Write review about this article with references in APA format
In their 2018 Internet Security Threat Report, Symantec (2018) states that "Spear phishing is the number one infection vector employed by 71 percent of organized groups in 2017.
Spear phishing relies on duping the recipient into opening an attachment or following a malicious link and its popularity illustrates how often the person sitting behind a computer can be the weakest link in an organization's security."
This is one of the many reasons that both Ifinedo (2014) and Dodge Jr. et al. (2007) have also asserted that users are the weakest link in IS security. Harrison et al. (2015) found that training to increase users' attention to phishing was not effective because it tended to make users more suspicious of all emails temporarily and more likely to categorize both real and fake emails as phishing. They concluded that a better approach was to teach users to pay attention to a few key elements in the message, such as knowing where to find the actual sender's address and noting red flags like hyperlinks.
On a more technological level, though, the research by Chuchra & Seth (2015) may prove interesting. They detailed an innovative approach for storing passwords. In their process, the password is hashed and then used as a key to encrypt an image selected by the user. This encrypted image is what is stored. The benefits outlined by Chuchra & Seth (2015) were that the stored image eliminated many database attacks, such as SQL Injection.
However, I think this could also help with phishing attempts. Man-in-the-middle attacks would be more difficult, but still be successful. In this scenario, the adversary would have to build their fake login page dynamically to present the user with the images provided by the real site so that the user could pick the correct image.
This would stop an offline attack because it would require the adversary to know not only the password, but the image to be decrypted. About the only real way I can see to resolve the "Mafia owned ISP" scenario is to ensure all communications are handled through a secure channel in which a trusted certificate authority is used. The best advice one can give a user with respect to phishing is "Be serious! Be alert! Your adversary the Devil is prowling around like a roaring lion, looking for anyone he can devour." (1 Peter 5:8, HCSB) Unless you're absolutely sure with whom you are communicating, it must be treated with suspicion and the responses must be provided with an abundance of caution.
Sources:
Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79.
Dodge Jr., R, Carver, C., & Ferguson, A. (2007). Phishing for user security awareness. Computers & Security, 26(1), 73-80.
Chuchra, R. & Seth, R. K. (2015). Modeling Implementation of TSEA - Three Step Encryption Algorithm for Enhancing Password Security.
International Journal of Computer Applications, 126(13), 1-6. DOI: 10.5120/ijca2015905879 Harrison, B., Svetieva, E., & Vishwanath, A. (2015).
Individual processing of phishing emails: How attention and elaboration protect against phishing. Online Information Review, 40(2), 265-281. DOI: 10.1108/OIR-04-2015-0106 Internet Security Threat Report. Vol. 23. (2018). Symantec.