I. Introduction
One of the most severe and challenging threats to Internet security is phishing, which uses spoofed websites to steal users' passwords and online identities. To defend against phishing attacks, researchers have proposed various blacklist-based, heuristics-based, and whitelist-based solutions (Section VI); organizations and communities such as APWG [39] and PhishTank [42] have provided phishing reporting and verification services; and many vendors have also provided secure browsing systems such as Google Safe Browsing, Microsoft SmartScreen Filter, McAfee SiteAdvisor, and Norton Safe Web. However, phishing attacks have also been evolving quickly to evade detection and defense [43], and the battle between phishers and defenders will be long-standing.