ABSTRACT
Many popular web browsers now include active phishing warnings, after previous research showed that passive warnings are often ignored. In this laboratory study we examine the effectiveness of these warnings and whether, how, and why they fail users. We simulated a spear phishing attack to expose users to browser warnings. We found that 97% of our sixty participants fell for at least one of the phishing messages that we sent them. However, we also found that when presented with the active warnings, 79% of participants heeded them, which was not the case for the passive warning that we tested, where only one participant heeded the warning. Using a model from the warning sciences, we analyze how users perceive warning messages and offer suggestions for creating more effective warning messages within the phishing context.
Supplemental material: slides from the presentation of "You've been warned: an empirical study of the effectiveness of web browser phishing warnings".