TORPEDO: TOoltip-poweRed Phishing Email DetectiOn
- 1.5k Downloads
We propose a concept called TORPEDO to improve phish detection by providing just-in-time and just-in-place trustworthy tooltips to help people judge links embedded in emails. TORPEDO’s tooltips contain the actual URL with the domain highlighted and delay link activation for a short period, giving the person time to inspect the URL before they click. Furthermore, TORPEDO consists of an information diagram to explain phish detection. We evaluated TORPEDO in particular with respect to its effectiveness: Compared to the worst case ‘status bar’. as used in Thunderbird and Web email clients. TORPEDO performed significantly better in detecting phishes and identifying legitimate emails (85.17 % versus 43.31 % correct answers for phish). A proof of concept implementation is available as a Thunderbird Add-On.
KeywordsTeachable Moment Authentic Email Email Client Legitimate Email Embed Link
Phishing is merely a modern equivalent of a confidence trick that has been carried out for centuries: to deceive someone to derive some personal benefit. The first time that the term “phishing” was used to refer to this digital version of confidence tricking was on January 2, 19961. Phishing messages offer a link embedded in an email message that entices the recipient to click. Email recipients are likely to click on links due to their widespread legitimate use. If they do click, it redirects them to a website masquerading as the real thing or downloads some malware onto their computer. Twenty years after its emergence, phishing still succeeds [11, 39]. Automated detection is a powerful tool against phishing, but the fact that it takes, on average, 28.75 h to detect new phish websites  means that users have to detect phishing messages themselves during the discovery window. However, many people are unable to distinguish legitimate from phish messages. Since there is no financial bar on the number of emails phishers can send, this means a sizeable number of people are snared every day.
2 Identifying Ons Why People Fall for Phish
It is important to understand why people fall for phish in order to support them the better. To identify possible reasons for people falling victim to phish, we carried out a literature review and conducted a cognitive walk-through analysis.
2.1 Literature Review
The Look and Feel: People judge emails’ trustworthiness based on their first impression, informed by a recognisable logo [4, 30], attractive design [30, 35], the use of their name or the provision of the company’s contact details .
The Email Content: People read the email in order to judge the trustworthiness thereof. Relied-upon indicators are the grammar and spelling quality [30, 35]. Researchers also showed that people are more likely to fall for a phish when: emotions such as excitement, fear or anxiety [4, 35] are provoked, a sense of urgency is invoked [30, 34], existing attitudes and beliefs (wanting to believe that the scammer is honest) are exploited , or persuasive and influencing techniques are used [35, 38]. Researchers argue that under such conditions of arousal people’s decision-making abilities are impaired and they are less likely to pick up danger signals .
Wrong Parts of the URL: Some people do look at the URL . However, they misinterpret the URL due to a lack of knowledge of the semantics of URLs [9, 40]. Some people are reassured by the mere presence of HTTPS in the embedded link and look no further . Others are reassured by the brand name being embedded ‘somewhere in the URL’ .
2.2 Cognitive Walk-Through Analysis
Information not provided where expected/needed: Thunderbird2 as well as the Web email clients, display the actual URL destination in the status bar at the bottom of the window. Problem: The status bar is some distance away from the user’s current attentional focus and might easily be missed. The text of the email is far more prominent and thus likely to be focused on.
Tooltip provided by sender: Some email senders provide a tooltip which appears when the mouse hovers over the link when using Thunderbird or the Web email clients3 while the actual URL is still displayed in the status bar. Providing such tooltip is actually a very simple attack since the phisher only needs to provide a “title=” attribute.
Problem: The tooltip encourages examination of the URL by appearing where the user’s attention is focused. If the recipient relies only on the tooltip, a phisher would be successful when providing a reassuring URL.
Redirection: Some email providers seem to make phish detection difficult, if not impossible. These clients do not display the actual URL in the status bar, but rather an (obfuscated) URL, a so-called dereferer (see Fig. 2). Web mail providers argue that they do this to protect their users (due to some checks before redirecting users to the actual web page). Problem: This approach makes it almost impossible for even the most security aware to detect the perfidy of the link.
Tiny URLs: Some senders of (legitimate) emails use shortened URLs to redirect the person to a different website.
Problem: From the URL it is impossible to know where a click will send people to. It is necessary to use external services to get the final destination.
Habituation: While Apple Mail shows a toolbar next to the link in the email, it does so (obviously) for both legitimate and phishing emails.
Problem: While knowing that one should check the URL in the tooltip before clicking, due to habituation people are not very likely to check each URL or even a high percentage.
Mouse hover vs. clicking: In order to get the relevant information in both desktop clients as well as in the Web email clients, one need to touch the link with the mouse while one must not click.
Problem: It is likely that users are not cautioned enough and instead of only moving the mouse to the link they already click before having checked.
2.3 Reasons Why People Fall for Phishing
Not being aware that the URL is the only reliable signal: making a decision based on the wrong signal.
Not knowing which displayed URL to trust. There are three options: embedded in email text, in the displayed tooltip, or in the status bar.
Not having access to the actual URL (destination) due to URLs being obscured – either because of redirection or the use of tiny URLs.
Not consulting the URL carefully enough before clicking due to accidental clicks and/or habituation effects.
Not knowing how to distinguish authentic from phish URLs.
3 TORPEDO as Possible Solution
We try to address all of these reasons with TORPEDO. TORPEDO proves just-in-time and just-in-place trustworthy tooltips which contain the actual URL with the domain highlighted. It delays link activation for a short period. Furthermore, TORPEDO consists of an information diagram to explain phish detection, to be used together with the tooltips (when first used and on demand). We explain in the following paragraphs the different aspects and how they are supposed to address the identified reasons.
Just-in-time means that the tooltip appears when the person hovers their mouse over an embedded link. This addresses ‘Reason 1’ by making the reliable signal more prominent (at least compared to the status bar used by Thunderbird and the Web email clients). Just-in-place means that it appears right next to the link (i.e. more precisely right below the link) and only there. This addresses ‘Reason 1’ and ‘Reason 2’ by making the most important signal the most prominent one and always displaying it at the same position. Highlighting the domain in bold letters (similar to the highlighting in the addressbar of some Web browser) focuses attention on the most important part of the URL addressing ‘Reason 5’.
Disabling the link for a short period , perhaps three seconds while providing continuous feedback in terms of a counter showing the time left to click (3, 2, 1s) increases the likelihood of people examining the link before clicking, addressing ‘Reason 4’. Note, the delay is configurable to give users control. Furthermore, a white list is maintained to remember domains users have already clicked on twice before (requiring two clicks means that domains will not as easily be accidentally white listed). Whitelisted links will be activated immediately and not be subject to any delay to not annoy users.
In Step 1, we suggest focusing only on the URL. This addresses the fact that people do not focus on the URL (‘Reason 1’). It is also explained that the remaining parts of the URL can easily be faked.
In Step 2 we recommend that people actually only consider the highlighted part of the URL displayed in the tooltip.
In Step 3, we explain that they should check whether the brand name is highlighted (to address misleading URLs such as http://amazon.shop-secure.com but also obvious phishes such as IP addresses). More precisely, we explain that they should ignore the remaining parts of the URL.
In Step 4, we advise them to check for extensions of the brand name such as in http://amazon-shopping-in-America.com. This the most difficult phishing URL to detect as some companies use such extensions in their authentic domain. We, thus, recommend that they search at Google if they are not sure.
In Step 5, we recommend that they check letter by letter to identify small modifications in the domain name (to pick up http://mircosoft.com).
Status bar: The group sees the URLs in the status bar.
TORPEDO: The group sees the URL in a tooltip with domain highlighted in bold while having seen the information diagram.
H1 – Phish detection: The TORPEDO group will detect more phishing emails, as compared to the status bar group.
H2 – Authentic eMail identification: The TORPEDO group will identify more authentic emails, as compared to the status bar group.
H3 – Efficiency: The TORPEDO group will judge emails more quickly, as compared to the status bar group5.
H4 – Confidence: The TORPEDO group will be more certain of their judgements, as compared to the status bar group.
4.1 Study Procedure
The study comprised the following three phases6:
Phase 1 – Welcome: General information was provided, including the goal of the study, number of phases, the estimated duration, and data protection. We explained that it was important not to seek assistance (we did not elaborate by citing Google, as this could have been counter productive). We introduced the main tasks: They should imagine that their friend Max Müller is about to work through his emails. Since Max has accounts at all the companies in question, it is important for him to know which emails are authentic and which are phish. Therefore, they were asked to help him to judge the emails based on screenshots which Max provides to them on the following pages.
Phase 2 – Judging screenshots: Participants were presented with screenshots of 16 emails (8 authentic / 8 phish) each on a different web service and in random order. The TORPEDO group got in addition the information diagram, both before starting to answer questions as well as below each screenshot. Participants were asked: Is the email authentic? Then participants were then asked: How certain are you that you properly judged the displayed emails. The TORPEDO group was also asked to comment on the information diagram.
Phase 3: Demographics: We requested demographic information.
4.2 Creation of Email Screenshots
Obfuscate: The phish URL is composed of an arbitrary name or IP address. Note, the brand name of the authentic website does not appear.
Mislead: The phish URL embeds the authentic name somewhere (e.g. in the subdomain or the path) in order to allay suspicions.
Mangle: The phish URL includes letter substitutions, different letter ordering, or misspelling e.g. arnazon instead of amazon.
Camouflage: The domain name of the phish URL contains the brand name together with an extension or a different top level domain.
Legitimate(L) and Manipulated(M) URLs incl. type of manipulation.
URL (abbreviated with ‘...’)
4.3 Ethics, Recruitment, and Incentives
Our University’s ethical requirements with respect to respondent consent and data privacy were met. Participants first read an information page on which they were assured that their data would not be linked to their identity and that the responses would only be used for study purposes. Furthermore, using SoSciSurvey ensured that data was stored in Germany and thus subject to German data protection law. No debriefing was necessary. We recruited participants through a platform called Workhub, which is a German equivalent of Amazon Mechanical Turk. Every Workhub participant receives €3.
5 Results and Discussion
The demographics are summarized for both groups in Table 2. Participants in the TORPEDO group, on average, detected phishing emails 85.17 % of the time and they, on average, identified legitimate emails as such 91.57 % of the time. The corresponding percentages for the control group are: 43.31 % for phish detection and 63.66 % for identifying legitimate emails. Note, participants, on average, detected Camouflaged URLs 72.09 % of the time in the TORPEDO group and 38.37 % in the status bar group, Misleading URLs 87.21 % versus 30.23 %, Mangled URLs 91.86 % versus 37.20 %) and Obfuscated URLs 89.53 % versus 67.44 %. Furthermore, the corresponding numbers for the answer ‘I do not know’ are (TORPEDO/status bar): 3.49 %/6.98 %, 2.91 %/7.56 %, 2.33 %/8.14 %, and 5.81 %/5.23 %. The descriptive data for H3 and H4 is depicted in Fig. 4.
H1 – Phish Detection: Our analysis shows a significantly improved detection rate for phish Emails for participants in the TORPEDO group, as compared to those in the statusbar group (\(U = 210, p < .001\), \(\eta ^2 = 0.455\)).
H2 – Authentic Email Identification: Our analysis shows a significantly improved identification rate of authentic Emails for participants in the TORPEDO group, as compared to those in the status bar group (\(U = 304, p < .001\), \(\eta ^2 = 0.374\)).
H3 – Efficiency: Our analysis shows that participants in the TORPEDO group were significantly more efficient than participants in the status bar group (\(U = 676.5, p = .032\), \(\eta ^2 = 0.053\)).
H4 – Confidence: Our analysis shows that participants in the TORPEDO group were significantly more certain about their decisions than participants in the status bar group (\(U = 536.5, p < .001\), \(\eta ^2 = 0.155\)).
Diagram Feedback. We used open coding to analyse the free text answers. We came up with the following categories: ‘grateful’, ‘nothing to improve’, ‘confusing’, ‘too much information’, ‘too little information’, and ‘small improvements’. Most of the participants (29 from 43 in total) were happy with the diagram, not mentioning anything to improve. Three were grateful. Eight mentioned that the diagram was confusing and five added that the confusion cleared once they read it. Two participants considered the diagram to contain too much information while another two participants complained about it giving too little information (requesting more examples). Three provided small suggestions for improvement: provide a title, and reconsider the usage of terms such as phish and URL.
Discussion. The results show that, in the studied scenario, we significantly improved phish detection as well as the identification of legitimate emails with TORPEDO. The detection rates for all four phishing types increased, too. The participants in the TORPEDO group are also more confident that they made the proper decision in comparison to the status bar group. The decision making process is also significantly more efficient. Operating more quickly can, in the long run, lead to more errors being made. It is worth providing people with information such as that given in the information diagram since it is easy to apply and requires the email recipient to spend less time checking each individual email. The feedback to the information diagram showed that there is not much need to improve the diagram other than making the numbers clearer and adding a title. We acknowledge that the diagram might not provide sufficient information for some people. In these few cases, we recommend extending our defence approach with existing proven training approaches (see Sect. 6).
Limitations. We acknowledge that we evaluated the approach in a best-case scenario as their primary task was security. Phishing effectiveness evaluations in field studies are not possible due to ethical and legal constraints. Lab studies also have their limitations because participants would not use a study laptop instead of their own. We also acknowledge that the URLs were displayed the entire time and not only when hovering the mouse over the link. This only partially simulates the proposed delay. Note, we only used HTTPS since we wanted to assess their ability to check the actual URL, not the presence or absence of HTTPS. Finally, we acknowledge that the sample was not representative.
6 Related Work
Researchers have proposed different ways of addressing phishing:
Automated Detection. Phishing emails can be detected either pre- or post-click. Emails can be analysed by the email provider before being forwarded to the user. This analysis includes checking the integrated URLs against several blacklists provided by companies such as Microsoft, Google and phishTank. Other checks can also be carried out. For example, to look at differences between displayed and actual domain names  or carry out an NLP analysis of the actual email text . If the email is delivered and the person clicks, post-click detection can also occur. Web browsers or Add-ons can check the URL against various blacklists or check the web site content in combination with the actual URL. A number of different approaches for these checks have been proposed [3, 27, 28, 31]. In both pre- and post-click checks a risky situation can either lead to blocking or a warning e.g. [24, 29, 40, 42]. As a final comment, there is an inherent flaw to post-click warnings. The human tendency to consistency makes it less likely for people to even want to detect the deceptive nature of any site if they have already committed to the process . They have judged the email to be legitimate. Withdrawing at this stage is unlikely. TORPEDO does not aim to replace detection approaches but to complement them in order to help people to protect themselves in case none of the checks detects the phish or it is simply during the pre-detection window .
Training. A number of researchers have focused on training users to spot phish [1, 5, 6, 18, 20, 21, 22, 33] but most of them address phish detection in a web browser context. Researchers have shown that training improves phish detection rates. Training has two drawbacks as compared to TORPEDO. First, people need to be aware that there is a problem and that they need to be active in dealing with it. Otherwise they will not undergo training. This problem was addressed by Kumaraguru  by employing the concept of teachable moments, where people are given instructions or training when they almost fall for a phish. In their scheme, instead of blocking a link they allow it, and then show them that they almost fell for a phish. Second, people may forget the information the training imparted as they are not confronted with phishing emails every day. Again the teachable moment approach can help. However, we think providing the information graphic on demand, as and when required, is the safer approach as it might be that the next time they forget how to check the teachable moment mechanism may not be installed and they would be unprotected. Dodge et al.  report a different approach, post-click training. They send out fake phish messages and then train people who click on the links. They report a positive effect. However, this approach can only be taken within an organisation. A few participants in our evaluation had trouble understanding our diagram. For those, more exhaustive training may help them. Note, the training, as such, would be shorter than what would be required without TORPEDO.
Combining Approaches. We propose TORPEDO to complement existing approaches to address the email phishing problem. Other researchers have also proposed combining approaches to maximise phish protection. Khonji et al.  suggest a two-pronged approach, the first prong being user training, and the second being automated detection. The latter includes blacklists, machine learning and visual similarity detection. Frauenstein and Von Solms  propose combining human, organisational and technical measures. The first includes awareness and training, the second policies and procedures and the last one includes automated measures to detect phish.
7 Conclusion and Future Work
Phishing is a thorny issue. Trying to filter out phishing emails before they reached the end users reduces the problem. Great strides have been made in this direction but no one will claim that any automated system will catch 100 % of phishing emails. So, it is up to the end users to protect themselves. The research we have presented here offers a way to support end users by deploying TORPEDO providing just-in-time, just-in-place, trustworthy tooltips; disabling links for a short period of time; detection of re-directions and tiny URLs, and providing a diagram at installation, or on demand, that encapsulates phish detection advice in a step by step fashion. This approach was evaluated and improved. We found that it highly significantly improved phish and legitimate email detection, made such detection significantly faster and led to people feeling more confident about their judgements compared to the status bar approach as used in Thunderbird and Web email clients. With 85.17 % phish detection compared to 43.31 % with the status bar URL display, it can only be hoped that the different email clients and email providers deploy this approach as soon as possible. Until then, people can use the TORPEDO Add-on we developed. As future work, we plan to conduct acceptance tests to determine whether TORPEDO will indeed be used. We also plan to extend this approach to mobile email clients.
The mention occurred in alt.online-service.america-online.
Note, this is different for Apple Mail and also for Outlook.
Again, this is different for Apple Mail and for Outlook.
According to Wikipedia popular shortening services are: bit.ly, goo.gl, ow.ly, t.co, TinyURL, and Tr.im. The URL is parsed accordingly. Those services are addressed.
Note, on the one hand it is important that people take their time to check the URL, however in addition, if they know what to consider, they can make decisions faster.
Questions were translated from German for this paper.
This work was developed within the project ‘KMU AWARE’ which is funded by the German Federal Ministry for Economic Affairs and Energy under grant no. BMWi-VIA5-090168623-01-1/2015. The authors assume responsibility for the content.
- 1.Alnajim, A., Munro, M.: An anti-phishing approach that uses training intervention for phishing websites detection. In: 6th International Conference on Information Technology: New Generations, pp. 405–410. IEEE (2009)Google Scholar
- 2.APWG Internet Policy Committee: Global Phishing Survey: Trends and Domain Name Use in 2H2013 (2013). http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2013.pdf. Accessed 13 March 2016
- 4.Blythe, M., Petrie, H., Clark, J.A.: F for fake: four studies on how we fall for phish. In: CHI, pp. 3469–3478. ACM (2011)Google Scholar
- 5.Canova, G., Volkamer, M., Bergmann, C., Borza, R.: NoPhish: an anti-phishing education app. In: Mauw, S., Jensen, C.D. (eds.) STM 2014. LNCS, vol. 8743, pp. 188–192. Springer, Heidelberg (2014)Google Scholar
- 6.Canova, G., Volkamer, M., Bergmann, C., Borza, R.: Learn to spot phishing URLs with the android nophish app. In: Bishop, M., Miloslavskaya, N., Theocharidou, M. (eds.) Information Security Education Across the Curriculum. IFIP Advances in Information and Communication Technology, vol. 453, pp. 87–100. Springer, Heidelberg (2015)Google Scholar
- 7.Canova, G., Volkamer, M., Bergmann, C., Reinheimer, B.: NoPhish app evaluation: lab and retention study. In: USEC. Internet Society (2015)Google Scholar
- 9.Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: CHI, pp. 581–590. ACM (2006)Google Scholar
- 11.Erkkilä, J.-P.: Why we fall for phishing. In: Conference on Human Factors in Computer Systems. ACM (2011)Google Scholar
- 12.Fette, I., Sadeh, N., Tomasic, A.: Learning to detect phishing emails. In: 16th International Conference on World Wide Web, pp. 649–656. ACM (2007)Google Scholar
- 13.Frauenstein, E.D., von Solms, R.: Phishing: how an organization can protect itself. In: Information Security South Africa Conference, pp. 253–268. Information Security South Africa (2009)Google Scholar
- 14.Friedman, B., Hurley, D., Howe, D.C., Felten, E., Nissenbaum, H.: Users’ conceptions of web security: a comparative study. In: CHI, pp. 746–747. ACM (2002)Google Scholar
- 15.Garera, S., Provos, N., Chew, M., Rubin, A.D.: A framework for detection and measurement of phishing attacks. In: Recurring Malcode, pp. 1–8. ACM (2007)Google Scholar
- 18.Jansson, K., von Solms, R.: Simulating malicious emails to educate end users on-demand. In: 3rd Symposium on Web Society, pp. 74–80. IEEE (2011)Google Scholar
- 21.Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L.F., Hong, J., Nunge, E.: Protecting people from phishing: the design and evaluation of an embedded training email system. In: CHI, pp. 905–914. ACM (2007)Google Scholar
- 22.Kumaraguru, P., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L.-F., Hong, J.: Getting users to pay attention to anti-phishing education: evaluation of retention and transfer. In: Anti-phishing WG, pp. 70–81. ACM (2007)Google Scholar
- 25.Lin, E., Greenberg, S., Trotter, E., Ma, D., Aycock, J.: Does domain highlighting help people identify phishing sites? In: CHI, pp. 2075–2084. ACM (2011)Google Scholar
- 26.Ma, J., Saul, L.K., Savage, S., Voelker, G.M.: Beyond blacklists learning to detect malicious web sites from suspicious URLs. In: 15th SIGKDD, pp. 1245–1254. ACM (2009)Google Scholar
- 28.Maurer, M.-E., Herzner, D.: Using visual website similarity for phishing detection and reporting. In: CHI, pp. 1625–1630. ACM (2012)Google Scholar
- 29.Maurer, M.-E., Luca, A.D., Kempe, S.: Using data type based security alert dialogs to raise online security awareness. In: SOUPS, p. 2. ACM (2011)Google Scholar
- 30.Naidoo, R.: Analysing urgency and trust cues exploited in phishing scam designs. In: 10th International Conference on Cyber Warfare and Security, p. 216. Academic Conferences Limited (2015)Google Scholar
- 31.Prakash, P., Kumar, M., Kompella, R.R., Gupta, M.: PhishNet: predictive blacklisting to detect phishing attacks. In: INFOCOM, pp. 1–5. IEEE (2010)Google Scholar
- 32.Rusch, J.J.: The “social engineering” of internet fraud. In: Internet Society Annual Conference. Internet Society (1999)Google Scholar
- 33.Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L.F., Hong, J., Nunge, E., Phil, A.-P.: The design and evaluation of a game that teaches people not to fall for phish. In: SOUPS, pp. 88–99. ACM (2007)Google Scholar
- 35.University of Exeter School of Psychology. The psychology of scams: Provoking and committing errors of judgement, University of Exeter (2012)Google Scholar
- 38.Wang, J., Chen, R., Herath, T., Rao, H.: An empirical exploration of the design pattern of phishing attacks. Inform. Assurance, Security & Privacy Services, Emerald Publishers (2009)Google Scholar
- 39.Webroot. Webroot 2015 Threat Brief. http://www.webroot.com/shared/pdf/Webroot_2015_Threat_Brief.pdf. Accessed 13 March 2016
- 40.Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: CHI, pp. 601–610. ACM (2006)Google Scholar
- 41.Xu, Z., Zhang, W.: Victimized by phishing: a heuristic-systematic perspective. J. Internet Bank. Commer. 17(3), 1 (2012). ARRAY DevelopmentGoogle Scholar
- 42.Zhang, Y., Egelman, S., Cranor, L.F., Hong, J.: Phinding phish: evaluating anti-phishing tools. In: NDSS. School of Computer Science, Internet Society (2007)Google Scholar