Phishing prevention: a multi-layered approach

Drury, Vincent Jakob; Meyer, Ulrike Michaela (Thesis advisor); Fahl, Sascha (Thesis advisor)

Aachen : RWTH Aachen University (2023)
Dissertation / PhD Thesis

Dissertation, RWTH Aachen University, 2023


Phishing attacks have been a relevant and ongoing threat for several decades, resulting in monetary loss for private users and serving as a first step in attacks on larger organizations. Despite decades of research into automated detection, education, and design interventions to prevent phishing attacks, current solutions fall short of providing adequate and general protection to users and businesses against the evolving threat. In particular, we identify research gaps in anti-phishing learning games, which currently lack personalization and mainly offer rather simple game mechanics; in the user interface (UI) design of email clients, which does not highlight the information that is relevant to phishing email detection; and in automated phishing website classification, where the focus is on detection after the attack has been executed instead of disrupting attacks before they reach potential victims. This thesis addresses these gaps and showcases the effectiveness of human-centered and technical phishing-prevention techniques based on a categorization of phishing URLs and a kill chain model, thus contributing to a multi-layered defense strategy in which each layer addresses different attacks. Our main contributions in the research area of anti-phishing education are the evaluation of baseline detection capabilities for a new categorization of phishing URLs, as well as the comparative evaluation of four new learning games in two user studies. The results of these user studies indicate which categories of URLs future educational interventions should focus on, and give insights into the effect of different game mechanics and personalization on the classification capabilities of users who played the learning games. We further demonstrate that accurately reflecting the diversity of phishing attacks and measuring service familiarity in user studies is essential to ensure representative results.
In the area of design interventions, we evaluate the effect of using Reverse Domain Name (RDN) notation for URLs and of changing the UI of email clients on the classification performance of untrained users. Both studies reveal advantages of the proposed changes over the baseline and motivate further studies of the interventions' effect on awareness outside of a lab setting. For automated phishing detection, we evaluate the detection of phishing websites on certificate transparency (CT) logs, which are publicly available stores of certificates. We show how data cleaning and class imbalance during training, as well as the inclusion of additional certificate information in the classification task, affect classification performance, resulting in classifiers whose false-positive rates approach the levels required for practical use in the real world. In all, our results exemplify the advantages and disadvantages of several broader approaches to phishing prevention, and demonstrate how combining these approaches can provide a more comprehensive defense than each of its parts taken by itself.
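To illustrate the RDN design intervention mentioned above, the following is an added example (not code from the thesis) that renders a URL with its host labels reversed, so that the top-level domain and registrable domain appear first and any brand-like labels further left are pushed to the end. The exact RDN rendering the thesis evaluated is not given in the abstract; the formatting below (reversed host, unchanged scheme, port, path and query) is an assumption, and the sample URLs are constructed for the demonstration.

```python
"""Render URLs in reverse domain name (RDN) notation.

Added example; the precise RDN format used in the thesis is assumed here:
host labels are reversed so the top-level domain comes first, while the
scheme, port, path and query of the URL are left untouched.
"""
import ipaddress
from urllib.parse import urlsplit


def rdn_host(host: str) -> str:
    """Reverse the labels of a DNS host name.

    IP-literal hosts have no label hierarchy, so they are returned unchanged
    (IPv6 literals get their brackets back for use in a URL).
    """
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return f"[{host}]" if ":" in host else host
    except ValueError:
        pass  # not an IP literal: a normal DNS name
    return ".".join(reversed(host.split(".")))


def to_rdn(url: str) -> str:
    """Return the URL with its host rendered in RDN notation."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"URL has no host: {url!r}")
    host = rdn_host(parts.hostname)
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    rest = parts.path or "/"
    if parts.query:
        rest += "?" + parts.query
    return f"{parts.scheme}://{host}{rest}"


# Constructed sample URLs (not taken from the thesis): a plain site, a host
# whose leftmost labels imitate a familiar service name while the registrable
# domain is something else entirely, and an IP-literal host with a port.
SAMPLE_URLS = [
    "https://www.example.com/login",
    "https://accounts.example-bank.com.some-host.example/verify?id=1",
    "http://192.0.2.10:8080/x",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url}\n  -> {to_rdn(url)}")
```

In the second sample the conventional rendering starts with `accounts.example-bank.com`, whereas the RDN rendering starts with `example.some-host`, which is the part of the host that actually determines who controls the page; that shift in what the reader sees first is the effect the design intervention targets.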


  • Department of Computer Science [120000]
  • Research Group IT-Security [123520]