Pittsburgh-based Wombat Security develops phishing solutions for the government and beyond.
Despite the latest software and educational initiatives, phishing attacks continue to intensify. Gartner Inc., an IT research company in Stamford, Conn., estimates these attacks cost Americans $3 billion a year. In a recent survey, Gartner also discovered that 3.6 million adults lost money to phishing between September 2006 and August 2007, compared to 2.3 million the previous year.
The latest wave of attacks, known as spear phishing, sends phishing emails that appear legitimate to some or all employees or members within an organization. While traditional phishing scammers want to steal information from individuals, spear phishers want access into an organization's entire computer system.
"This form of electronic espionage is more difficult to quantify and is worse than regular phishing attacks," says Dr. Norman Sadeh, CEO, chairman, and co-founder of Pittsburgh-based Wombat Security Technologies. "It creates an even bigger problem because it can result in the leakage of extremely sensitive corporate or government data."
One strategy for combating phishing is through education. Typically, organizations post messages on their site or email employees warnings about phishing. Studies have repeatedly shown that this method is ineffective.
"These attacks have become increasingly worse and the traditional security solutions are not working well," he says. "No one reads these messages, and even if they do, users are unlikely to apply that knowledge. When you're reading a phishing email, you're in a completely different frame of mind. Whatever you've learned from these out-of-context materials is not going to be very relevant because your brain is unable to activate that knowledge at the right time."
That prompted Sadeh, along with his two co-founders, Dr. Jason Hong, and Dr. Lorrie Cranor, to develop a novel training technology to prevent further phishing attacks. Their company, founded to commercialize products originally developed at Carnegie Mellon University (CMU) as part of one of the largest anti-phishing research projects in the country, created several different types of training products.
"We've used principles from learning science to develop training materials that are much more efficient and effective," Sadeh explains. "One basic idea of learning science is that if you really want to train someone, you don't describe things in the abstract. You try to create situations that are representative of the context in which users are expected to apply their training."
One of Wombat's solutions is an online training game, Anti-Phishing Phil™, which teaches users how to identify phishing URLs and explains the dangers of phishing.
"It's fun and people love to play games," says Sadeh. "The chances of people paying attention are much higher than the chance of someone reading the training material posted on company Web sites. We're much more successful at getting people to pay attention and much more effective in getting them to remember what they learned."
The software has become such a hit that the U.S. State Department recently purchased the training game to protect its over 55,000 employees.
"We're very pleased," says Sadeh. "This is a big deal. The State Department is going to employ the technology worldwide."
Another solution from Wombat is PhishPatrol™, a phishing email filter that uses advanced machine learning techniques to catch phishing emails. This product is a plug-in that users can add to existing filters.
"Many vendors who sell spam filters claim that their filters also catch phishing emails," says Sadeh. "While they do catch some, they also let a large number go through. They'll also send some legitimate emails to your junk folder, so the user still has to sort through the emails to decide which ones are bad. Our family of filters is specifically geared to catching phishing emails. We have a very high success rate, and we won't filter out something that isn't a bad email, and that's the difference."
A third solution is PhishGuru™, an anti-phishing training and assessment tool that allows organizations to send simulated phishing messages to employees.
"We've been successful with this embedded training solution," says Sadeh. "We'll send you fake phishing emails in your inbox. If you recognize these as phishing emails and don't click on the link, then good, you're trained and don't need any additional training. But if you do click on these links, we're going to train you, and show you what you should have noticed, and why you shouldn't have clicked on the link."
That's what learning science refers to as a teachable moment.
"This is the very point in time when you should be able to apply that knowledge," says Sadeh. "That's the best possible moment to teach you not to fall for these attacks. Our studies have shown that when you train people in this manner, you reduce by about two-thirds the chance that they'll fall for these types of attacks again."
Sadeh credits his company's initial success to Idea Foundry, a Pittsburgh non-profit that supplies resources to start-ups in Western Pennsylvania. Wombat received seed money and advisory services through a fellowship, which usually includes $100,000 in cash and up to $75,000 in services.
"We had access to a team of experts who are working with early start-ups to help identify ways of getting as much traction as possible, provide us with additional resources, and identify people who are going to help us fill gaps in our organization," says Sadeh. "Just as important is the advice we received from their CEO, Michael Matesic. He has worked with so many start-ups and is well connected."
Sadeh says that the funding and the services have helped to fuel the company's growth.
"The cash allowed us to be aggressive in packaging our solutions, enabled us to have office space, and hire someone to help us market the product," he says. "All of these things wouldn't have been possible without the support of Idea Foundry. They have been a tremendous help and are extremely effective."