NoPhish Concept: Awareness/Education/Training concept for the detection of phishing and fraudulent messages
Internet fraudsters use various strategies to harm you and/or your company. A popular and widely used method is to send you messages with fraudulent content. These messages can be dangerous in different ways: the message may ask you to make a bank transfer or a (paid) phone call, or it may contain dangerous links and/or dangerous attachments. Such messages are not limited to e-mail; they can arrive via any other form of message (SMS, messenger, social media). E-mails with dangerous links are commonly called phishing e-mails.
"I am particularly grateful to the SECUSO research group at KIT in Karlsruhe, because they provide very good awareness materials for protecting oneself against fraudsters on the internet." (Arne Schönbohm, President of the BSI)
What is our concept about?
To help people better understand the attack form 'fraudulent messages' and learn how to protect themselves, we have developed awareness, education and training measures. The concept covers four topics:
- Introduction to the topic
- Detection of implausible, fraudulent messages
- Detection of dangerous links (including finding the URL behind the link, the structure of the URL, in particular the "who-area" (the registrable domain), and the tricks attackers use)
- Detection of messages with dangerous attachments (including finding the real format of the file, a list of particularly dangerous file formats, and the tricks attackers use)
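The two link and attachment checks from the topic list above, written out as an added example (this is illustrative code written for this page, not SECUSO's own code nor the logic of the NoPhish app, TORPEDO or the QR-code scanner). It finds the URL actually behind a link, splits it into its parts, locates the who-area (the registrable domain) and then looks for the tricks the concept teaches: a trusted name placed in a subdomain or in the path instead of the who-area, a look-alike who-area, an IP address as host, user-info before an '@', and punycode hosts. For attachments it takes the real format from the last extension and compares it against a list of particularly dangerous formats. The trusted brand name, the two-level suffix set and the dangerous-format list are assumptions chosen for illustration, and the e-mail snippet is constructed.

```python
"""Added example (not SECUSO's code): NoPhish-style link and attachment checks."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a name the recipient would trust; a real deployment uses its own list.
TRUSTED_BRANDS = {"example-bank"}
# Assumption: tiny stand-in for the Public Suffix List, i.e. registries under
# which the who-area consists of three labels instead of two.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Assumption: constructed list of particularly dangerous attachment formats.
DANGEROUS_EXT = {"exe", "scr", "bat", "cmd", "js", "vbs", "hta", "lnk", "jar",
                 "docm", "xlsm", "pptm", "iso", "img"}


class _HrefCollector(HTMLParser):
    """Collect (visible link text, real href) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def links_behind(html):
    """Return what the reader sees next to where the link really goes."""
    parser = _HrefCollector()
    parser.feed(html)
    return parser.links


def who_area(url):
    """The who-area: the registrable domain right before the first single slash."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_tricks(url):
    """List the attacker tricks visible in a URL (empty list = nothing found)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    area = who_area(url)
    area_name = area.split(".")[0]
    # Everything to the left of the who-area is attacker-controlled decoration.
    subdomains = host[:-len(area)] if host.endswith(area) and host != area else ""
    findings = []
    try:
        ipaddress.ip_address(host)
        findings.append("ip-address-host")
    except ValueError:
        pass
    if parts.username is not None:
        findings.append("userinfo-before-@")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    for brand in TRUSTED_BRANDS:
        if area_name == brand:
            continue  # the trusted name really is the who-area
        if brand in area_name:
            findings.append(f"look-alike-who-area:{brand}")
        elif brand in subdomains:
            findings.append(f"brand-in-subdomain:{brand}")
        elif brand in (parts.path + "?" + parts.query).lower():
            findings.append(f"brand-in-path:{brand}")
    return findings


def attachment_format(filename):
    """Return (real format, findings). The LAST extension decides the format;
    'invoice.pdf.exe' is an .exe, whatever the earlier part suggests."""
    name = filename.strip().lower().replace("\u202e", "")
    exts = name.split(".")[1:]
    if not exts:
        return None, []
    fmt = exts[-1].strip()
    findings = []
    if fmt in DANGEROUS_EXT:
        findings.append("dangerous-format")
    if len(exts) >= 2:
        findings.append("double-extension")
    if "\u202e" in filename:
        findings.append("rtl-override")  # filename shown reversed by the client
    return fmt, findings


# Constructed sample message: visible text shows the bank, the href does not.
SAMPLE_MAIL = ('<p>Your account is locked. <a href="http://example-bank.'
               'secure-login.example.net/verify">https://www.example-bank.com/verify</a></p>')

if __name__ == "__main__":
    for text, href in links_behind(SAMPLE_MAIL):
        print(f"shown: {text}\nreal:  {href}\nwho-area: {who_area(href)} "
              f"tricks: {link_tricks(href)}")
    for fn in ("Invoice.pdf.exe", "report.docx"):
        print(fn, "->", attachment_format(fn))
```

Note that `who_area` is deliberately simple: without the full Public Suffix List it mis-classifies some registries, which is exactly why the page's recommendations speak of 'likely' rather than certain. The checks give a decision aid, not a verdict.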
The development of the NoPhish concept started at TU Darmstadt within the project KMU Aware, funded by the Bundesministerium für Wirtschaft und Energie as part of the Initiative IT-Sicherheit in der Wirtschaft, and within the CRISP project, funded by the Bundesministerium für Bildung und Forschung. The concept in turn builds on research around the NoPhish App. The individual measures and the concept as a whole are still being evaluated and further developed on the basis of the results, and new measures are being added. Currently, research around the NoPhish concept is supported by funding from the topic Engineering Secure Systems of the Helmholtz Association (HGF) and by KASTEL Security Research Labs.
You can find a more detailed description here.
How was the concept implemented?
(Currently not all of the material is available in English, but we are working on providing more English translations.)
The NoPhish concept has been implemented in several measures, which differ in their level of detail. Further information on how to use them can be found here (German only).
- Info card - with the most important rules for detecting fraudulent messages in trouser pocket format.
- Poster - with the most important rules for detecting fraudulent messages to hang in the office or central locations.
- Challenge Poster (German only) - with various (fraudulent) messages and the question: Is this message trustworthy? A QR code lets you answer the question and takes you to a page with the solution and further tips for detecting fraudulent messages.
- Videos - With a general introduction to the topic, the most important rules and descriptive examples. We have put all this together with Alexander Lehmann in our two five-minute NoPhish videos.
- Flyer - with a general introduction to the topic and the most important rules, with descriptive examples.
- Training and self-training material - everything around the topic of fraudulent messages, with many examples and further information, for self-study or as a starting point for passing the knowledge on, e.g. through lectures in your own company. These documents also contain exercises. Parts of the documents and exercises have been incorporated into an Android App.
- Quiz - Self test to detect fraudulent messages.
- Online-Game (German only) - "Phishing Master", the slightly different serious game to detect fraudulent messages.
- STAR - a humanoid robot that interactively discusses fraudulent messages with users. A video of a possible session can be found here.
Hints:
- If you are interested in using our materials in your own company / organization, please have a look at the following document.
- Most of the recommendations are not absolute, as the internet is very complex. Therefore, in this unit you will often read terms such as 'likely', 'very likely' or 'potentially possible'. The recommendations are meant as a solid decision-making aid for identifying fraudulent messages.
- The (potentially) fraudulent messages used are either taken directly from fraudulent messages that were in circulation or based on such messages.
- The dangerous web addresses used serve only as examples. In individual cases the who-areas (domains) shown may have been registered by the imitated company itself in order to prevent fraud attempts, or by individuals or companies who have no intention of committing fraud.
Publications
- Better Together: The Interplay Between a Phishing Awareness Video and a Link-centric Phishing Support Tool. Berens, B.; Schaub, F.; Mossano, M.; Volkamer, M. 2024. Conference on Human Factors in Computing Systems (CHI 2024), Honolulu, Hawai'i, USA, May 11–16, 2024.
- Taking 5 minutes protects you for 5 months: Evaluating an anti-phishing awareness video. Berens, B. M.; Mossano, M.; Volkamer, M. 2024. Computers & Security, 137, Art. No. 103620. doi:10.1016/j.cose.2023.103620
- The Phishing Master Anti-Phishing Game. Dietmann, H.; Länge, T.; Matheis, P.; Pawelek, A. A.; Berens, B.; Mossano, M.; Veit, M.; Mayer, P.; Volkamer, M. 2022. Annual Computer Security Applications Conference (ACSAC 2022), Austin, TX, USA, December 5–9, 2022.
- Phishing awareness and education – When to best remind? Berens, B. M.; Dimitrova, K.; Mossano, M.; Volkamer, M. 2022. Symposium on Usable Security and Privacy (USEC), San Diego, CA, April 23, 2022.
- NoPhish-Challenge-Karten – Evaluation in der Praxis. Aldag, L.; Berens, B.; Burgdorf, M.; Lorenz, A.; Thiery, M.-C.; Volkamer, M. 2021. Datenschutz und Datensicherheit - DuD, 45 (11), 721–726. doi:10.1007/s11623-021-1523-1
- Evaluation der interaktiven NoPhish Präsenzschulung. Berens, B.; Aldag, L.; Volkamer, M. 2021. Mensch und Computer 2021 Workshopband.
- An investigation of phishing awareness and education over time: When and how to best remind users. Reinheimer, B. M.; Aldag, L.; Mayer, P.; Mossano, M.; Düzgün, R.; Lofthouse, B.; von Landesberger, T.; Volkamer, M. 2020. Proceedings of the Sixteenth Symposium on Usable Privacy and Security (SOUPS), 259–284, USENIX Association.
- Erklärvideo "Online-Betrug" – Nach nur fünf Minuten Phishing E-Mails nachweislich signifikant besser erkennen. Volkamer, M.; Renaud, K.; Reinheimer, B.; Rack, P.; Ghiglieri, M.; Gerber, N.; Mayer, P.; Kunz, A. 2019. IT-Sicherheit als Voraussetzung für eine erfolgreiche Digitalisierung: Tagungsband zum 16. Deutschen IT-Sicherheitskongress, 307–318, SecuMedia Verlag, Gau-Algesheim.
- Phishing Detection: Developing and Evaluating a Five Minutes Security Awareness Video. Volkamer, M.; Renaud, K.; Reinheimer, B. M.; Rack, P.; Ghiglieri, M.; Mayer, P.; Kunz, A.; Gerber, N. 2018. Trust, Privacy and Security in Digital Business - 15th International Conference (TrustBus 2018), Regensburg, Germany, September 5–6, 2018. Ed.: S. Furnell, 119–134, Springer, Cham.
- Don't be Deceived: The Message Might be Fake. Neumann, S.; Reinheimer, B.; Volkamer, M. 2017. Trust, Privacy and Security in Digital Business - 14th International Conference (TrustBus 2017), Lyon, France, August 30–31, 2017, 199–214, Springer, Cham.
- NoPhish: Evaluation of a web application that teaches people being aware of phishing attacks. Kunz, A.; Volkamer, M.; Stockhardt, S.; Palberg, S.; Lottermann, T.; Piegert, E. 2016. 46. Jahrestagung der Gesellschaft für Informatik - INFORMATIK 2016, Klagenfurt, Austria, September 26–30, 2016, 509–518, Gesellschaft für Informatik, Bonn.
- Über die Wirksamkeit von Anti-Phishing-Training. Stockhardt, S.; Reinheimer, B.; Volkamer, M. 2015. Mensch und Computer 2015 Workshopband. Ed.: A. Weisbecker, 647–655, Oldenbourg Wissenschaftsverlag, Stuttgart.
- Teaching Phishing-Security: Which Way is Best? Stockhardt, S.; Reinheimer, B.; Volkamer, M.; Mayer, P.; Kunz, A.; Rack, P.; Lehmann, D. 2016. 31st International Conference on ICT Systems Security and Privacy Protection - IFIP SEC 2016, Ghent, Belgium, May 30–June 1, 2016, 135–149, Springer, Cham.
- Learn To Spot Phishing URLs with the Android NoPhish App. Canova, G.; Volkamer, M.; Bergmann, C.; Borza, R.; Reinheimer, B.; Stockhardt, S.; Tenberg, R. 2015. Information Security Education Across the Curriculum: 9th IFIP WG 11.8 World Conference, WISE 9, Hamburg, Germany, May 26–28, 2015, Proceedings, 87–100, Springer, Cham.
- NoPhish App Evaluation: Lab and Retention Study. Canova, G.; Volkamer, M.; Bergmann, C.; Reinheimer, B. 2015. NDSS Workshop on Usable Security (USEC), San Diego, California, February 8–11, 2015, 10 pp., Internet Society, Reston, VA.
- NoPhish: An Anti-Phishing Education App. Canova, G.; Volkamer, M.; Bergmann, C.; Borza, R. 2014. Security and Trust Management - 10th International Workshop (STM 2014), Wrocław, Poland, September 10–11, 2014, Proceedings, 188–192, Springer International Publishing, Cham.
Additional Tools
There are tools that make it easier to review links before you open them:
- TORPEDO - extension for the Thunderbird e-mail client that helps you identify dangerous links in e-mails.
- QR-Code Scanner App - Android app for scanning QR codes with your smartphone. If the QR code contains a URL, the web site is not opened directly; instead the URL is shown to you first so you can review it.
Current reference users and organizations that refer to our material (53)
Authorities/institutions
- Bundeskanzleramt
- Bundesverwaltungsamt
- Bundesamt für Sicherheit in der Informationstechnik (BSI)
- United Nations African Union Mission in Darfur (UNAMID)
- Polizeipräsidium Einsatz in Baden-Württemberg
- Polizeipräsidium Südhessen
- Landesamt für Geoinformation und Landesvermessung Niedersachsen (LGLN)
- Verbraucherzentrale NRW e.V.
- Artilleriebataillon 295 der Bundeswehr
- Stadt Dessau-Roßlau
- Stadt Hamm
- Landkreis Marburg-Biedenkopf
- Stadtwerke Jena
- Amt für Gemeindedienst in der Evang.-Luth. Kirche in Bayern
- Landeshauptstadt Stuttgart
- Stadt Elmshorn
- Evangelische Landeskirche in Württemberg
- Stadtverwaltung Neuwied
- Landesverwaltungsamt Sachsen-Anhalt
- Justiz Niedersachsen
Higher education institutions
- Karlsruher Institut für Technologie
- Eberhard Karls Universität Tübingen
- Ruhr-Universität Bochum
- Informations- und Mediendienste (ZIM) der Universität Duisburg-Essen
- Hochschule Koblenz
- Universität Kassel
- Universität Würzburg
- Technische Universität Braunschweig
- Hochschule Konstanz (HTWG)
- Fernuniversität Hagen
- Hochschule Worms
- Universität Bamberg
- Universität Mannheim
- FH Münster
- Universität Freiburg
- Universität zu Köln
- Pädagogische Hochschule Karlsruhe
- Technische Universität Darmstadt
- TU Dortmund
- Europa-Universität Viadrina
- Bergische Universität Wuppertal
- Universität Jena
Companies
- Berliner Verkehrsbetriebe
- ASAP Holding GmbH
- HEAG
- MARKANT Handels- und Industriewaren-Vermittlungs AG
- eligo
- Könitz Porzellan GmbH
- Lemo Maschinenbau GmbH
- AVW Unternehmensgruppe
- Bayern1 Radio
- Welivesecurity by ESET
- dvs.net IT-Service GmbH