Defending against phishing attacks: taxonomy of methods, current issues and future directions

Abstract

Internet technology is so pervasive today, from online social networking to online banking, that it has made people's lives more comfortable. With the growth of Internet technology, security threats to systems and networks have become relentlessly inventive. One such serious threat is phishing, in which attackers attempt to steal a user's credentials using fake emails, fake websites, or both. Both industry and academia are working hard to develop technical solutions to combat phishing, but because the attack targets the user rather than the software, it is also very important that organisations pay attention to end-user awareness in phishing threat prevention. The aim of our paper is therefore twofold. First, we discuss the history of phishing attacks and the attackers' motivation in detail, and then provide a taxonomy of the various types of phishing attack. Second, we provide a taxonomy of the various solutions proposed in the literature to protect users from phishing, organised according to the attacks identified in our first taxonomy. We also discuss the impact of phishing attacks on the Internet of Things (IoT). We conclude by discussing various issues and challenges that still exist in the literature and that are important for fighting phishing threats.
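As an added illustration of the "fake website" half of the attack the abstract describes (example code written for this page, not code from the paper or its authors), the following Python triage routine scores a URL on the classic lookalike tricks: a protected brand name embedded in an unrelated hostname or path, a brand placed before an `@` so the real host is hidden, a raw IP literal as host, a punycode (IDN) label, and deep subdomain nesting. The protected-brand list and the sample URLs are constructed for the example, and the registrable-domain helper is a deliberately crude last-two-labels approximation (a real filter would consult the Public Suffix List).

```python
"""Heuristic phishing-URL triage (added example; brand list and URLs are constructed)."""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed list of registrable domains the filter is protecting (an assumption for the example).
PROTECTED_DOMAINS = {"paypal.com", "google.com", "bankofexample.com"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Replace with a Public Suffix List lookup in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def score_url(url: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); each reason is one independent phishing indicator."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    authority = parts.netloc.lower()          # includes any userinfo before '@'
    reasons: List[str] = []

    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    if is_ip_literal(host):
        reasons.append("host is a raw IP literal")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label, possible homoglyph domain")
    if host.count(".") >= 4:
        reasons.append("deep subdomain nesting")

    reg = registrable_domain(host)
    if reg not in PROTECTED_DOMAINS:
        # Only unrelated registrable domains are suspicious when they carry a brand name.
        for brand_domain in sorted(PROTECTED_DOMAINS):
            brand = brand_domain.split(".")[0]
            if brand in authority:
                reasons.append(f"brand '{brand}' in authority but registrable domain is '{reg}'")
            elif brand in parts.path.lower():
                reasons.append(f"brand '{brand}' in path of unrelated domain '{reg}'")
    return len(reasons), reasons


def triage(urls: List[str]) -> List[Tuple[str, int, List[str]]]:
    """Score a batch of URLs, most suspicious first."""
    scored = [(u, *score_url(u)) for u in urls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample input: one legitimate login URL and four lookalike patterns.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",                      # legitimate
    "http://www.paypal.com.secure-login.evil.example/",   # brand as subdomain, deep nesting
    "http://paypal.com@evil.example/update",              # userinfo '@' trick
    "http://192.0.2.10/google/account/verify",            # IP literal, brand in path
    "https://xn--pypal-4ve.com/",                         # punycode homoglyph
]

if __name__ == "__main__":
    for url, score, reasons in triage(SAMPLE_URLS):
        print(f"{score}  {url}")
        for r in reasons:
            print(f"     - {r}")
```

The score is a count of independent indicators, so a legitimate `https://www.paypal.com/signin` scores zero while each lookalike trips at least one rule; in practice such heuristics are a cheap first-stage filter ahead of blacklists, visual-similarity checks or a trained classifier, and the registrable-domain step is where most false positives originate, which is why it should use the Public Suffix List rather than the two-label shortcut used here.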


Figs. 1–13 (captions not included in this preview)


Author information


Corresponding author

Correspondence to B. B. Gupta.


Cite this article

Gupta, B.B., Arachchilage, N.A.G. & Psannis, K.E. Defending against phishing attacks: taxonomy of methods, current issues and future directions. Telecommun Syst 67, 247–267 (2018). https://doi.org/10.1007/s11235-017-0334-z


Keywords

  • Phishing
  • Security
  • Malware
  • Social engineering
  • Spam
  • Visual similarity
  • Data mining
  • Machine learning