The Definitive Fraud Encyclopedia

This unique guide provides step-by-step instructions on how to commit fraud, from buying the correct hardware and software, to spoofing the personal details of your victims, to actually using stolen cards effectively. Originally published by an anonymous individual, “Yegate”, this guide was bought by Brett Johnson, a former cyber criminal turned good, and released for free online for the public to read.

Designing a Mobile Game to Teach Conceptual Knowledge of Avoiding ‘Phishing Attacks’

Phishing is a form of online identity theft, which attempts to appropriate confidential and sensitive information such as usernames and passwords from its victims. To facilitate cyberspace as a secure environment, phishing education needs to be made accessible to home computer users and mobile games enable embedded learning in a natural environment. Previously, we have introduced a mobile game design that aimed to enhance avoidance motivation and behavior to protect against phishing threats. This paper focuses on a design that develops the conceptual knowledge that is necessary to combat...

F for Fake: Four Studies on How We Fall for Phish

This paper reports findings from a multi-method set of four studies that investigate why we continue to fall for phish. Current security advice suggests poor spelling and grammar in emails can be signs of phish. But a content analysis of a phishing archive indicates that many such emails contain no obvious spelling or grammar mistakes and often use convincing logos and letterheads. An online survey of 224 people finds that although phish are detected approximately 80% of the time, those with logos are significantly harder to detect. A qualitative interview study was undertaken to better...

Teaching Johnny Not to Fall for Phish

This research focuses on educating users about phishing and identifying phishing emails, as opposed to using technology for prevention and detection. The research identified multiple problems, namely: that people were not motivated to learn about security; that security is seen as a secondary task; and that it’s difficult to teach people to identify threats without them also misidentifying non-threats. The authors conclude that education should be used in conjunction with automated detection systems to best stop losses.

Authors: Ponnurangam Kumaraguru,...

School of Phish: A Real-World Evaluation of Anti-Phishing Training

PhishGuru is a training system that helps users stop falling for phishing emails by sending them a training message when they click the URL of a simulated phishing email. The authors of this paper analysed PhishGuru training and found trained users retained knowledge for 28 days. The authors also found that incorporating a second training message into training reduced the likelihood of a user giving away sensitive information, and that, perhaps surprisingly, training did not reduce the likelihood of a user clicking the link in a legitimate email.