Abstract
Phishing is a form of electronic identity theft in which a combination of social engineering and Web site spoofing techniques is used to trick a user into revealing confidential information with economic value. The difficulty with social engineering attacks is that no single solution can eliminate them completely, since they depend largely on the human factor. This is why empirical experiments are crucial for studying and analyzing the malicious and deceptive techniques and strategies used in phishing Web site attacks. In this paper, three different kinds of phishing experiment case studies were conducted to shed light on social engineering attacks, such as phone phishing and phishing Web site attacks, in order to design effective countermeasures and to analyze the efficiency of security awareness efforts about phishing threats. Results and reactions to our experiments show the importance of conducting phishing awareness training for all users and of doubling our efforts to develop phishing prevention techniques. Results also suggest that the traditional standard security indicators for phishing are not always effective for detecting phishing websites, and that alternative intelligent phishing detection approaches are needed.
Aburrous, M., Hossain, M.A., Dahal, K. et al. Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies. Cogn Comput 2, 242–253 (2010). https://doi.org/10.1007/s12559-010-9042-7