14 research outputs found

    A recent review of conventional vs. automated cybersecurity anti-phishing techniques

    In the era of electronic and mobile commerce, massive numbers of financial transactions are conducted online on a daily basis, which creates opportunities for fraud. A common fraudulent activity is website phishing: creating a replica of a trusted website to deceive users and illegally obtain their credentials. Website phishing is a serious online fraud, costing banks, online users, governments and other organisations severe financial damage. One conventional approach to combating phishing is to raise awareness and educate novice users about the different tactics used by phishers through periodic training or workshops. However, this approach has been criticised as not cost-effective, since phishing tactics change constantly and the training itself may carry a high operational cost. Another anti-phishing approach is to legislate, or amend existing cyber security laws, so that online fraudsters can be prosecuted, although this has not reduced the severity of the problem. A more promising anti-phishing approach is to prevent phishing attacks using intelligent machine learning (ML) technology: a classification system is integrated into the browser, where it detects phishing activity and communicates this to the end user. This paper reviews and critically analyses legal, training, educational and intelligent anti-phishing approaches. More importantly, ways to combat phishing by intelligent and conventional means are highlighted, and the differences, similarities and positive and negative aspects of these approaches are revealed from the user and performance perspectives. Different stakeholders, such as computer security experts, researchers in web security and business owners, may benefit from this review of website phishing.

    A maximum entropy classification scheme for phishing detection using parsimonious features

    Over the years, electronic mail (e-mail) has been the target of several malicious attacks. Phishing is one of the most recognizable forms of manipulation aimed at e-mail users and usually employs social engineering to trick unsuspecting users into supplying sensitive information to an impostor website. Attacks from phishing emails can result in the exposure of confidential information, financial loss, data misuse and other harms. This paper presents the implementation of a maximum entropy (ME) classification method as an efficient approach to identifying phishing emails. Our results showed that maximum entropy with a parsimonious feature space gives better classification precision than both Naïve Bayes and the support vector machine (SVM).
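For two classes, the maximum entropy model the abstract refers to is a logistic-regression model: the distribution that stays as uniform as possible while matching the feature expectations observed in the training data. The following Python is an added example, not code from the paper: it trains a two-class maximum entropy classifier by gradient ascent on presence-of-token features, using a document-frequency cut-off as a crude "parsimonious" feature filter. The training messages, the cut-off and the hyperparameters are constructed assumptions for illustration, not the paper's corpus or settings.

```python
"""Two-class maximum entropy (logistic regression) phishing e-mail classifier
on presence-of-token features, trained by gradient ascent. Added example;
all messages and parameters are constructed assumptions."""
import math
import re

# Constructed training messages (1 = phishing, 0 = legitimate); illustrative only.
TRAIN = [
    ("urgent verify your account password now or it will be suspended", 1),
    ("your bank account is locked click the link to verify password", 1),
    ("security alert confirm your login details immediately", 1),
    ("minutes from the project meeting attached see agenda", 0),
    ("please review the quarterly invoice and budget report", 0),
    ("lunch on friday team meeting moved to the afternoon", 0),
]

TOKEN = re.compile(r"[a-z]+")


def tokens(text: str) -> set:
    """Lower-cased alphabetic tokens; presence, not count, is the feature."""
    return set(TOKEN.findall(text.lower()))


def parsimonious_vocab(data, min_df: int = 2) -> set:
    """Keep only tokens that occur in at least min_df documents. This is the
    crude parsimony filter assumed here; it drops one-off words that a small
    corpus cannot learn reliable weights for."""
    df = {}
    for text, _ in data:
        for t in tokens(text):
            df[t] = df.get(t, 0) + 1
    return {t for t, n in df.items() if n >= min_df}


class MaxEnt:
    """P(phish | x) = sigmoid(b + sum of w_t over active features t).
    Trained by stochastic gradient ascent on the L2-regularised log-likelihood."""

    def __init__(self, lr: float = 0.5, epochs: int = 200, l2: float = 0.01):
        self.lr, self.epochs, self.l2 = lr, epochs, l2
        self.w, self.b, self.vocab = {}, 0.0, set()

    def features(self, text: str) -> set:
        return tokens(text) & self.vocab

    def prob(self, text: str) -> float:
        z = self.b + sum(self.w.get(t, 0.0) for t in self.features(text))
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, data, min_df: int = 2) -> "MaxEnt":
        self.vocab = parsimonious_vocab(data, min_df)
        for _ in range(self.epochs):
            for text, y in data:
                err = y - self.prob(text)  # d(log-likelihood)/dz for this example
                for t in self.features(text):
                    w_t = self.w.get(t, 0.0)
                    self.w[t] = w_t + self.lr * (err - self.l2 * w_t)
                self.b += self.lr * err
        return self

    def predict(self, text: str) -> int:
        return int(self.prob(text) >= 0.5)

    def accuracy(self, data) -> float:
        return sum(self.predict(t) == y for t, y in data) / len(data)

    def top_features(self, n: int = 5):
        """Highest-weight tokens, i.e. the strongest phishing indicators learned."""
        return sorted(self.w.items(), key=lambda kv: -kv[1])[:n]


def train_model() -> MaxEnt:
    return MaxEnt().fit(TRAIN)


if __name__ == "__main__":
    model = train_model()
    print("vocabulary:", sorted(model.vocab))
    print("training accuracy:", model.accuracy(TRAIN))
    print("top features:", model.top_features())
    for msg in ("please verify your account password immediately",
                "agenda for the team meeting next week"):
        print(f"{model.predict(msg)}  p={model.prob(msg):.3f}  {msg}")
```

With the cut-off at two documents, the six constructed messages collapse to a vocabulary of seven tokens, and the classifier still separates them; the held-out messages are scored using only those surviving tokens, which is the point of a parsimonious feature space.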

    A Survey on Phishing Website Detection Using Hadoop

    Phishing is an activity carried out by phishers with the aim of stealing internet users' personal data, such as user IDs, passwords and bank account details, for their own gain. The average internet user is easily trapped by phishers because of the similarity between the phishing websites they visit and the original websites. Since several attributes must be considered, most internet users find it difficult to tell an authentic website from a fake one. There are many ways of detecting a phishing website, but the existing phishing website detection system is too time-consuming and very dependent on its database. In this research, Hadoop MapReduce is used to quickly retrieve those attributes of a website that play an important role in identifying phishing, and then to inform users whether the website is a phishing website or not.

    Performance Assessment of some Phishing predictive models based on Minimal Feature corpus

    Phishing is currently one of the most severe cybersecurity challenges facing the online community. With damages running into millions of dollars in financial and brand losses, phishing activity continues unabated. This has led to an arms race between the con artists and the online security community, demanding constant investigation to win the cyberwar. In this paper, a new approach to phishing detection is investigated, based on the concept of a minimal feature set applied to selected well-known machine learning algorithms. The goal is to select and determine the most efficient machine learning method without the undue computational cost usually incurred by a non-minimal feature corpus. Using a frequency analysis approach, a 13-dimensional feature set was generated, consisting of 85% URL-based features and 15% non-URL-based features, because URL-based features are observed to be the ones phishers exploit most regularly in zero-day attacks. The proposed minimal feature set was then used to train a number of classifiers: Random Tree, Decision Tree, Artificial Neural Network, Support Vector Machine and Naïve Bayes. The approach was evaluated with 10-fold cross-validation on a dataset of 10,000 phishing instances. The results indicate that Random Tree outperforms the other classifiers, with an accuracy of 96.1% and an area under the receiver operating characteristic (ROC) curve of 98.7%. The approach thus provides performance metrics for several state-of-the-art machine learning approaches popular in phishing detection, which can stimulate deeper research evaluating other ML techniques with the minimal feature set approach.

    Why Johnny can’t rely on anti-phishing educational interventions to protect himself against contemporary phishing attacks?

    Phishing is a way of stealing people's sensitive information, such as usernames, passwords and banking details, by disguising an attack as a legitimate entity (e.g. an email or website). Anti-phishing education is considered vital in strengthening the "human", the weakest link in information security. Previous research in anti-phishing education has focused on improving educational interventions to better engage the end user. However, one can argue that existing anti-phishing educational interventions have limited success because of the outdated teaching content they incorporate; teaching outdated anti-phishing techniques may not help combat contemporary phishing attacks. Therefore, this research investigates the phishing URL obfuscation techniques used in anti-phishing education against the contemporary phishing attacks reported in PhishTank.com. Our results showed that URL obfuscation with an IP address has become insignificant, and revealed two emerging URL obfuscation techniques that attackers have recently adopted but that have not been incorporated into existing anti-phishing educational interventions.

    A framework for securing email entrances and mitigating phishing impersonation attacks

    Emails are used every day for communication, and many countries and organisations use email for most of their official communications. It is highly valued and recognised for confidential conversations and transactions in day-to-day business. The frequent use of this channel, and the quality of the information it carries, has attracted cyber attackers to it. Many existing techniques mitigate attacks on email, but they focus on email content and behaviour rather than on securing the entrances to mailboxes, message composition and account settings. This work aims to protect users' email composition and settings, to prevent attackers from using an account once it has been hacked or hijacked, and to stop them from setting up forwarding from the victim's account to a different account, which automatically stops the user from receiving emails. A secure code is applied to the send button of the composition window to curtail insider impersonation attacks. The work also aims to secure open applications on public and private devices.

    Phishing happens beyond technology: the effects of human behaviours and demographics on each step of a phishing process

    Prior studies have shown that the behaviours and attitudes of Internet users influence the likelihood of being victimised by phishing attacks. Many scammers design a step-by-step approach to phishing in order to gain the potential victim's trust and convince them to take the desired actions. It is important to understand which behaviours and attitudes can lead a target to follow the attacker at each step of a phishing scam. This will enable us to identify the root causes of phishing, to develop specific mitigation plans for each step of the phishing process, and to increase the number of prevention points. This study investigates to what extent people's risk-taking and decision-making styles influence the likelihood of phishing victimisation in three specific phishing steps. We asked participants to play a risk-taking game and to answer questions related to two psychological scales to measure their behaviours, and then conducted a simulated phishing campaign to assess their phishability throughout the three phishing steps selected. We find that attitude to risk-taking and gender can predict users' phishability in the different steps selected. There are, however, other possible direct and indirect behavioural factors that could be investigated in future studies. The results of this study and the model developed can be used to build a comprehensive framework to prevent the success of phishing attempts, starting from their root causes.

    Using the breakout edu activity in training sessions for parents: evaluation of an intervention

    Access to Information and Communication Technologies has brought new and diverse forms of communication to today's society. However, digital technologies must be a safe and enriching space in which to interact with others and to carry forward the individual learning and development process. In view of this situation, some schools implement educational interventions aimed at promoting the responsible use of digital technologies among students and their parents. This work evaluates and analyses an educational intervention aimed at parents, whose purpose is to work on the responsible use of digital technologies using the breakout edu activity. A total of 37 parents from two schools participated. Among the results, the positive assessment the parents made of the activity stands out, especially the enriching atmosphere of debate during the session and the collaborative nature of the proposed exercise. As the article shows, this type of innovative activity, besides being enriching and effective for working with students, can also be useful for working with parents.

    Improving social engineering resilience in enterprises

    Social Engineering is a significant problem for enterprises. Cybercriminals continue to develop new and sophisticated methods to trick individuals into disclosing confidential information or granting unauthorized access to infrastructure systems. These attacks remain a significant threat to enterprise systems despite substantial investment in technical architecture and security measures. User awareness training and other behavioural interventions are critical for improving Social Engineering resilience. Training and education programmes for users are crucial in reducing the probability of these attacks succeeding, and compliance with security policies and procedures is significantly improved through education-based training. A security culture involving all stakeholders is also essential, as open and honest communication from management can increase user awareness of potential threats. Emotional biases such as fear, trust and curiosity also affect susceptibility to attacks, but the personal traits that make individuals vulnerable require further investigation. This dissertation aims to provide a comprehensive assessment of the state of knowledge in this field and to propose a framework that identifies best practices for improving Social Engineering resilience in organizations, while supporting the development of new research studies to address this issue. Its goal is to help enterprises of any size use this framework to reduce the risk of successful Social Engineering attacks and to improve their culture of security awareness.