Phishing

Phishing is a type of attack that aims to circumvent technical defences such as antivirus software or firewalls by targeting users directly. Although the specific goal varies, attackers’ objectives fall broadly into one of two categories:
1) tricking victims into disclosing the credentials that give access to sensitive information (e.g., a bank account or an email account), or
2) tricking victims into clicking on a link or downloading an attachment in order to deliver malware.
The phishing threat has grown steadily over the years, and it is now one of the most damaging cyber-attacks for both businesses and private citizens. Fighting this dangerous practice requires both technical solutions that support users and awareness material that informs them about the threat and about how to protect themselves. To this end, we have created a series of measures that have been evaluated and shown to be effective in raising awareness of the problem.

Research Questions

Some of the research questions that have already been (partly) answered, or that we intend to answer, are:

  • What are the strengths and weaknesses of various forms of awareness interventions?
  • What is the duration of retained awareness from various awareness interventions over extended periods, including several months?
  • What efficiency disparities exist among different awareness interventions?
  • Which methods of awareness refreshment are particularly effective?

Informational Material

In collaboration with MotionEnsemble, we created three informative videos that explain different facets of fraudulent messages (plausibility and attachments; links; and content such as time pressure), equipping everyday users with the skills to distinguish phishing attempts from legitimate communications more effectively.
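The link-related skill the videos teach, namely reading where a link really goes rather than what its visible text claims, can be turned into a small automated check. The following is an added example, not code from the group's own videos or support tool; it assumes a constructed, deliberately tiny subset of multi-label public suffixes (a real tool would use the full Public Suffix List) and uses constructed sample links, so its "registrable domain" heuristic is only an approximation.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a tiny, constructed subset of multi-label public suffixes.
# A real tool would consult the full Public Suffix List (publicsuffix.org).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}

# Something that looks like a bare hostname inside visible link text.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part a reader has to recognise: the registrable
    domain, e.g. 'account-check.example' for 'www.paypal.com.account-check.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_from_href(href: str) -> Optional[str]:
    """Hostname of an http(s) link, or None for other schemes (mailto:, javascript:, ...).
    urlsplit().hostname discards any 'user@' prefix, so a link such as
    'https://paypal.com@evil.example/' correctly yields 'evil.example'."""
    parts = urlsplit(href.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname


def domain_shown_in_text(text: str) -> Optional[str]:
    """If the visible link text itself looks like a URL or hostname, return the
    registrable domain it presents to the reader; otherwise None."""
    text = text.strip()
    if "://" in text:
        host = host_from_href(text)
        return registrable_domain(host) if host else None
    m = HOSTNAME_RE.match(text)
    if m and (m.end() == len(text) or text[m.end()] == "/"):
        return registrable_domain(m.group(0))
    return None


def assess_link(display_text: str, href: str) -> dict:
    """Compare where a link claims to go (its visible text) with where it goes (href)."""
    host = host_from_href(href)
    result = {"href_domain": None, "shown_domain": domain_shown_in_text(display_text)}
    if host is None:
        result["verdict"] = "non-http"
        return result
    if is_ip_literal(host):
        result["href_domain"] = host
        result["verdict"] = "ip-literal"        # raw IP instead of a name: unusual for a legitimate service
        return result
    result["href_domain"] = registrable_domain(host)
    if result["shown_domain"] is None:
        result["verdict"] = "check-manually"    # text like "Click here" gives nothing to compare against
    elif result["shown_domain"] == result["href_domain"]:
        result["verdict"] = "match"
    else:
        result["verdict"] = "mismatch"          # visible text names one domain, the link leads to another
    return result


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an HTML e-mail body.
    samples = [
        ("https://www.paypal.com", "https://www.paypal.com.account-check.example/login"),
        ("paypal.com", "https://paypal.com@evil.example/"),
        ("Click here", "http://192.0.2.10/login"),
        ("https://www.example.co.uk/help", "https://support.example.co.uk/help"),
    ]
    for text, href in samples:
        print(f"{text!r:34} -> {href!r:55} {assess_link(text, href)['verdict']}")
```

The check only uses the parts of a link a user is told to look at in the videos, so its verdicts explain themselves: a "mismatch" or "ip-literal" is the kind of cue a support tool can surface next to the link, while "check-manually" is an honest statement that the visible text alone cannot settle the question.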

More awareness measures can be found on our webpage.

Some of our most relevant publications:

  • Better Together: The Interplay Between a Phishing Awareness Video and a Link-centric Phishing Support Tool
    Berens, B.; Schaub, F.; Mossano, M.; Volkamer, M. 2024. Conference on Human Factors in Computing Systems (CHI 2024), Honolulu, Hawai'i, USA, May 11–16, 2024
  • Phishing awareness and education – When to best remind?
    Berens, B. M.; Dimitrova, K.; Mossano, M.; Volkamer, M. 2022. Symposium on Usable Security and Privacy (USEC), San Diego, CA, April 23, 2022
  • An investigation of phishing awareness and education over time: When and how to best remind users.
    Reinheimer, B. M.; Aldag, L.; Mayer, P.; Mossano, M.; Düzgün, R.; Lofthouse, B.; von Landesberger, T.; Volkamer, M. 2020. Proceedings of the Sixteenth Symposium on Usable Privacy and Security (SOUPS), 259–284, USENIX Association
  • Teaching Phishing-Security: Which Way is Best?
    Stockhardt, S.; Reinheimer, B.; Volkamer, M.; Mayer, P.; Kunz, A.; Rack, P.; Lehmann, D. 2016. 31st International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2016), Ghent, Belgium, May 30 – June 1, 2016, 135–149, Springer, Cham.