Why Johnny can't rely on anti-phishing educational interventions to protect himself against contemporary phishing attacks?
This work addresses the problem of ineffective anti-phishing education for end-users, highlighting incremental updates needed to keep pace with evolving phishing tactics.
The study investigated whether outdated URL obfuscation techniques in anti-phishing education effectively combat contemporary phishing attacks, finding that IP address obfuscation is now insignificant and two emerging techniques are missing from current interventions.
Phishing is a way of stealing people's sensitive information such as username, password and banking details by disguising as a legitimate entity (i.e. email, website). Anti-phishing education considered to be vital in strengthening "human", the weakest link in information security. Previous research in anti-phishing education focuses on improving educational interventions to better interact the end user. However, one can argue that existing anti-phishing educational interventions are limited in success due to their outdated teaching content incorporated. Furthermore, teaching outdated anti-phishing techniques might not help combat contemporary phishing attacks. Therefore, this research focuses on investigating the obfuscation techniques of phishing URLs used in anti-phishing education against the contemporary phishing attacks reported in PhishTank.com. Our results showed that URL obfuscation with IP address has become insignificant and it revealed two emerging URL obfuscation techniques, that attackers use lately, haven't been incorporated into existing anti-phishing educational interventions.