Don’t Be Deceived: The Message Might Be Fake

  • Stephan Neumann
  • Benjamin Reinheimer
  • Melanie Volkamer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10442)


In an increasingly digital world, fraudsters, too, exploit this new environment and distribute fraudulent messages that trick victims into taking particular actions. There is no substitute for making users aware of scammers’ favoured techniques and giving them the ability to detect fraudulent messages. We developed an awareness-raising programme, specifically focusing on the needs of small and medium-sized enterprises (SMEs). The programme was evaluated in the field. The participating employees demonstrated significantly improved skills in terms of ability to classify messages as fraudulent or genuine. Particularly with regard to one of the most widespread attack types, namely fraudulent messages with links that contain well-known domains as sub-domains of generic domains, recipients of the programme improved their recognition rates from \(56.6\%\) to \(88\%\). Thus, the developed security awareness-raising programme contributes to improving the security in SMEs.


Keywords: Usable security, Education concept, User studies, SME, Awareness



This work was developed within the project KMUAWARE which is funded by the German Federal Ministry for Economic Affairs and Energy under grant BMWi-VIA5-090168623-01-1/2015. Authors assume responsibility for the content.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Stephan Neumann (1)
  • Benjamin Reinheimer (1)
  • Melanie Volkamer (1, 2)

  1. Technische Universität Darmstadt, Darmstadt, Germany
  2. Karlstad University, Karlstad, Sweden
