1. Introduction
A phishing attack is typically carried out using an email or an instant message, in an attempt to lure recipients to a fake web site where they disclose personal credentials. To defend against phishing attacks, a number of countermeasures have been proposed and developed. Server-side defenses employ SSL certificates, user-selected site images, and other security indicators to help users verify the legitimacy of web sites. Client-side defenses equip web browsers with automatic phishing detection features or add-ons that warn users away from suspected phishing sites. However, recent usability studies have demonstrated that neither server-side security indicators nor client-side toolbars and warnings are successful in preventing vulnerable users from being deceived [6], [21], [23], [26], [28]. This is mainly because (1) phishers can convincingly imitate the appearance of legitimate web sites, (2) users tend to ignore security indicators or warnings, and (3) users do not necessarily interpret security cues appropriately. Educational defenses [12], [16], [24] and takedown defenses [13], [18], [39] have also been studied. However, these defenses cannot completely foil phishing attacks and will take a long time to become effective on a large scale.