

Can a breezy online game help prevent phishing?

Posted at 8:12 AM on October 17, 2007 by Jon Gordon (0 Comments)

Lorrie Faith Cranor says experts have done a poor job teaching Internet users how to defend themselves against the kind of Internet fraud known as phishing (that's when scammers use email to lure you to a spoofed Web site that imitates a legitimate one - typically a bank or credit card company - in order to harvest your account or card number).

Cranor, associate research professor at Carnegie Mellon University, has developed a simple online game, Anti-Phishing Phil, that teaches players how to tell a legitimate Web site address from a fraudulent one.

In the game, players control a swimming ocean fish that encounters bait. As the fish approaches the bait, a URL appears, and the player has to decide whether the address belongs to a site designed to steal their money.

Following is wavLength's interview with Cranor:

CRANOR: Some of them (phishers) do something very simple. They use a URL that looks nothing like the address of the real site. And so they may send you an email that says they're Citibank but the address they give you might be "fraudster.com" or something like that. And so the first thing the game teaches you is pay attention to the address because some of them are really easy to spot if you just know to look.

Then we have fraudsters who try to be much more clever. And so they will try to come up with something that looks really similar to the actual address. So instead of saying "Citibank.com" they'll add an i-n-g on the end and they'll say "Citibanking.com." That's kind of subtle. You have to look at it carefully to spot that.

We also see people who will have a really long address. At the very end of the address you'll see the brand name you're looking for. So you'll see an address that might be "fraudster.com-slash-here-and-there-and-everywhere-and-AmericanExpress.com." What you don't realize is that the "American Express" you saw in there wasn't actually American Express's Web site. Really "fraudster.com" is the Web site. One of the things we show in the game is how you can figure out which part of the URL you should be looking at.

wavLength: But this isn't the only way in which people are fooled. I played the game and got fooled by one address, but I have a feeling if it were a real-life scenario there would have been other warning signs. Isn't that usually the case?

CRANOR: There are other things you can look for other than the address. We are working on developing other types of educational materials as well. The big message we talk about is: if you're not sure, don't click on a link in an email, and don't provide your personal information to somebody who contacted you via email. What you should do instead is go to the company through the way you normally go to the company - typing in the URL yourself, or calling the phone number that is on your bank statement or credit card. Contact them that way and see if there really is something you should be doing.

wavLength: One of the big warning signs is that even if phishers have a realistic-looking Web site, they ask you to do things that real banks and online merchants would never ask, right?

CRANOR: Yeah, they will make the message sound really urgent - 'If you don't take action immediately we will close your account.' Real banks don't do that sort of thing. And they will often ask you to provide all kinds of personal information that a real bank is not going to ask you to do via email. So you should really think carefully about whether this is something my bank would really ask me to do when you get that kind of message.
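The three tricks Cranor describes - an unrelated domain, a lookalike domain such as "Citibanking.com", and a long URL with the brand name buried after the real host - all come down to one question: which part of the URL is the site you are actually talking to? The following Python script is an added example written for this page, not code from Anti-Phishing Phil or from Carnegie Mellon. It isolates the registrable domain of a URL and reports where, if anywhere, a known brand name appears relative to that domain. The brand allowlist (`LEGIT_DOMAINS`), the sample URLs and the "last two labels" rule for the registrable domain are assumptions made for the example.

```python
"""Which part of a URL is the real site?  Added example, not part of the original post."""
from urllib.parse import urlsplit

# Constructed allowlist for this example: brand keyword -> domains the brand really uses.
# A real checker would need a maintained list; these two entries are assumptions.
LEGIT_DOMAINS = {
    "citibank": {"citibank.com"},
    "americanexpress": {"americanexpress.com"},
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'fraudster.com'.

    Simplifying assumption: this ignores multi-label public suffixes such as
    'co.uk'.  A production checker should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _normalise(text: str) -> str:
    """Lower-case and drop separators so 'American-Express.com' still matches 'americanexpress'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def classify_url(url: str) -> tuple[str, str]:
    """Classify a URL by where a known brand name sits relative to the real host.

    Returns (verdict, registrable_domain) with verdict one of:
      'legitimate'      - the registrable domain is on the brand's allowlist
      'lookalike'       - the registrable domain contains the brand but is not allowlisted
      'brand-elsewhere' - the brand appears only in subdomains, userinfo, path or query
      'no-brand'        - no known brand name anywhere in the URL
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds the host when a scheme is present
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)

    # Everything that is NOT the registrable domain: leading subdomain labels,
    # any user@ prefix, and the path/query/fragment after the host.
    elsewhere = _normalise(
        host[: len(host) - len(domain)]
        + (parts.username or "")
        + parts.path
        + parts.query
        + parts.fragment
    )

    for domains in LEGIT_DOMAINS.values():
        if domain in domains:
            return "legitimate", domain
    for brand in LEGIT_DOMAINS:
        if brand in _normalise(domain):
            return "lookalike", domain
    for brand in LEGIT_DOMAINS:
        if brand in elsewhere:
            return "brand-elsewhere", domain
    return "no-brand", domain


if __name__ == "__main__":
    # Constructed sample URLs modelled on the tricks described in the interview.
    samples = [
        "http://www.citibank.com/login",
        "Citibanking.com",
        "fraudster.com/here-and-there-and-everywhere/AmericanExpress.com",
        "http://americanexpress.com.fraudster.com/",
        "http://americanexpress.com@fraudster.com/",
        "http://fraudster.com/",
    ]
    for sample in samples:
        verdict, domain = classify_url(sample)
        print(f"{verdict:16} real site = {domain:20} {sample}")
```

The order of the checks matters: the allowlist is consulted first so that "www.citibank.com" is not mistaken for a lookalike of itself, and the "brand-elsewhere" test only runs once the registrable domain has been ruled out, which is exactly the "look at the right part of the URL" lesson the game teaches. Note that a verdict of "no-brand" is not a clean bill of health; it only means the URL does not impersonate one of the listed brands.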
