Phishing attacks exploit human vulnerabilities. They play on our feelings of greed, our instinct to help others, or our need to protect what we have. Phishers often use the same social engineering strategies that con artists have used in the ofﬂine world for generations. And despite years of consumer education efforts, users continue to be scammed by ofﬂine con artists. In fact, in the ﬁrst half of 2005, victims of telemarketing scams lost an average of $4100 – more than double the average loss in 2004 . The continued “success” of con artists in the ofﬂine environment demonstrates the effectiveness of social engineering in manipulating human judgment. Relying on human judgment to combat phishing attacks – which are often social engineering attacks – is a curious choice. But that is exactly what has happened. In many anti-phishing schemes, users are responsible for detecting and avoiding phishing sites.