Internet fraudsters use various strategies to harm you and/or your company. A popular and widely used method is to send you messages containing fraudulent content. These messages can be dangerous in different ways: the message may ask you to make bank transfers or (paid) calls, or it may contain dangerous links and/or dangerous attachments. These messages can be sent as e-mail but also via any other form of message. E-mails with dangerous links are often called phishing e-mails.
What is our concept about?
We have developed this training and self-training concept to help you better understand the attack model 'fraudulent messages' and to learn how to protect yourself. It is roughly structured as follows:
- Introduction to the topic
- Detection of implausible, fraudulent messages
- Detection of dangerous links (including finding the URL behind the link, structure of the URL and tricks of the attackers)
- Detection of messages with dangerous attachments (including finding the format of the file, list of particularly dangerous file formats and tricks of the attackers)
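The two link-related points above, finding the URL behind a link and then reading its structure, can be demonstrated in code. This is an added example and not NoPhish material: it extracts the real target of every link in an HTML mail body, reduces the host to its registrable domain (the part that decides who actually receives the click) and reports the usual reasons for distrust. The sample mail, the `bank.example` domain and the trusted list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link shows a genuine-looking address but leads elsewhere.
SAMPLE_MAIL = (
    '<p>Please confirm your account: '
    '<a href="http://bank.example.account-check.example.net/login">'
    'https://bank.example/login</a></p>'
    '<p>Terms: <a href="https://bank.example/terms">our terms</a></p>'
)
TRUSTED = {"bank.example"}  # assumption: domains the reader knows to be genuine

class LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs, i.e. the real URL behind each link."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable_domain(host):
    # Simplification: last two labels; a real tool would consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess_link(text, href, trusted=TRUSTED):
    """Return the decisive domain of the target and why the link looks suspicious."""
    host = urlparse(href).hostname or ""
    domain = registrable_domain(host)
    reasons = []
    if domain not in trusted:
        reasons.append(f"registrable domain {domain!r} is not a trusted domain")
        if any(t.split(".")[0] in host for t in trusted):
            reasons.append("a trusted name appears in the host, but outside its registrable domain")
    if "://" in text or ("." in text and " " not in text):  # the visible text is itself an address
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if registrable_domain(shown) != domain:
            reasons.append("displayed address differs from the real target")
    return {"domain": domain, "suspicious": bool(reasons), "reasons": reasons}

def assess_mail(html, trusted=TRUSTED):
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, assess_link(text, href, trusted)) for text, href in parser.links]
```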
The development of the NoPhish concept was started at TU Darmstadt. This happened within the project KMU Aware, funded by the Bundesministerium für Wirtschaft und Energie in the context of Initiative IT-Sicherheit in der Wirtschaft as well as the CRISP project funded by the Bundesministerium für Bildung und Forschung. The concept in turn has built on research work around the NoPhish App. The various measures as well as the concept are still being evaluated and further developed on the basis of the results. In addition, new measures are being developed. Currently, research around the NoPhish concept is financed by the BMBF within the framework of KASTEL.
How was the concept implemented?
(Currently not all the material is available in English, but we are working to provide more English translations)
The NoPhish concept was implemented in different measures. These differ in their level of detail. Further information on the application can be found here (German only).
- Info Card - with the most important rules for detecting fraudulent messages in pocket format.
- Poster - with the most important rules for detecting fraudulent messages to hang in the office or central locations.
- Challenge Poster (German only) - with different forms of (fraudulent) messages and the question: Is this message trustworthy? With the help of a QR code you can answer this question and you will be taken to a page with the resolution and other tips for detecting fraudulent messages.
- Video - with a general introduction to the topic, the most important rules and descriptive examples in 5 minutes. The video was developed together with Alexander Lehmann. There are currently 3 different versions of this video on YouTube. Older versions can be found on the SECUSO channel and on Alexander Lehmann's channel. The new version, which was improved based on evaluation results, can be found on the YouTube channel of the KIT.
- Flyer - with a general introduction to the topic and the most important rules, with descriptive examples.
- Training and self-training material - everything around the topic of fraudulent messages, with many examples and further information. Our training documents are the ideal basis for self-study or as a starting point for passing on knowledge, e.g. through lectures in your own company. These documents also contain exercises. Parts of these documents and exercises have been incorporated into an Android app.
- Quiz (German only) - self-test for detecting fraudulent messages.
Notes
- If you are interested in using our materials in your own company / organization, please contact contact∂secuso.org so that we can clarify the general conditions.
- Most of the recommendations are not absolute, as the internet is very complex. Therefore, in this unit you will often read terms such as 'likely', 'very likely' and 'potentially possible'. The recommendations should serve as a solid decision-making aid for identifying fraudulent messages.
- The (potentially) fraudulent messages used are either taken directly from fraudulent messages that were in circulation or are based on such messages.
- The dangerous web addresses used are only meant as examples. In individual cases, however, the domains used may have been registered by the imitated company itself in order to prevent fraud attempts, or by individuals or companies with no fraudulent intent whatsoever.
Publications
- Phishing Detection: Developing and Evaluating a Five Minutes Security Awareness Video. Melanie Volkamer, Karen Renaud, Benjamin Reinheimer, Philipp Rack, Marco Ghiglieri, Peter Mayer, Alexandra Kunz, Nina Gerber. In: Proceedings of the 15th International Conference on Trust, Privacy and Security in Digital Business (TrustBus), 2018.
- Don't be Deceived: The Message Might be Fake. Stephan Neumann, Benjamin Reinheimer, Melanie Volkamer. In: 14th International Conference on Trust, Privacy & Security in Digital Business (TrustBus), pp. 199-214, 2017.
- NoPhish: Evaluation of a web application that teaches people being aware of phishing attacks. Alexandra Kunz, Melanie Volkamer, Simon Stockhardt, Sven Palberg, Tessa Lottermann, Eric Piegert. In: Lecture Notes in Informatics (LNI), 2016.
- Über die Wirksamkeit von Anti-Phishing-Training. Simon Stockhardt, Benjamin Reinheimer, Melanie Volkamer. In: Usable Security and Privacy Workshop in conjunction with Mensch und Computer 2015, 2015.
- Teaching Phishing-Security: Which Way is Best? Simon Stockhardt, Benjamin Reinheimer, Melanie Volkamer, Peter Mayer, Alexandra Kunz, Philipp Rack, Daniel Lehmann. In: 31st International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2016), 2016.
- Learn To Spot Phishing URLs with the Android NoPhish App. Gamze Canova, Melanie Volkamer, Clemens Bergmann, Roland Borza, Benjamin Reinheimer, Simon Stockhardt, Ralf Tenberg. In: IFIP Advances in Information and Communication Technology, World Conference on Information Security Education in conjunction with IFIP SEC 2015, Springer, 2015.
- NoPhish App Evaluation: Lab and Retention Study. Gamze Canova, Melanie Volkamer, Clemens Bergmann, Benjamin Reinheimer. In: Internet Society: NDSS Workshop on Usable Security 2015, February 2015.
- NoPhish: An Anti-Phishing Education App. Gamze Canova, Melanie Volkamer, Clemens Bergmann, Roland Borza. In: 10th International Workshop on Security and Trust Management in conjunction with ESORICS 2014, 2014.
There are tools that make it easier to check links:
- TORPEDO - Extension to the Thunderbird email client that helps you to identify dangerous links in emails.
- QR-Code Scanner App - Android app that allows you to scan QR codes with your smartphone. If the QR code contains a URL, the web site is not opened directly; instead, the URL is shown to you first for review.
Current or previous users
- Berlin transport company
- Office for community service in the Evang.-Luth. Church in Bavaria
- ASAP Holding GmbH
- Hessian Ministry of Environment, Climate Protection, Agriculture and Consumer Protection
- Federal Office of Administration
- MARKANT Germany
- Koenitz Porcelain GmbH
- Lemo Maschinenbau GmbH
- AVW group of companies
- City of Dessau-Roßlau
- Police headquarters deployment in Baden-Württemberg
- Police headquarters in South Hesse
- State Office for Geographic Information and Surveying Lower Saxony (LGLN)
- Bundeswehr Artillery Battalion 295