites are fraudulent or not. Apart from inspecting whether the visited site really is secured through SSL (Secure Sockets Layer), the user should also check that the certificate presented by the website really is from the company it claims to be from and that it is signed by a trusted third party. Focusing more attention on the URL can also often reveal fraudulent sites. There are a number of ways for the attackers to manipulate the URL to look like the original, and if the users are aware of this, they can more easily check the authenticity of the visited site. Watson et al. [36] describe in their White Paper, “Know your enemy: Phishing”, different real-world phishing attacks collected in German and United Kingdom honeynets. Honeynets are open computer networks designed to collect information about different attacks out in the real world, for further forensic analysis. They noticed that phishing attacks using vulnerable Web servers as hosts for predesigned phishing sites are by far the most common, compared to using self-compiled servers. A compromised server often hosts several different phishing sites. These sites are often only active for a few hours or days after being uploaded to the server. PassMark [27] includes a personalized image in a Web page to indicate that the user has set up an account with the site. This approach places the burden on users to notice the visual differences between a good site and a phishing site and then to correctly infer that a phishing attack is underway. However, this requires user awareness and prior knowledge. Another approach is two-factor authentication, which ensures that the user not only knows a secret but also presents a security token [10]. However, this approach is a server-side solution. Phishing can still happen on sites that do not support two-factor authentication. Sensitive information that is not related to a specific site, e.g., credit card

information and SSN, cannot be protected by this approach either. The PRIME project [28] helps users to manage their online identity in a more natural and intuitive way using three UI paradigms. It supports drag-and-drop actions for personal information submission. It does not specifically target the phishing problem, but its improved user interface could help users correctly manage their online information. One potential problem with the PRIME interface is its “Just-In-Time-Click-Through Agreements” (JITCTAs), which are used to generate “small agreements that are easier for the user to read and process”. Users could still ignore the agreements by directly clicking through the “I Agree” button.

APWG provides a solution directory [2] which contains most of the major anti-phishing companies in the world. However, an automatic anti-phishing method is seldom reported. Cyveillance Fraud Management [22] uses proprietary Internet monitoring technology to identify phishing-related activity such as suspicious domain registrations, phishing lures, spoofed sites and the post-attack sale of compromised credentials. Others include Internet Identity’s Domain Security Audit [24]. These approaches are mainly motivated to protect corporations’ interests. Nonetheless, they do not directly defend against phishing attacks for users.

Gabber et al. [13] present a tool that tries to protect a client’s identity and password information. They define client personality in terms of username, password and email address and introduce a function which provides clients with different personalities for the different servers they visit. Jakobsson introduced a new model, called a phishing graph, to visualize the flow of information in a phishing attack [18]. While this model is not, in essence, a defensive technique, it is the first step toward developing an abstract model for visualizing phishing. A phishing graph enhances the ability to analyze and understand the course of a phishing attack. TrustedBrowser [38] uses a synchronized random colored boundary to secure the path from users to their browser. The trusted status content is marked in the trusted window, whereas the server content is shown in the distrusted window. Anti-Phish [23] compares the domains for the same sensitive information in Web pages to the domains in the caches. That is, if it detects that confidential information such as a password is being entered into a form on a distrusted website, a warning is generated and the pending operation is canceled. PhishHook [34] converts a Web page to “normal form” through text, image and hyperlink transformations. PwdHash [31], in contrast, creates domain-specific passwords that are rendered useless if they are submitted to another domain (e.g., a password for www.gmail.com will be different if submitted to www.attacker.com).

The limitation of browser-based schemes is that they require prior knowledge of the target site, which is unfortunately not always available. More importantly, since phishing attackers are able to update the inducement techniques to get around those schemes, the effectiveness of these schemes is not convincing. In a proactive manner, a set of techniques are designed to capture phishing sites on the Internet.

One of the popular methods of detection is using add-in toolbars for the browser. Chou et al. introduced one such tool, SpoofGuard [7], that determines whether a Web page is legitimate based on a series of domain and URL-based tests. It uses domain names, URLs, links and images to measure the similarity between a given page and the pages in the caches or histories. It looks for phishing symptoms (e.g., obfuscated URLs) in Web pages and raises alerts. The technique examines the downloaded website using various stateful and stateless evaluations like checking for invalid links and URL obfuscation attempts. The major disadvantage with these approaches is that they are susceptible to attacks launched from a compromised legitimate website. Also, in many Web-hosting domains the attacker could create a user account with the name login and launch a successful phishing attack by hosting the masqueraded page in his domain space, which would typically appear as www.domain.com/login, thereby circumventing the aforementioned approaches. Herzberg and Gbara [16] proposed TrustBar, a third-party certification solution to phishing. The authors propose creating a trusted credentials area (TCA). The TCA controls a significant area, located at the top of every browser window and large enough to contain highly visible logos and other graphical icons for credentials identifying a legitimate page. While their solution does not rely on complex security factors, it does not prevent spoofing attacks. Specifically, since the logos of websites do not change, they can be used by an attacker to create a look-alike TCA in a distrusted Web page.

It should be emphasized that none of the above defense techniques—blacklist, spoofing detection, password-scrambling, anti-phishing toolbars or spam filters—will completely make phishing attacks impossible to perpetrate. Instead, they provide valuable but scattered roadblocks impeding the attacker.

Phishing Attack Strategies

Phishing Attack Using Internet Access

Most employees browse the Web for personal reasons, such as online shopping or research, at some time. Personal browsing may bring employees, and therefore the company

Fig. 1 Web page phishing hyperlink

computer systems, into contact with generic social engineers who will then use the staff in an effort to gain access to the company resources. The two most common methods of enticing a user to click a button inside a dialog box are by warning of a problem, such as displaying a realistic operating system or application error message, or by offering additional services.

Fig. 1 shows how a hyperlink appears to link to a secure PayPal website (https), while the status bar does not show anything that indicates for sure that it will take the user to a hacker’s site. A hacker can suppress or reformat the status bar information.

Phishing Attack Using Phone Access

The telephone offers a unique attack vector for social engineering hackers. It is a familiar medium, but it is also impersonal, because the target cannot see the hacker. Phone phishing is not considered to be a major threat. However, as more businesses embrace this technology, phone phishing is set to become as widespread as e-mail and website phishing are now.

The most common approach is for the hacker to pretend to be the IT supervisor or an outsourced IT support engineer, urgently requesting all passwords and authentication credentials in order to analyze and resolve the problems supposedly reported to him, as shown in Fig. 2. Requests for information or access over the telephone are a relatively risk-free form of attack. If the target becomes suspicious or refuses to comply with a request, the hacker can simply hang up. But it should be noted that such attacks are more sophisticated than a hacker simply calling a company and asking for a user ID and password. The hacker usually presents a scenario, asking for or offering help, before the request for personal or business information is made [6].

Fig. 2 Telephone phishing attacks

Phishing Experimental Case Studies

Conducting different kinds of phishing experiments can shed some light on social engineering attacks, such as phone phishing and phishing website attacks, and can also help us in designing effective countermeasures and analyzing the efficiency of training and security awareness about phishing threats [19]. The surprising percentages of victims who disclosed their credentials in our phishing experiments underscore the need to redouble our efforts in developing phishing prevention techniques.

Case Study 1: Phone Phishing Experiment

For our testing specimen, a group of 50 employees were contacted by female colleagues assigned to lure them into

giving away their personal e-banking accounts, user names and passwords (through social and friendly conversations with a deceitful purpose in mind). The results were surprisingly beyond expectations; many of the employees fell for the trick. After conducting friendly conversations with them for some time, our team managed to induce them to give away their Internet banking credentials for fake reasons. Some of these lame reasons included checking their privileges and accessibility, or checking the account’s integrity and connectivity with the Web server for maintenance purposes, account security and privacy assurance. To assure the authenticity of our request and to give it a social dimension, our team had to contact them repeatedly, perhaps three or four times.

Our team managed to deceive 16 out of the 50 employees into giving away their full e-banking credentials (user name and password), which represented 32% of the sample. This percentage is considered a high one, especially when we know that the victims were staff members of a bank, who are supposed to be highly educated with regard to the risks associated with electronic banking services. A total of eight employees (16%) agreed to give their user name only and refrained from giving away their passwords under any circumstances, regardless of the excuse. The remaining 52% (26 employees) were very cautious and declined to reveal any information regarding their credentials over the phone, as shown in Table 1.

An overview of the results as shown in Fig. 3 reveals the high risk of the social engineering security factor. Social engineering constitutes a direct internal threat to e-banking Web services since it hacks directly and internally into the accounts of e-bank customers.

The results also show the dire need to increase the awareness of customers so that they do not fall victim to this kind of threat, which can have devastating results.

Case Study 2: Website Phishing Experiment

We engineered a website for phishing practice and study. The website was an exact replica of the original Jordan Ahli Bank website www.ahlionline.com.jo, designed to trap users and induce them by targeted phishing emails to submit their credentials (username and password). The specimen consisted of our colleagues at Jordan Ahli Bank, after attaining the necessary authorizations from our management.

Table 1 Phone phishing experiment

Response to phone phishing experiment | Number of employees
Giving away their full e-banking credentials (user name and password) | 16
Giving away only their e-banking user name without password | 8
Refused to reveal their credentials or any kind of information | 26
Total | 50

Fig. 3 Phone phishing response chart (pie chart of the Table 1 responses: full credentials 16, 32%; user name only 8, 16%; refused 26, 52%)

Fig. 4 Website phishing response chart (pie chart of the Table 2 responses: interacted positively, IT department 8, 7%; interacted positively, other departments 44, 37%; interacted negatively, incorrect info 28, 23%; interacted negatively, no response 40, 33%)

We targeted 120 employees with our deceptive phishing email, informing them that their e-banking accounts were at risk of being hacked and requesting them to log into their account through a fake link attached to our email, using their usual customer ID and password, to verify their balance and then log out normally.

The website successfully attracted 52 out of the 120 targeted employees, representing 44%, who interacted positively by following the deceptive instructions and submitting their actual credentials (customer ID, password). Surprisingly, IT department employees and IT auditors constituted 8 out of the 120 victims, representing 7%, which shocked us, since we expected them to be more alert than others. From other departments, 44 of the 120 targeted employees, representing 37%, fell into the trap and submitted their credentials without any hesitation.

The remaining 68 out of 120, representing 56%, were divided as follows: 28 employees (23%) supplied incorrect info, which seems to indicate a wary curiosity; and 40 employees, representing 33%, received the email but did not respond at all, as shown in Table 2.

The results clearly indicate, as shown in Fig. 4, that the target phishing factor is extremely dangerous, since almost half of the employees who responded were victimized, including trained employees such as those of the IT Department and IT Auditors.

Increasing the awareness of all users of e-banking regarding this risk factor is highly recommended; this includes customers and employees alike.

Table 2 Phishing website experiment

Response to phishing experiment | Number of employees
Interacted positively (IT Department) | 8
Interacted positively (Other Departments) | 44
Interacted negatively (Incorrect info) | 28
Interacted negatively (No response) | 40
Total | 120

Case Study 3: Phishing Website Survey Scenario Experiment

After the success of our previous phishing website empirical experiment, which was conducted at our bank targeting a specific number of its employees (120), the bank was really interested in studying the vulnerability of its employees toward spear phishing e-banking websites, since targeted spear phishing attacks have always been more successful than generic phishing attacks in conning people and causing financial damage to companies and individuals. We found this a good opportunity to perform a new usability study experiment to assess and evaluate the accuracy and precision of our 27 phishing website factors and features, previously collected and analyzed as a result of our cognitive walkthrough of phishing websites’ patterns and clues.

This time, we decided to create two groups from our bank employees, each group consisting of 50 participants.

Fig. 5 An example of phishing website scenario survey

In the first group, the employees were totally naïve about the phishing threat and did not have any previous experience or training in dealing with this kind of social engineering phishing attack. For the second group, we decided to choose 50 employees from our previous 120-employee specimen who had participated in our previous phishing website experiment, in order to measure and evaluate the effectiveness and efficiency of prior phishing website awareness training and past experience of dealing with phishing attack incidents. In total, our new specimen was 100 bank employees; half of them were untrained (first group) and the second half were trained (second group).

We analyzed a set of phishing attacks and tricks to measure their effectiveness and influence and developed 50 phishing and legitimate website survey scenarios, which were collected from the APWG’s archive [3] and the Phishtank archive [29]. The scenarios analyzed were the latest scenarios added to the archives by APWG and Phishtank experts. The scenarios were described and explained in detail in their archives. Of these different scenarios, 30 out of the 50 were phishing websites, and the rest were legitimate.

We showed the two participating groups (trained and untrained) the 50 different website scenarios that appear to belong to decent financial institutions and reputable banks, as shown in Fig. 5, and asked them to determine which ones were fraudulent and which ones were legitimate and to give the reason for their decision and evaluation.

We told the participants that the purpose of this experiment was to help them discover their knowledge and awareness of the new rising phenomenon of social engineering phishing website attacks, and their capability to identify and distinguish the legitimate genuine website from the phishing spoofed website.

For our part, the purposes of our experiment are to find the most common phishing clues and indicators that appear in the scenarios, to determine what aspects of a website effectively convey authenticity to our employees, and to try to identify which malicious strategies and attack techniques are successful at deceiving general users and why [1]. From this experiment, we also tried to determine the effectiveness and value of implementing security awareness training and phishing courses or classes about phishing threats and detection expertise, and how this might be reflected in the determination of website legitimacy by the second, trained, group.

Our 27 phishing website factors and features were all deliberately distributed randomly across the 30 phishing website scenarios. One phishing factor could appear in many phishing scenarios, and one phishing scenario could have more than one factor. This is illustrated in Table 3. As Table 3 presents, the phishing factor indicator ARUL “Abnormal Request URL” appeared in all 30 of the

phishing scenarios. Furthermore, the phishing factor indicator "Spelling Errors" appeared in 80% of the phishing scenarios (24 appearances). In contrast, phishing factors such as "Abnormal DNS Record" and "Disabling Right Click" have the fewest appearances (6.66%, representing 2 appearances). We made sure that each phishing factor indicator appeared at least once in the phishing website scenarios.

Table 3 Phishing factor indicators

Phishing factor indicator                  No. of appearances   Appearance percentage (%)
Using the IP address                       14                   46.66
Abnormal request URL                       30                   100.00
Abnormal URL of anchor                     7                    23.33
Abnormal DNS record                        2                    6.66
Abnormal URL                               5                    16.66
Using SSL certificate                      17                   56.66
Certification authority                    4                    13.33
Abnormal cookie                            2                    6.66
Distinguished Names Certificate (DN)       4                    13.33
Redirect pages                             3                    10.00
Straddling attack                          2                    6.66
Pharming attack                            4                    13.33
Using onMouseOver to hide the link         6                    20.00
Server Form Handler (SFH)                  2                    6.66
Spelling errors                            24                   80.00
Copying website                            5                    16.66
Using forms with "Submit" button           6                    20.00
Using pop-up windows                       8                    26.66
Disabling right click                      2                    6.66
Long URL address                           22                   73.33
Replacing similar characters for URL       16                   53.33
Adding prefix or suffix                    9                    30.00
Using the @ symbol to confuse              6                    20.00
Using hexadecimal character codes          8                    26.66
Much emphasis on security and response     5                    16.66
Public generic salutation                  12                   40.00
Buying time to access accounts             3                    10.00

Table 4 The results of website legitimacy decisions for the first group (untrained group)

Decision    Website legitimacy: True     Website legitimacy: False
Positive    TP (11%), 275 decisions      FP (38%), 950 decisions
Negative    TN (17%), 425 decisions      FN (34%), 850 decisions

Fig. 6 Website legitimacy decisions chart for first group (column chart; y-axis: number of decisions, 0 to 1000; x-axis: decision, grouped by website legitimacy True/False; bars: true positive, false positive, true negative, false negative)

The result from this experiment was very interesting. As shown in Table 4, in the first, untrained, group we found that 72% of their decisions were wrong regarding the legitimacy of the websites presented to them in the experiment. These results were represented by either false positive cases (FP, 38%), which happen when a legitimate website is considered as phishing by the participant, or false negatives (FN, 34%), which happen when a phishing website is considered legitimate by the participant. Just 28% of their decisions were right regarding the legitimacy of the website, represented by either true positive cases (TP, 11%), which happen when a legitimate website is considered legitimate by the participant, or true negatives (TN, 17%), which happen when a phishing website is considered as phishing by the participant. Figure 6 represents the column chart for website legitimacy decisions for the first, untrained, group.

We found that most of these wrong decisions made by the first, untrained, group arose from their lack of knowledge and awareness of the most common phishing website tricks and deceptions. Most of them did not pay attention at all to some very obvious phishing clues or indications such as address bar contents, URL, domain name, page style, page contents and security indicators like the SSL certificate or logos, leading to this high incorrect decision percentage. Most of their decisions and judgments concentrated on the look of the website and its fancy colors, pictures and animation style, thus supporting the arguments made by Dhamija et al. [9].

Five decades of research [21, 33] demonstrate that the human brain processes visual imagery more reliably than text. Time and time again, it has been found that pictures are remembered better than words, because pictures are more likely than words to evoke both verbal and imagery codes. Furthermore, concepts presented in pictures rather than words are much more likely to be remembered.

The basis of the Picture Superiority Effect can be attributed to the greater sensory distinctiveness pictures have compared to words. Recognizing image categories

minimizes the load on a user's memory by making options visible in plain sight. The user is not burdened or discouraged by trying to remember difficult, complex characters. Humans are capable of remembering between five and nine chunks of static information at a time. However, in a dynamic environment such as the Web, a user's memory capacity is limited to roughly two or three chunks of information, thereby making the Web "an enemy of human memory" [30].

Table 5 The results of website legitimacy decisions for the second group (trained group)

Decision    Website legitimacy: True     Website legitimacy: False
Positive    TP (39%), 975 decisions      FP (12%), 300 decisions
Negative    TN (33%), 825 decisions      FN (16%), 400 decisions

Regarding the second, trained, group, the results were totally different. Their previous experience of the phishing website experiment and the skills they gained from it were very obvious and played a big role in the total outcomes.

As shown in Table 5, in the second, trained, group we found that 72% of their decisions were right regarding the legitimacy of the website, represented by either true positive cases (TP, 39%) or true negatives (TN, 33%). Just 28% of their decisions were wrong regarding the legitimacy of the websites presented to them in the experiment. These results were represented by either false positive cases (FP, 12%) or false negatives (FN, 16%). Figure 7 represents the column chart for website legitimacy decisions by the second, trained, group.

Fig. 7 Website legitimacy decisions chart for second group (column chart; y-axis: number of decisions, 0 to 1000; x-axis: decision, grouped by website legitimacy True/False; bars: true positive, false positive, true negative, false negative)

We found that most of these correct decisions made by the second, trained, group resulted from their good experience, knowledge and awareness of the most common phishing website tricks and deception attacks that they had faced before. Most of them depended on their judgment and assessment of the website address bar, URL domain name and the different security indicators. They were not fooled by the design, style or fancy look of the website structure or animation; their main concentration was focused on detecting all phishing website factor indicators, which led to this acceptable correct decision percentage. This of course suggests the importance of conducting phishing awareness training for all users.

Nevertheless, some expert employees of the second, trained, group still did not take the right decision for some phishing or legitimate websites, and they were fooled by some visual deception phishing attacks. These results illustrate that traditional standard security phishing factor indicators are not effective enough for detecting phishing websites and suggest that alternative intelligent approaches are needed.

Phishing Experiments Reaction Analysis

While some employees saw the learning value of the experience and appreciated the insights they had gained as a result of being part of the study, there were more employees who felt that the study had no value and felt violated at not having been asked permission before the experiment was performed.

Some of the employees called the experiment unethical, inappropriate, illegal and unprofessional. These reactions highlight that phishing has a significant psychological cost for victims. Many employees stated that they did not and would never fall for such an attack. This natural denial reaction suggests that we may find it hard to admit to our own vulnerability. As a consequence, many successful phishing attacks may go unreported, meaning that phishing success rates in surveys may be severely underestimated.

Phishers know that most users do not know how to check the security and often assume that sites requesting sensitive information are secured. When users do not know how secure they are, they assume that they are secured, and it is not easy for them to see the difference between authentic security and mimicked security features. We found that security is often a secondary goal for most of our employees. They did not look at the address bar, status bar or certificate authority. They often focus on their major tasks and neglect all other security pointers or warning messages. Some employees were fooled by the presence of an SSL closed padlock icon appearing within the body of a Web page instead of looking for it in the right place. Many employees always looked for a certain type of content like the closed padlock icon when making their judgment, and they never mentioned the other security features like the

characters and numbers shown in the address bar, the certificate authority or any other factors whatsoever. Some employees did not look for any SSL signs that can distinguish the secured, encrypted website from the non-secured one, such as observing "HTTPS" in the address bar. Some employees had some reservations when they saw an IP address instead of a domain name, and they were able to distinguish between them. On the other hand, many did not know what an IP address is!

Most of our employees did not check the certificate that was presented to their browser in our study since they do not know what it means; those that do know only occasionally check it. Some employees pointed out that the content details of the website and its fancy design and style were one of the main reasons for their opinion about the legitimacy of the website. They assumed that the site would be legitimate if it contained high-quality images and lots of animations. Many employees who clicked on the forged VeriSign logo that we created did not compare the URL displayed in the faked pop-up window, which shows the SSL certificate status of www.ahlionline.com.jo hosted at VeriSign, to the URL in the address bar to detect whether they refer to the same website. Unfortunately, any site can provide a link to this pop-up page in order to gain credibility [17]. Some employees never paid any attention to the SSL padlock icon. Other employees did not know the meaning of the SSL padlock icon at all, and they could not give any justification for its existence. We found that most of our employees do not know how to check or locate the self-signed certificate, and they have never checked a certificate before. We also found that some visual deception attacks can fool even the most sophisticated users.

In conclusion, most of our employees made incorrect decisions about the legitimacy of the e-banking website because of their lack of knowledge and understanding of phishing techniques and their malicious methods and indicators.

Conclusions and Future Work

It is predicted that social engineering phishing attacks will be on the rise in the years to come. Billions of dollars are lost every year by corporations and Internet users to social engineering attacks, in the process making participants in e-commerce increasingly distrustful. The problem with social engineering attacks is that there is no single solution to eliminate them completely, since they deal largely with the human factor. That is why implementing empirical experiments was very crucial in order to study and analyze all malicious and deceiving strategies and attack techniques that were successful in confusing general users about their assessments of the authenticity and legitimacy of websites. These experiments showed that there is no substitute for a good awareness campaign when implementing the social engineering elements of security policy.

Our experimental case studies point to the need for extensive educational campaigns about phishing and other security threats. People can become less vulnerable with a heightened awareness of the dangers of phishing. Our experimental case studies also suggest that a new approach is needed to design a usable model for detecting e-banking phishing websites, taking into consideration the user's knowledge, understanding, awareness and consideration of the phishing pointers located outside the user's center of attention.

Results and reactions to our experiments show the importance of conducting phishing awareness training for all users. Nevertheless, these results illustrate that traditional standard security phishing factor indicators are not always effective enough for detecting phishing websites and suggest that alternative intelligent approaches are needed.

Generally speaking, the primary advantage for criminals conducting phishing attacks is the public's lack of education and awareness of both the existence of financial crimes targeting Internet users and the policies and procedures of online sites for contacting their customers regarding account information and maintenance issues. Thus, public education and awareness are important factors to counter phishing. As awareness of phishing grows among consumers, the incidence of phishing will shrink to a certain extent.

However, getting rid of phishing through education alone will be very difficult. First of all, there are always new or technology-naive Internet users who do not have any experience and become victims of phishing. Another aspect is that phishers are getting better and better at mimicking genuine emails and websites; even the security expert may sometimes be fooled.

As future work, we want to build an e-learning security awareness application regarding phishing attacks and scams; we will implement it to be used as a learning tool to increase user awareness regarding phishing attacks and scams. We plan to present our decision justification, the extracted phishing features and their significance and influence, as a summarized report. We also want to integrate a phishing detection assessment user interface (for example, short questionnaires and test cases) to measure the effectiveness of our e-learning tools. To make the learning mechanism more effective and interactive, we are considering integrating the concept of phishing games into the e-learning process. This will make our package more dynamic and user friendly.
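Several of the Table 3 indicators (using the IP address, the @ symbol, hexadecimal character codes, long URL address, replacing similar characters and adding a prefix or suffix) depend only on the URL and can be checked mechanically before a page reaches a user, which is how a bank's security team would complement the awareness training discussed above. The following is an added example, not code from the paper; the length threshold, the look-alike map, the bank domain, the sample URLs and the single-label public suffix assumption are all constructed for illustration.

```python
"""Defender-side checks for six of Table 3's URL-based phishing factor indicators.
Added example, not the paper's code; all thresholds, names and URLs are assumed."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

LONG_URL_THRESHOLD = 75  # assumed cut-off for "Long URL address"
# Assumed look-alike substitutions; multi-character patterns are undone first.
LOOKALIKES = {"vv": "w", "rn": "m", "0": "o", "1": "l", "3": "e", "5": "s"}


def _is_ip(host: str) -> bool:
    """True when the host is a bare IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registered_label(host: str) -> str:
    """'www.examplebank.com' -> 'examplebank' (single-label suffix assumed)."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def phishing_url_indicators(url: str, bank_domain: str) -> list:
    """Return the Table 3 indicator names that fire for url ([] means none).
    bank_domain is the domain the page claims to belong to; it drives the
    prefix/suffix and look-alike checks."""
    found = []
    parts = urlsplit(url)
    if "@" in parts.netloc:
        # Everything before '@' is sent as credentials; the real host follows it.
        found.append("Using the @ symbol to confuse")
    host = unquote(parts.hostname or "")
    if _is_ip(host):
        found.append("Using the IP address")
    if re.search(r"%[0-9a-fA-F]{2}", url):
        found.append("Using hexadecimal character codes")
    if len(url) > LONG_URL_THRESHOLD:
        found.append("Long URL address")
    if host and not _is_ip(host):
        bank_label = _registered_label(bank_domain.lower())
        label = _registered_label(host)
        if label != bank_label:
            fixed = label
            for fake, real in LOOKALIKES.items():  # undo assumed look-alikes
                fixed = fixed.replace(fake, real)
            if fixed == bank_label:
                found.append("Replacing similar characters for URL")
            elif bank_label in label:
                found.append("Adding prefix or suffix")
    return found


BANK_DOMAIN = "examplebank.com"  # constructed legitimate domain
SAMPLE_URLS = [                  # constructed scenarios
    "https://www.examplebank.com/login",
    "http://www.examplebank.com@198.51.100.23/login",
    "https://examp1ebank.com/login",
    "https://secure-examplebank.com/login",
    "https://examplebank.com.verify-account-update-session-identity-check.example/%73ignin",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", phishing_url_indicators(sample, BANK_DOMAIN) or "no indicator")
```

The first, legitimate sample yields an empty list; each of the others fires the indicator it was built around, and the last fires two at once, which mirrors the paper's observation that one scenario can carry several factors.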

References

1. Alnajim A, Munro M. An evaluation of users' tips effectiveness for phishing websites detection, 978-1-4244-2917-2/08, IEEE; 2008. p. 63–68.
2. APWG. Phishing activity trends report. 2005. http://antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdf. Accessed 12 Apr 2007.
3. APWG. Phishing activity trends report. 2008. http://antiphishing.org/reports/apwg_report_sep2008_final.pdf. Accessed 9 March 2009.
4. APWG. 2009. http://www.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2009.pdf. Accessed 8 Aug 2009.
5. Brooks J. Anti-phishing best practices: keys to aggressively and effectively protecting your organization from phishing attacks, White Paper, Cyveillance; 2006.
6. Business Security Guidance. How to protect insiders from social engineering threats. 2006. www.microsoft.com/technet/security/default.mspx. Accessed 8 Apr 2006.
7. Chou N, Ledesma R, Teraguchi Y, Boneh D, Mitchell J. Client side defense against web-based identity theft. In: Proceedings of the 11th annual Network and Distributed System Security Symposium (NDSS '04); 2004.
8. Dhamija R, Tygar J. The battle against phishing: dynamic security skins. In: Proceedings of ACM Symposium on Usable Security and Privacy (SOUPS 2005); 2005. p. 77–88.
9. Dhamija R, Tygar J, Marti H. Why phishing works. In: CHI '06: Proceedings of the SIGCHI conference on human factors in computing systems. ACM Press, New York; 2006. p. 581–590.
10. FDIC. Putting an end to account-hijacking identity theft, FDIC, Technical Report [Online]. 2004. Available: http://www.fdic.gov/consumers/consumer/idtheftstudy/identitytheft.pdf. Accessed 18 Apr 2007.
11. FFIEC. E-Banking Introduction, Federal Financial Institutions Examination Council, Information Technology Examination Handbook (IT Handbook InfoBase). 2003. Available Online: http://www.ffiec.gov/ffiecinfobase/booklets/e_banking/ebanking_00_intro_def.html. Accessed 15 June 2007.
12. Fu A, Wenyin L, Deng X. Detecting phishing web pages with visual similarity assessment based on Earth Mover's Distance (EMD). IEEE Trans Dependable Secur Comput. 2006;3(4):301–11.
13. Gabber E, Gibbons P, Kristol D, Matias Y, Mayer A. Consistent, yet anonymous, web access with LPWA. Commun ACM. 1999;42(2):42–7.
14. Gartner. 2007. http://www.gartner.com/it/page.jsp?id=565125. Accessed 10 Sept 2007.
15. Gefen D. Reflections on the dimensions of trust and trustworthiness among online consumers. ACM SIGMIS Database. 2002;33(3):38–53.
16. Herzberg A, Gbara A. Protecting naive web users, Draft of July 18; 2004.
17. Jagatic T, Johnson N, Jakobsson M, Menczer F. Social phishing. Commun ACM. 2007;50(10):94–100.
18. Jakobsson M. Modeling and preventing phishing attacks, School of Informatics, Indiana University at Bloomington; 2005.
19. Jakobsson M, Tsow A, Shah A, Blevis E, Lim Y. What instills trust? A qualitative study of phishing. Bloomington: Indiana University; 2007. p. 356–61.
20. James L. Phishing exposed, Tech Target Article sponsored by: Sunbelt software. 2006. searchexchange.com.
21. Kinjo H, Snodgrass JG. Is there a picture superiority effect in perceptual implicit tasks? Eur J Cogn. 2000;12(2):145–64.
22. Kirda E, Kruegel C. Filching attack of on-line status. J Netw Secur Technol Appl. 2005;6(4):17–20.
23. Kirda E, Kruegel C. Protecting users against phishing attacks with antiphishing. In: Proceedings of the 29th annual international Computer Software and Applications Conference (COMPSAC); 2005b. p. 517–524.
24. Liu W, Guanglin H, Liu X, Xiaotie D, Zhang M. Phishing webpage detection. In: Proceedings of the 2005 eighth international conference on Document Analysis and Recognition (ICDAR'05), IEEE; 2005. p. 560–564.
25. Microsoft Corporation. Microsoft phishing filter: a new approach to building trust in E-Commerce Content, White Paper; 2008.
26. Ollmann G. The phishing guide, understanding and preventing phishing attacks (online available). 2004. http://www.nextgenss.com/papers/NISR-WP-Phishing.pdf.
27. PassMark. Two-factor two-way authentication, PassMark Security. 2005. http://www.passmarksecurity.com.
28. Pettersson J, Fischer-Hübner S, Danielsson N, Nilsson J, Bergmann M, Clauss S, Kriegelstein T, Krasemann H. Making prime usable. In: Proceedings of SOUPS'05. ACM Press, Pittsburgh; 2005. p. 53–64.
29. Phishtank. 2008. http://www.phishtank.com/phish_archive.php. Accessed 14 Nov 2008.
30. Rhodes JS. Human memory limitations and web site usability. 1998. Moving WebWord from http://www.webword.com/moving/memory.html. Accessed 28 May 2008.
31. Ross B, Jackson C, Miyake N, Boneh D, Mitchell J. Stronger password authentication using browser extensions. In: Proceedings of the 14th Usenix Security Symposium; 2005.
32. Sharif T. Phishing filter in IE7. 2005. http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx. Accessed 6 Apr 2007.
33. Stenberg G. Conceptual and perceptual factors in the picture superiority effect. Eur J Cogn. 2006;18(6):813–47.
34. Stepp M. Phishhook: a tool to detect and prevent phishing attacks. In: DIMACS workshop on theft in E-Commerce: content, identity, and service; 2005.
35. Suh B, Han I. Effect of trust on customer acceptance of Internet banking. Electron Commer Res Appl. 2002;1(3):247–63.
36. Watson D, Holz T, Mueller S. Know your enemy: phishing, behind the scenes of phishing attacks, The Honeynet Project & Research Alliance; 2005.
37. Wu M, Miller R, Little G. Web wallet: preventing phishing attacks by revealing user intentions. MIT Computer Science and Artificial Intelligence Lab; 2006.
38. Ye Z, Smith S. Trusted paths for browsers. ACM Trans Inform Syst Secur. 2005;8(2):153–86.
39. Zin A, Yunos Z. How to make online banking secure, article published in The Star InTech; 2005.
