Associate Professor of Information, University of Wisconsin, Madison
How people detect phishing. Using email in the presence of adversaries.
Rick Wash is an expert on the human aspects of cybersecurity. He is an Associate Professor in the Information School at the University of Wisconsin–Madison.
He studies how people think about their interactions with modern technology, with an emphasis on the work people do to protect themselves from risks associated with using information technology and the Internet.
His research has won the Impact Award at SOUPS for significant long-term impact on usable security and privacy research and practice, a Google Security and Privacy Research Award, and an NSF CAREER Award. His work is supported by over $2 million from the US National Science Foundation. He was previously a professor at Michigan State University, and he completed his PhD at the School of Information at the University of Michigan.
Stopping phishing is hard, and needs both technical and human-centered solutions. Despite spending millions on anti-phishing training, we still don’t know: How do people detect that an email in their inbox is a phishing message? And how can we help them do it better? I will describe how individuals currently attempt to figure out when an email in their inbox is fraudulent. By comparing how security experts (successfully) detect phishing with how non-experts try to do so, I try to identify better ways to focus our phishing training.
I will describe how IT experts detect phishing emails in their own inboxes by noticing “weird” things about an email, slowly becoming uncomfortable, and only then following their own advice to investigate the email and determine whether it is real. Then I will describe how non-experts use experience with legitimate emails to accomplish similar goals, and the important role that knowledge of prior phishing incidents plays. Finally, I will discuss how this human work integrates with and complements the ways that computers are used to detect phishing, and provide advice on better ways to train people to detect phishing.