Phishing emails usually contain a message from a credible looking source requesting a user to click a link to a website where she/he is asked to enter a password or other conﬁdential information. Most phishing emails aim at withdrawing money from ﬁnancial institutions or getting access to private information. Phishing has increased enormously over the last years and is a serious threat to global security and economy. There are a number of possible countermeasures to phishing. These range from communication-oriented approaches like authentication protocols over blacklisting to content-based ﬁltering approaches.
We argue that the ﬁrst two approaches are currently not broadly implemented or exhibit deﬁcits. Therefore content-based phishing ﬁlters are
necessary and widely used to increase communication security. A number of features are extracted capturing the content and structural properties of the email. Subsequently a statistical classiﬁer is trained using these features on a training set of emails labeled as ham (legitimate), spam or phishing. This classiﬁer may then be applied to an email stream to estimate the classes of new incoming emails.
In this paper we describe a number of novel features that are particularly well-suited to identify phishing emails. These include statistical models for the low-dimensional descriptions of email topics, sequential analysis of email text and external links, the detection of embedded logos as well as indicators for hidden salting. Hidden salting is the intentional addition or distortion of content not perceivable by the reader. For empirical evaluation we have obtained a large realistic corpus of emails prelabeled as spam, phishing, and ham (legitimate). In experiments our methods outperform other published approaches for classifying phishing emails. We discuss the implications of these results for the practical application of this approach in the workﬂow of an email provider. Finally we describe a strategy how the ﬁlters may be updated and adapted to new types of phishing.