After months of not falling for one, an “anti-phishing” training email that got sent out back in August got me at my University of Victoria email address. Here’s what I knew and why it still got me:
The email was from an external email address and mentioned that it was sent to the department assistants to be forwarded to the students. I have a filter set up to send emails from the department mailing list directly to a separate folder. This ended up in my Inbox. Strike number one.
I looked up the name of the person who sent the email at the UVic website (which was purported to be from someone in the Business faculty), and couldn’t find the person. That shouldn’t have gotten me either because I know that even associate professors who prefer to use their non @uvic email addresses with students during their courses have a UVic email address and are listed in the directory. Strike two.
Worst of all, I got complacent. I am married to an SRE (site reliability engineer) and I know what not to do. I still clicked on the link to the “secure” form because I thought that it was safe enough because he’s got our home network pretty well protected with enterprise-level hardware and he’s risk-averse to hell and back. Imagine my surprise and dismay when I clicked on the link only to be directed to a webpage which informed me that I had fallen for their trap. And that’s me out on 3 strikes.
It doesn’t have to be this way, though. In their 2018 review of conventional versus automated cybersecurity anti-phishing techniques, Qabajeh et al. wrote about a researcher named Dr. Nalin Asanka Gamagedara Arachchilage who back in 2011 developed a video game with Melissa Cole with the aim of teaching users how to determine which links are real and which are phishing traps through the metaphor of simulated fish in a simulated pond:
The game is based on a scenario of a character of a small fish and ‘his’ teacher who live in a big pond. The main character of the game is the small fish, who wants to eat worms to become a big fish. However he should be careful of phishers those who try to trick him with fake worms. This represents phishing attacks by developing threat perception. Each worm is associated with a website address, so called Unified Resource Locator (URL) which appears as a dialog box. The small fish’s job is to eat all the real worms which associate legitimate website addresses and reject fake worms which associate with fake web site addresses before the time is up. This attempts to develop the severity and susceptibility of the phishing threat in the game design.(Arachchilage & Cole, 2011)
Since then, Arachchilage has not rested on his laurels regarding the use of the theory and framework of game development to improve the use of security and privacy tools by the average Internet user. As a lecturer at the School of Computer Science at the University of Auckland in New Zealand, he has turned his game-making eye towards tools for detecting fake news and improving coding behaviour in software developers. Unfortunately, as far as I can tell, he has not yet approached an indie studio to help develop his frameworks and ideas into actual video games that can be purchased through a place like GoG, Humble Bundle, or Steam.
So here’s the actual moral of the story, my friends: Do not get complacent when it comes to the skills you’ve learned to keep yourself safe, both on the Internet and in the real world.