Anti-phishing coalition deploys real-time education program

The APWG (Anti-Phishing Working Group) and Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory (CUPS) will announce tomorrow the deployment of their real-time counter-eCrime education system designed to instruct consumers the moment they’ve been pulled into a phishing scam.

It will deliver online safety education – free – to consumers who’ve clicked on links in phishing mails by redirecting them away from the URLs of decommissioned phishing websites onward to a page of Internet security and safety instruction hosted by the APWG.

The goal of this initiative is to instruct the most at-risk consumers about online safety at the “most teachable moment” when they have just clicked on a link in a phishing communication, a key moment of error discovery in which one is more receptive to instruction – and better able to retain its essential messages.

The APWG’s members, research collaborators and CUPS have been working together on the project since the APWG’s 2007 Fall eCrime Researchers Summit in Pittsburgh, where they were inspired by a paper delivered by then-CMU graduate student Ponnurangam Kumaraguru, now an assistant professor at Indraprastha Institute of Information Technology (IIIT) in Delhi, about the utility of a redirect system in helping to educate users.

“Our research has shown that most Internet users don’t know very much about online scams and don’t realize that there are some simple things they can do to protect themselves,” said Dr. Lorrie Cranor, an associate professor of computer science and engineering & public policy at Carnegie Mellon and director of the CyLab Usable Privacy and Security Laboratory. “People aren’t interested in computer safety courses. But we’ve demonstrated that users are receptive to on-line safety instruction immediately after they fall for a phishing attack and they tend to remember this instruction.”

APWG Deputy Secretary General Foy Shiver and the APWG’s Internet Safety Engineers pulled together a PHP system to respond to the inbound redirects from Internet Service Providers who are participating in the program. The system parses the language setting for the browser and browser type used by the redirected consumer, responding in the appropriate language and content format: illustrated pages for PCs and laptops; text-only pages for handheld devices. ISPs looking for more information on the redirect system can look here:

Greg Ogorek, Manager of Anti-Phishing Operations at long-time APWG member company Cyveillance, has assembled a large corps of volunteer translators with Dr. Mather to complete translations of the landing page for every known language in which phishing is a problem. The APWG’s goal is to make this public-education utility available to every online consumer and provide them with useful counter-ecrime advice in their own language.

So far, Ogorek and his polyglot corps of volunteers have completed translations for versions of the phishing education landing page in Arabic, Chinese (Mandarin), Danish, Dutch, German, Greek, English (UK), English (US), Spanish, Filipino, French, Hebrew, Hungarian, Italian, Japanese, Portuguese (Brazilian), Romanian, Russian and Ukrainian. Translations for versions in Afrikaans, Basque, Bulgarian, Catalan, Croatian, Czech, Hindi, Korean, Bahasa Malaysia, Norwegian, Polish, Portuguese, Swedish, Urdu and Vietnamese are underway – or waiting for volunteer translators to step up.
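The language and format selection described above can be sketched as follows. This is an added example, not the APWG's code: the function names, language codes, handheld pattern and page paths are assumptions. Because both request headers are supplied by the client, the language is resolved through an allowlist and the header text never becomes part of a file path.

```php
<?php
// Added example, not APWG code. Language codes, the handheld pattern and
// the page paths are assumptions made for illustration.
const LANGS = ['ar', 'zh', 'da', 'nl', 'de', 'el', 'en', 'es', 'fr', 'he', 'ru'];
const DEFAULT_LANG = 'en';

// Parse Accept-Language and return the best supported primary language tag.
function pick_language(string $header): string
{
    $best = DEFAULT_LANG;
    $bestQ = 0.0;
    foreach (explode(',', substr($header, 0, 512)) as $item) {
        // Accept only well-formed "tag[;q=value]" items; skip everything else.
        if (!preg_match('/^\s*([a-z]{2,3})(?:-[a-z0-9]{1,8})*\s*(?:;\s*q=([01](?:\.\d{0,3})?))?\s*$/i', $item, $m)) {
            continue;
        }
        $lang = strtolower($m[1]);
        $q = isset($m[2]) && $m[2] !== '' ? (float) $m[2] : 1.0;
        // Allowlist lookup: the header value itself never reaches a file path.
        if ($q > $bestQ && in_array($lang, LANGS, true)) {
            $best = $lang;
            $bestQ = $q;
        }
    }
    return $best;
}

// Choose the content format from the User-Agent string.
function pick_format(string $userAgent): string
{
    $handheld = '/mobile|android|iphone|blackberry|windows ce|symbian/i';
    return preg_match($handheld, substr($userAgent, 0, 512)) ? 'text' : 'illustrated';
}

// Map one request's headers to a landing page built only from fixed values.
function landing_page(array $server): string
{
    $lang = pick_language($server['HTTP_ACCEPT_LANGUAGE'] ?? '');
    $format = pick_format($server['HTTP_USER_AGENT'] ?? '');
    return "pages/{$format}/{$lang}.html";
}

// Constructed sample requests: a desktop browser, a handheld sending a
// malformed language header, and a request for a language not yet translated.
$samples = [
    ['HTTP_ACCEPT_LANGUAGE' => 'fr-CA,fr;q=0.9,en;q=0.5', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 10.0)'],
    ['HTTP_ACCEPT_LANGUAGE' => '../../etc/passwd', 'HTTP_USER_AGENT' => 'BlackBerry9000/4.6'],
    ['HTTP_ACCEPT_LANGUAGE' => 'sv;q=1.0,de;q=0.7', 'HTTP_USER_AGENT' => ''],
];
foreach ($samples as $s) {
    echo landing_page($s), PHP_EOL;
}
```

The malformed header falls back to the default language, and the third request falls through to its next preference because Swedish is not in the allowlist.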
