Defending against phishing attacks: taxonomy of methods, current issues and future directions

Internet technology is so pervasive today, from online social networking to online banking, that it has made people’s lives more comfortable. Due to the growth of Internet technology, security threats to systems and networks are relentlessly inventive. One such serious threat is “phishing”, in which attackers attempt to steal users’ credentials using fake emails, fake websites, or both. Both industry and academia are working hard to develop solutions to combat phishing threats. It is therefore very important that organisations pay attention to end-user awareness in phishing threat prevention. The aim of our paper is therefore twofold. First, we discuss the history of phishing attacks and the attackers’ motivation in detail, and then provide a taxonomy of the various types of phishing attacks. Second, we provide a taxonomy of the various solutions proposed in the literature to protect users from phishing, organised according to the attacks identified in our taxonomy. Moreover, we also discuss the impact of phishing attacks in the Internet of Things (IoT). We conclude our paper by discussing various issues and challenges that still exist in the literature and that are important in the fight against phishing threats.
