Can you catch a phish?

Written by John P Mello Jr on December 9, 2010

If you’re looking for a free and fun way to train people in your organization about avoiding phishing attacks, you might want to point them at the Phishing Game.

The game was developed by PhishMe, a maker of security training software, and is being offered as a public service to consumers shopping on the Internet for the holidays. That doesn’t mean, though, that the game lacks merit for anyone interested in picking up some pointers on identifying and avoiding phishing attacks.

Before you start playing the game, you’re asked for some basic information about yourself: age, gender (which includes an “I’m not sure” option), computer knowledge (basic Internet user, set up a home network or IT professional) and phishing experience (never heard about it, heard about it, received some and know a victim of it). You don’t have to provide PhishMe with any information, though, to play the game.

The game board resembles the one on the TV show Jeopardy. There are categories across the top of the board–Phishing Basics, URL Dissection and Test Your Knowledge. Under each category are three questions worth 100, 200 or 300 points.

So for 100 points under Phishing Basics you’re asked if the statement “Anti-virus software and firewalls protect against Phishing” is true or false. Under URL Dissection for 200 points, you’re given three URLs (http://64.22.108.26/login.php, http://0x40166c1a/login.php and https://0100.026.0154.032/login.php) and asked which is the safest. And for 300 points under Test Your Knowledge, you’re given a sample email and asked if it is legitimate, a likely phishing message because it does not use HTTPS, or a likely phish because it describes an unlikely scenario.

Whether you answer a question right or wrong, the game tells you what you needed to know to answer the question correctly. For example, under URL Dissection for 100 points, you’re given a URL (http://google.com.search.freedomains.org/safebank.com) and asked where it’s going to: google.com, freedomains.org or safebank.com. Regardless of your answer, after you make a choice the game tells you, “The domain is at the last part of the URL.”
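The two URL Dissection questions above are really about two parsing rules: a numeric host can be written in decimal, hexadecimal or octal and still point at the same address, and the owner of a hostname is identified by its last labels, not its first. The following Python script is an added example written for this article, not PhishMe’s code; it decodes the three numeric hosts from the 200-point question into one canonical address and pulls the registrable domain out of the 100-point question’s hostname. The two-label rule in `registrable_domain` is a deliberate simplification (real tooling consults the Public Suffix List so that names under suffixes like co.uk are handled), and the URLs in `SAMPLE_URLS` are the ones the article quotes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The four URLs the article quotes from the game's URL Dissection category.
SAMPLE_URLS = [
    "http://64.22.108.26/login.php",
    "http://0x40166c1a/login.php",
    "https://0100.026.0154.032/login.php",
    "http://google.com.search.freedomains.org/safebank.com",
]


def _parse_component(token: str) -> int:
    """Parse one dotted-address component the way legacy inet_aton() does:
    a 0x prefix means hexadecimal, a leading 0 means octal, else decimal."""
    if token.lower().startswith("0x"):
        return int(token[2:], 16)
    if len(token) > 1 and token.startswith("0"):
        return int(token, 8)
    return int(token, 10)


def decode_numeric_host(host: str):
    """Return the canonical dotted-decimal IPv4 address for a host written in
    decimal, hex, octal or mixed notation (inet_aton() rules), or None when
    the host is not a numeric address at all."""
    if not re.fullmatch(r"[0-9a-fA-FxX.]+", host):
        return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:  # e.g. "cafe" passes the regex but is not a number
        return None
    *head, tail = values
    if any(not 0 <= v <= 255 for v in head):
        return None
    # inet_aton(): the last component fills all remaining bytes, so
    # "0x40166c1a" is one 32-bit value and "1.2.3.4" is four 8-bit values.
    tail_bits = 8 * (5 - len(parts))
    if not 0 <= tail < (1 << tail_bits):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << tail_bits) | tail
    return str(ipaddress.IPv4Address(number))


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that identifies its owner.
    Assumption: a simple two-label rule (example.org). Production code should
    use the Public Suffix List so that example.co.uk is not cut to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dissect(url: str) -> dict:
    """Summarise where a URL actually leads: the scheme, the raw host, the
    decoded IP address if the host is numeric, and the effective destination
    (decoded IP or registrable domain) a user should judge the link by."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    ip = decode_numeric_host(host)
    return {
        "url": url,
        "scheme": parts.scheme,
        "host": host,
        "numeric_ip": ip,
        "destination": ip if ip else registrable_domain(host),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        d = dissect(u)
        print(f"{u}\n  host={d['host']!r} -> destination={d['destination']}")
```

Run as a script, the three numeric URLs all report the same destination address, which is the point of the game’s question: the notation differs but the host does not, and neither HTTPS nor a familiar-looking prefix changes where the link goes.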

Although the game has a short play life–it doesn’t take long to memorize all the right answers–it does provide some valuable basics about recognizing phishing attacks.

The free phishing game offering is just a taste of PhishMe’s enterprise edition. With the company version, administrators can flood their systems with mock phishing attacks. Users duped by the attacks can then be identified and be targeted for additional training so they’re not fooled when the real thing reaches their mailboxes.

Since the holiday season is prime time for phishers angling for guppies, PhishMe decided that it was the perfect opportunity to create a free offering of its training software for consumers.

“There is a crass saying in the security industry that you ‘can’t fix stupid,’ meaning that uninformed employees will always put your organization at risk,” PhishMe CEO Rohyt Belani said in a statement.

“At PhishMe we not only disagree with this sentiment, we have made it our mission to help companies educate and train their employees, so that they can minimize the risk of their company falling prey to these user-oriented attacks,” he continued. “We are launching a free version of the PhishMe Consumer Edition games during the peak Internet shopping period to help consumers at home or while they are at work.”

Belani urged organizations to educate their workers about online scams and suggested these tips to fine-tune their employees’ phishing antennae.

  • Don’t take candy from strangers. Be suspicious of unsolicited offers or emails, even if the email is personalized to you.
  • If it seems uncharacteristic, check with the source. Phishers are getting smarter about using known contacts or corporate brands to trick people into sharing information or clicking links, as a recent “spear phishing” campaign targeting email service providers illustrates.
  • Don’t provide your username or password in an email or over the phone. Your corporate IT department, as well as most reputable companies, will NEVER ask you for this information through these channels.
  • Don’t click links you don’t understand, unless you want to lose company data or worse yet, your identity.
  • Confirm the source of file attachments to emails before opening them. File attachments are one of the most reliable mechanisms for propagating malware and other things that go bump inside your computer.

About John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.