Anti-phishing training for children works, but not for long

Children trained to recognize ‘phishing’ are better able to distinguish real emails and websites from fake ones. But after a few weeks, they are back at their pre-training level. Cybersecurity awareness should be a structural element in education, University of Twente researchers say.

Young children largely teach themselves when it comes to using the internet on their smartphones and tablets. Of course, the question then arises whether they also learn to recognize the downsides of being active online. Especially for the age group of 8 to 13 years, the UT researchers developed a test and a training around ‘phishing’: emails and websites that look official, but ask for private data. Discussions among 353 pupils at six schools in the Netherlands showed that every school class has a pupil who knows of a relative who fell victim to phishing, for example by losing money this way. Some of the pupils have seen the special TV advertising campaign warning against phishing.

Eye-opener for teachers

The test shows a mediocre score: children don’t recognize more than six out of ten phishing examples. After a dedicated training, they become more aware and the recognition percentage goes up by 14 percent. The children learn to check the email and web addresses and to read the text critically. For their teachers, the test was an eye-opener as well, especially the quick way to check whether an email or web address is suspect. Apart from that, pupils learned to look for signals like exaggerated urgency (‘if you don’t respond immediately, then…’).

Although the children who did the test perform better directly after the training, after four weeks they seem to be back at the pre-training level. The knowledge acquired is not all gone: they still perform better in recognizing real emails. But clearly, the training needs some sort of follow-up, especially because phishing techniques get smarter every day and can also appear in the online games children play. Attention to phishing can be part of a structured school programme on online awareness, including topics like privacy and cyberbullying. Universities and IT security companies could play an active role in this, like in the ‘Safe and Secure Online’ initiative.

The paper ‘How effective is anti-phishing training for children?’ by Elmer Lastdrager, Inés Carvajal Gallardo, Pieter Hartel and Marianne Junger, was presented at the Symposium on Usable Privacy and Security (SOUPS2017) in Santa Clara. The paper won the Distinguished Paper Award there.

Wiebe van der Veen
Press relations