Fighting Phishing with Trusted Email

Abstract

Phishing is the combination of social engineering and technical exploits designed to convince a victim to provide personal information, usually for the monetary gain of the attacker (phisher). Attempts to stop phishing by preventing a user from interacting with a malicious web site have shown to be ineffective. We introduce a method to aid in the prevention of phishing by combining automatic and transparent email signing with an email client plugin. The plugin can detect unsigned spoofed messages. In this manner, the user is prevented (or at least discouraged) from visiting malicious web sites, thus stopping the data-gathering phase of the phishing attack before it begins. We describe the system, implementation, weaknesses, and our ongoing user experiments.