In a recent article, ‘A new method to educate users about spam?’, Dan Blacharski describes how the U.S. Department of Justice tested and educated its employees with fake phishing scams. This phishing “fire drill” is an excellent training exercise that more companies should adopt. As I mentioned in an earlier article, ‘Ultimate Defense Against Spam in 2009’, educating email users is the best defense against spam and phishing scams.
Apparently the National Science Foundation, the U.S. Army Research Office, Microsoft and IBM agree on phishing education: each of these organizations provided grant money to fund the CyLab Usable Privacy and Security Laboratory (CUPS). In affiliation with Carnegie Mellon CyLab, CUPS has developed an excellent anti-phishing educational tool.
CUPS brings together researchers working on a diverse set of projects related to understanding and improving the usability of privacy and security software and systems. This research has produced Anti-Phishing Phil, a game employees can actually justify playing at work. The interactive game teaches people how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.
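To make the “identify phishing URLs” lesson concrete, here is an added Python example (my own illustration, not code from Anti-Phishing Phil or CUPS) that checks a URL for the kinds of cues such training teaches people to spot: a user@host trick that hides the real host, a raw IP address in place of a domain, a well-known brand name appearing somewhere other than the registrable domain, and an unusually deep subdomain chain. The brand list and the sample URLs are constructed for the example, and the registrable-domain logic is deliberately simplified (it ignores multi-part public suffixes such as co.uk).

```python
"""Heuristic URL cue checker: an added illustration of the cues a
phishing-awareness game teaches. Not the game's own code."""
from urllib.parse import urlparse
import ipaddress

# Constructed (hypothetical) list of brands this organization cares about,
# mapped to the domain that legitimately serves them.
PROTECTED_BRANDS = {
    "paypal": "paypal.com",
    "bankofamerica": "bankofamerica.com",
}


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'paypal.com'.
    Simplified: does not handle multi-part public suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_cues(url):
    """Return a list of human-readable cues that suggest a URL is phishing.
    An empty list means none of these heuristics fired (not proof of safety)."""
    cues = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    userinfo = (parsed.username or "").lower()
    path = parsed.path.lower()

    # Cue 1: 'user@host' syntax. Everything before '@' is ignored by the
    # browser, so attackers put the brand there and the real host after it.
    if parsed.username is not None:
        cues.append("userinfo '@' in URL hides the real host '%s'" % host)

    # Cue 2: a bare IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        cues.append("host is a raw IP address")
    except ValueError:
        pass

    # Cue 3: the brand appears in a subdomain, userinfo or path, but the
    # registrable domain (the part that actually matters) is something else.
    reg = registrable_domain(host)
    for brand, real_domain in PROTECTED_BRANDS.items():
        if reg == real_domain:
            continue
        if brand in host or brand in userinfo or brand in path:
            cues.append("mentions '%s' but real domain is '%s', not '%s'"
                        % (brand, reg, real_domain))

    # Cue 4: a long chain of subdomains, often used to push the deceptive
    # brand label to the left where it is most visible.
    if host.count(".") >= 4:
        cues.append("unusually deep subdomain chain")

    return cues


# Constructed sample URLs for a quick demonstration.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com.secure-login.example/",
    "http://www.paypal.com@evil.example/login",
    "http://192.168.0.1/paypal/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        found = phishing_cues(u)
        print(u, "->", "; ".join(found) if found else "no cues")
```

The legitimate login page produces no cues because its registrable domain matches the brand, while each of the three constructed lookalikes trips at least one check. In a real training program you would feed this the same URLs the game uses so the cues the checker reports line up with the cues people were taught to notice.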
Not only did I have fun playing Anti-Phishing Phil, it also taught me a few things. The game can be customized with your organization’s URLs and branding and integrated into a larger training program. The gameplay data can be used to assess your organization’s ability to resist phishing attacks and to focus company training efforts.
CyLab studies have found that user education makes a big difference in preventing people from falling prey to phishing attacks, and that Anti-Phishing Phil is an effective way to teach staff to recognize phishing. Playing a game at work that helps reduce the loss of personal and business assets surely deserves serious consideration from company management.
Anti-Phishing Phil addresses the main reasons people get hooked by phishing scams:
- People usually won’t read security tutorials.
- With so much online security training material available, people can’t tell what is important to know.
- Much of the available security material still fails to teach people how to protect themselves.