Train Employees on Anti-Phishing with Anti-Phishing Phil

If your network contains all the standard security precautions, outsiders hacking into your network isn't the problem. As the famous quotation from the comic strip Pogo says, "We've met the enemy, he is us."

Techies and security experts have a technical term to describe the action of attempting to con a person into revealing confidential information -- social engineering. This isn't limited to the user taking action on a computer network. A delivery person could walk in and access company confidential information or someone could call a user claiming to be tech support and request the user's sign in information.

The most effective tool in battling the effects of social engineering is education. This especially applies to phishing scams because phishers count on users to give away information without bothering to check the site or source's credentials.

Enter training programs like Anti-Phishing Phil. These programs aim to educate employees about phishing and what to do to avoid being hooked into the scam.

Anti-Phishing Phil takes a different and much-needed approach to user education -- through a game. How many business courses have you taken that were fun and engaging?

The game has impressive backing as its developers include members of Carnegie Mellon University Usable Privacy and Security Laboratory, with funding from the US National Science Foundation (Cyber Trust initiative) and ARO/CyLab.

Wombat Security Technologies is commercializing the game. The company can customize Phil to integrate a company's name, URL and brand. The game's claim is that it only takes 10 minutes for employees and customers to learn the basics of recognizing phishing attacks with Phil's help. Companies can deploy Phil on the intranet.

The game requires running on any web browser with Flash 8 installed. It also works in Flash 9 in Firefox, and usually Internet Explorer 7. If the game doesn't work right with IE7, upgrade Flash.

You play Phil, a young fish swimming in Interweb Bay. Phish Guru (or Father, depending which edition you play) teaches you how to find food and duck dangers around InterWeb Bay. Use the mouse to move around the bay hunting for worms to eat. Before you can eat the worm, you must decide whether to eat it or reject it based on its URL. Press "E" to eat or "R" to reject.

You earn points for eating healthy worms and avoiding the bad ones. If you're not sure about a URL, press the "T" key so Phish Guru will teach you. The site uses URLs of well-known sites such as eBay, Amazon, National Geographic, banks, and so on. Of course, a URL isn't always a simple as www.nationalgeographic.com -- it could be www3.nationalgeographic.com (it's edible).

After finishing round one, Phish Guru teaches a lesson. Lessons cover URLs having several parts and whether Wombankonline.com and wombank.com are legitimate. Plenty of valid URLs go beyond the www.url.com address or use a variation like the Wombank example. These lessons show how you can figure out which one is legitimate -- if not both.