Abstract
We argue that phishing IQ tests fail to measure susceptibility to phishing attacks. We conducted a study where 40 subjects were asked to answer a selection of questions from existing phishing IQ tests in which we varied the portion (from 25% to 100%) of the questions that corresponded to phishing emails. We did not find any correlation between the actual number of phishing emails and the number of emails that the subjects indicated were phishing. Therefore, the tests did not measure the ability of the subjects. To further confirm this, we exposed all the subjects to existing phishing education after they had taken the test, after which each subject was asked to take a second phishing test, with the same design as the first one, but with different questions. The number of stimuli that were indicated as being phishing in the second test was, again, independent of the actual number of phishing stimuli in the test. However, a substantially larger portion of stimuli was indicated as being phishing in the second test, suggesting that the only measurable effect of the phishing education (from the point of view of the phishing IQ test) was an increased concern—not an increased ability.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-540-77366-5_37
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Anti-Phishing Working Group: Phishing Activity Trends Report November 2005 (2005)
Chou, N., Ledesma, R., Teraguchi, Y., Boneh, D., Mitchell, J.C.: Client Side Defense Against Web-based Identity Theft, http://crypto.stanford.edu/SpoofGuard/#publications
The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond, http://www.antiphishing.org/reports/APWG_CrimewareReport.pdf
Dhamija, R., Tygar, J.D.: The Battle Against Phishing: Dynamic Security Skins, In: Proc. SOUPS (2005)
Dhamija, R., Tygar, J.D., Hearst, M.: Why Phishing Works. In: CHI 2006. Proceedings of the Conference on Human Factors in Computing Systems (to appear)
Fogg, B.J., Soohoo, C., Danielson, D.R., Marable, L., Stanford, J., Tauber, E.R.: How Do Users Evaluate the Credibility of Web Sites?: A Study with Over 2,500 Participants. In: Proc. DUX (2003)
Fogg, B.J., Marshall, J., Laraki, O., Osipovich, A., Varma, C., Fang, N., Paul, J., Rangnekar, A., Shon, J., Swani, P., Treinen, M.: What Makes Web Sites Credible?: A Report on a Large Quantitative Study. In: Proc. CHI, pp. 61–68 (2001)
FTC.gov Alert, http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.htm
Jakobsson, M.: Modeling and Preventing Phishing Attacks. In: Patrick, A.S., Yung, M. (eds.) FC 2005. LNCS, vol. 3570, Springer, Heidelberg (2005)
Jakobsson, M.: The Human Factor in Phishing. Privacy & Security of Consumer Information (2007)
Jakobsson, M., Myers, S.A. (eds.): Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, p. 739 (December 2006) ISBN 0-471-78245-9
MailFrontier Phishing IQ Test II, http://survey.mailfrontier.com/forms/msft_iq_test.html
MailFrontier Phishing IQ Test – Deutsche Edition, http://german.mailfrontier.com/survey/phishing_de.jsp
MailFrontier Phishing IQ Test – UK Edition, http://survey.mailfrontier.com/survey/phishing_uk.html
MailFrontier/Sonicwall Phishing, http://www.sonicwall.com/phishing/
PassMark Security: Protecting Your Customers from Phishing Attacks - An Introduction to PassMarks, http://www.passmarksecurity.com/
The Phishing Guide - Understanding & Preventing Phishing Attacks, http://www.ngssoftware.com/papers/NISR-WP-Phishing.pdf
RSA Security: Protecting Against Phishing by Implementing Strong Two-Factor Authentication (2004), https://www.rsasecurity.com/products/securid/whitepapers/PHISH_WP_0904.pdf
Stamm, S., Ramzan, Z., Jakobsson, M.: Drive-By Pharming. Technical Report TR641, Indiana University (December 2006)
Tsow, A., Jakobsson, M., Yang, L., Wetzel, S.: Warkitting: the Drive-by Subversion of Wireless Home Routers. Anti-Phishing and Online Fraud, Part II. Journal of Digital Forensic Practice (Special Issue)Â 1(3) (November 2006)
Wu, M., Miller, R., Garfinkel, S.: Do Security Toolbars Actually Prevent Phishing Attacks? In: Proc. CHI (2006)
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Anandpara, V., Dingman, A., Jakobsson, M., Liu, D., Roinestad, H. (2007). Phishing IQ Tests Measure Fear, Not Ability. In: Dietrich, S., Dhamija, R. (eds) Financial Cryptography and Data Security. FC 2007. Lecture Notes in Computer Science, vol 4886. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77366-5_33
Download citation
DOI: https://doi.org/10.1007/978-3-540-77366-5_33
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77365-8
Online ISBN: 978-3-540-77366-5
eBook Packages: Computer ScienceComputer Science (R0)