Alnajim, Abdullah M. (2009) Fighting internet fraud: anti-phishing effectiveness for phishing websites detection. Doctoral thesis, Durham University.
Recently, the Internet has become a very important medium of communication. Many people go online and conduct a wide range of business. They can sell and buy goods, perform different banking activities and even participate in political and social elections by casting a vote online. The parties involved in a transaction never need to meet, and a buyer can sometimes be dealing with a fraudulent business that does not actually exist. Security for conducting business online is therefore vital. All security-critical applications (e.g. online banking login pages) that are accessed over the Internet are at risk of fraud. A common risk comes from so-called Phishing websites, which have become a problem for online banking and e-commerce users. Phishing websites attempt to trick people into revealing their sensitive personal and security information so that the fraudster can access their accounts. They use websites that look similar to those of legitimate organizations and exploit the end-user's lack of knowledge of web browser clues and security indicators. This thesis addresses the effectiveness of Phishing website detection. It reviews existing anti-Phishing approaches and then makes the following contributions. First, the research in this thesis evaluates the effectiveness of the current most common user tips for detecting Phishing websites. A novel set of effectiveness criteria is proposed and used to examine every tip and rank it by its effectiveness score, thus revealing the most effective tips for enabling users to detect Phishing attacks. The most effective tips can then be used by anti-Phishing training approaches. Secondly, this thesis proposes a novel Anti-Phishing Approach that uses Training Intervention for Phishing Websites' Detection (APTIPWD) and shows that it can be easily implemented.
Thirdly, the effectiveness of the New Approach (APTIPWD) is evaluated using a set of user experiments, which show that it is more effective in helping users distinguish between legitimate and Phishing websites than the Old Approach of sending anti-Phishing tips by email. The experiments also address the effects of technical ability and Phishing knowledge on Phishing website detection. The results of the investigation show that technical ability has no effect, whereas Phishing knowledge has a positive effect on Phishing website detection. Thus, there is a need to ensure that, regardless of their technical ability level (expert or non-expert), the participants do not know about Phishing before they take part in evaluating the effectiveness of a new anti-Phishing approach. This thesis then evaluates the anti-Phishing knowledge retention of the New Approach users and compares it with the knowledge retention of users who are sent anti-Phishing tips by email.
Item Type: Thesis (Doctoral)
Award: Doctor of Philosophy
Copyright: Copyright of this thesis is held by the author
Deposited On: 08 Sep 2011 18:26