Impact: We introduced new phishing education methods

Phishing attacks look like they’re coming from a trusted source (your bank, for example), but these fake messages are designed to trick recipients into doing dangerous things, like sharing their passwords with attackers or installing malware. 

Since the majority of data breaches target people rather than infrastructure, we developed proven ways to teach phishing awareness and safety through innovative cybersecurity games, simulated attacks, and warnings.

We studied the social aspects of phishing attacks and protected millions of people through education and training.

This work led to...

  • New educational methods. Our team pioneered the use of cybersecurity games and simulated phishing attacks to teach employees about phishing, methods that are now an industry best practice.
  • Effective warnings that resonate when someone is about to click. We studied different kinds of anti-phishing warnings to identify what messaging works in the moment. The anti-phishing security warnings now seen in today’s web browsers are based on our research.
  • A landing page developed in partnership with the Anti-Phishing Working Group. This educational landing page replaces fake phishing web sites after they are taken down. It explains how to stay safe from phishing and has been seen by well over 200K people around the world.
  • Co-founding a spin-off company. In 2008, Wombat Security Technologies commercialized some of this research. Wombat had over 200 employees, over 1000 customers, and protected millions of people around the world before being acquired by Proofpoint in 2018 for $225M. Wombat’s products are now offered by Proofpoint.
  • New algorithms for detecting phishing web sites. Our work on algorithmic detection is the most highly cited work in this space and it has influenced how many companies detect fake sites.


Supported by:  The National Science Foundation, Portugal Telecom, Army Research Office

Timing:  2004 - 2008

Related work:  See https://cups.cs.cmu.edu/trust.php for more information.

Researchers:  Jason Hong, Lorrie Cranor, and teams 

Research Area:   Usable Privacy and Security

 
