Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

Phishing is a form of electronic identity theft in which a combination of social engineering and web site spoofing techniques are used to trick a user into revealing confidential information with economic value. The problem of social engineering attack is that there is no single solution to eliminate it completely, since it deals largely with the human factor. This is why implementing empirical experiments is very crucial in order to study and to analyze all malicious and deceiving phishing website attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light into social engineering attacks, such as phone phishing and phishing website attacks for designing effective countermeasures and analyzing the efficiency of performing security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing training awareness for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard security phishing factor indicators are not always effective for detecting phishing websites, and alternative intelligent phishing detection approaches are needed

Cyber-crime Science = Crime Science + Information Security

Cyber-crime Science is an emerging area of study aiming to prevent cyber-crime by combining security protection techniques from Information Security with empirical research methods used in Crime Science. Information security research has developed techniques for protecting the confidentiality, integrity, and availability of information assets but is less strong on the empirical study of the effectiveness of these techniques. Crime Science studies the effect of crime prevention techniques empirically in the real world, and proposes improvements to these techniques based on this. Combining both approaches, Cyber-crime Science transfers and further develops Information Security techniques to prevent cyber-crime, and empirically studies the effectiveness of these techniques in the real world. In this paper we review the main contributions of Crime Science as of today, illustrate its application to a typical Information Security problem, namely phishing, explore the interdisciplinary structure of Cyber-crime Science, and present an agenda for research in Cyber-crime Science in the form of a set of suggested research questions

DON\u27T BITE THE BAIT: PHISHING ATTACK FOR INTERNET BANKING (E-BANKING)

Phishing attacks are based on obtaining desired information from users quickly and easily with the help of misdirecting, panicking, curiosity, or excitement. Most of the phishing web sites are designed on internet banking(e-banking) and the attackers can acquire financial information of misled users with the tactics and discourses they develop. Despite the increase of prevention techniques against phishing attacks day by day, an effective solution could not be found for this issue due to the human factor. Because of this reason, real phishing attack studies are essential to study and analyze the attackers’ attack techniques and strategies. This study focused on the detection and analysis of a real e-banking phishing attack using the phishing website. Analysis results show that the attacker’s information is traceable

Detecting Phishing Websites Using Associative Classification

Phishing is a criminal technique employing both social engineering and technical subterfuge to steal consumer's personal identity data and financial account credential. The aim of the phishing website is to steal the victims’ personal information by visiting and surfing a fake webpage that looks like a true one of a legitimate bank or company and asks the victim to enter personal information such as their username, account number, password, credit card number, …,etc. This paper main goal is to investigate the potential use of automated data mining techniques in detecting the complex problem of phishing Websites in order to help all users from being deceived or hacked by stealing their personal information and passwords leading to catastrophic consequences. Experimentations against phishing data sets and using different common associative classification algorithms (MCAR and CBA) and traditional learning approaches have been conducted with reference to classification accuracy. The results show that the MCAR and CBA algorithms outperformed SVM and algorithms. Keywords: Phishing Websites, Data Mining, Associative Classification, Machine Learning

Detecting Phishing Websites Using Associative Classification

Phishing is a criminal technique employing both social engineering and technical subterfuge to steal consumer's personal identity data and financial account credential. The aim of the phishing website is to steal the victims’ personal information by visiting and surfing a fake webpage that looks like a true one of a legitimate bank or company and asks the victim to enter personal information such as their username, account number, password, credit card number, …,etc. This paper main goal is to investigate the potential use of automated data mining techniques in detecting the complex problem of phishing Websites in order to help all users from being deceived or hacked by stealing their personal information and passwords leading to catastrophic consequences. Experimentations against phishing data sets and using different common associative classification algorithms (MCAR and CBA) and traditional learning approaches have been conducted with reference to classification accuracy. The results show that the MCAR and CBA algorithms outperformed SVM and algorithms. Keywords: Phishing Websites, Data Mining, Associative Classification, Machine Learnin

Security awareness of computer users: A game based learning approach

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.The research reported in this thesis focuses on developing a framework for game design to protect computer users against phishing attacks. A comprehensive literature review was conducted to understand the research domain, support the proposed research work and identify the research gap to fulfil the contribution to knowledge. Two studies and one theoretical design were carried out to achieve the aim of this research reported in this thesis. A quantitative approach was used in the first study while engaging both quantitative and qualitative approaches in the second study. The first study reported in this thesis was focused to investigate the key elements that should be addressed in the game design framework to avoid phishing attacks. The proposed game design framework was aimed to enhance the user avoidance behaviour through motivation to thwart phishing attack. The results of this study revealed that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity and perceived susceptibility elements should be incorporated into the game design framework for computer users to avoid phishing attacks through their motivation. The theoretical design approach was focused on designing a mobile game to educate computer users against phishing attacks. The elements of the framework were addressed in the mobile game design context. The main objective of the proposed mobile game design was to teach users how to identify phishing website addresses (URLs), which is one of many ways of identifying a phishing attack. The mobile game prototype was developed using MIT App inventor emulator. In the second study, the formulated game design framework was evaluated through the deployed mobile game prototype on a HTC One X touch screen smart phone. Then a discussion is reported in this thesis investigating the effectiveness of the developed mobile game prototype compared to traditional online learning to thwart phishing threats. Finally, the research reported in this thesis found that the mobile game is somewhat effective in enhancing the user’s phishing awareness. It also revealed that the participants who played the mobile game were better able to identify fraudulent websites compared to the participants who read the website without any training. Therefore, the research reported in this thesis determined that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived threat and perceived susceptibility elements have a significant impact on avoidance behaviour through motivation to thwart phishing attacks as addressed in the game design framework

An Examination of E-Banking Fraud Prevention and Detection in Nigerian Banks

E-banking offers a number of advantages to financial institutions, including convenience in terms of time and money. However, criminal activities in the information age have changed the way banking operations are performed. This has made e-banking an area of interest. The growth of cybercrime – particularly hacking, identity theft, phishing, Trojans, service denial attacks and account takeover– has created several challenges for financial institutions, especially regarding how they protect their assets and prevent their customers from becoming victims of cyber fraud. These criminal activities have remained prevalent due to certain features of cyber, such as the borderless nature of the internet and the continuous growth of the computer networks. Following these identified challenges for financial institutions, this study examines e-banking fraud prevention and detection in the Nigerian banking sector; particularly the current nature, impacts, contributing factors, and prevention and detection mechanisms of e-banking fraud in Nigerian banking institutions. This study adopts mixed research methods with the aid of descriptive and inferential analysis, which comprised exploratory factor analysis (EFA) and confirmatory factor analysis (CFA) for the quantitative data analysis, whilst thematic analysis was used for the qualitative data analysis. The theoretical framework was informed by Routine Activity Theory (RAT) and Fraud Management Lifecycle Theory (FMLT). The findings show that the factors contributing to the increase in e-banking fraud in Nigeria include ineffective banking operations, internal control issues, lack of customer awareness and bank staff training and education, inadequate infrastructure, presence of sophisticated technological tools in the hands of fraudsters, negligence of banks’ customers concerning their e-banking account devices, lack of compliance with the banking rules and regulations, and ineffective legal procedure and law enforcement. In addition, the enforcement of rules and regulations in relation to the prosecution of financial fraudsters has been passive in Nigeria. Moreover, the findings also show that the activities of each stage of fraud management lifecycle theory are interdependent and have a collective and considerable influence on combating e-banking fraud. The results of the findings confirm that routine activity theory is a real-world theoretical framework while applied to e-banking fraud. Also, from the analysis of the findings, this research offers a new model for e-banking fraud prevention and detection within the Nigerian banking sector. This new model confirms that to have perfect prevention and detection of e-banking fraud, there must be a presence of technological mechanisms, fraud monitoring, effective internal controls, customer complaints, whistle-blowing, surveillance mechanisms, staff-customer awareness and education, legal and judicial controls, institutional synergy mechanisms of in the banking systems. Finally, the findings from the analyses of this study have some significant implications; not only for academic researchers or scholars and accounting practitioners, but also for policymakers in the financial institutions and anti-fraud agencies in both the private and public sectors