Abstract
Phishing is considered one of the most serious threats to the Internet and e-commerce. Phishing attacks abuse trust with the help of deceptive e-mails, fraudulent web sites and malware. To prevent phishing attacks, some organizations have implemented Internet browser toolbars for identifying deceptive activities. However, the usability and user interfaces of these toolbars vary. Some of the toolbars have obvious usability problems, which can ultimately affect their performance. Usability evaluation is therefore indispensable for future improvement. We discuss the usability of five typical anti-phishing toolbars: the built-in phishing prevention of Internet Explorer 7.0, the Google toolbar, the Netcraft Anti-phishing toolbar, SpoofGuard and, in addition, an Internet Explorer plug-in we have developed, Anti-phishing IEPlug. Our hypothesis was that the usability of anti-phishing toolbars, and as a consequence also their security, could be improved. Indeed, the heuristic usability evaluation found a number of usability issues. In this article, we describe the anti-phishing toolbars, discuss our approach to evaluating anti-phishing toolbar usability and present our findings. Finally, we propose advice for improving the usability of anti-phishing toolbars, covering three key components of client-side anti-phishing applications: the main user interface, critical warnings and the help system. For example, we found that the main user interface must keep the user informed and organize settings according to sound usability design. All critical warnings an anti-phishing toolbar shows should be well designed. Furthermore, the help system should be built to help users learn about phishing prevention and how to identify fraud attempts by themselves. One result of our research is also a classification of anti-phishing toolbar applications.
References
Anti-Phishing Working Group (APWG): Phishing Attack Trends Report—March 2006 (2006). http://www.antiphishing.org/reports/apwg_report_mar_06.pdf. Cited 9 Nov 2006
Chou, N., Ledesma, R., Teraguchi, Y., Boneh, D., Mitchell, J.C.: SpoofGuard (2004). http://crypto.stanford.edu/SpoofGuard/. Cited 27 Jul 2006
Downs, J., Holbrook, M., Cranor, L.: Decision strategies and susceptibility to phishing. In: Proceedings of the 2006 Symposium on Usable Privacy and Security, pp. 79–90 (2006)
Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Proceedings of the Conference on Human Factors in Computing Systems (2006). http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf. Cited 11 Nov 2006
Dinev, T.: Why spoofing is serious internet fraud. Commun. ACM 49(10), 76–82 (2006)
FBI National Press Office: Web ‘spoofing’ scams are a growing problem. Press release, Washington D.C. (2003). http://www.fbi.gov/pressrel/pressrel03/spoofing072103.htm. Cited 10 Nov 2006
Gartner Inc.: Gartner survey shows frequent data security lapses and increased cyber attacks damage consumer trust in online commerce (2005). http://www.gartner.com/press_releases/asset_129754_11.html. Cited 22 Nov 2006
Google: Google Safe Browsing (2006). http://www.google.com/support/firefox/bin/static.py?page=features.html&v=2.0f. Cited 10 Oct 2006
Gutmann, P., Grigg, I.: Security usability. IEEE Secur. Priv. 3(4), 56–58 (2005)
Jakobsson, M.: Modeling and preventing phishing attacks. In: Phishing Panel of Financial Cryptography (2005). http://www.informatics.indiana.edu/markus/papers/phishing_jakobsson.pdf. Cited 1 Nov 2006
Jakobsson, M., Ratkiewicz, J.: Designing ethical phishing experiments: a study of (ROT13) rOnl auction query features. In: Proceedings of the 15th Annual World Wide Web Conference, pp. 513–522 (2006)
Li, L., Helenius, M.: Anti-phishing IEPlug (2006). http://www.cs.uta.fi/~ll79452/ap.html. Cited 1 Sep 2006
Netcraft: Netcraft anti-phishing toolbar (2006). http://toolbar.netcraft.com/. Cited 18 Nov 2006
Nielsen, J.: Heuristic evaluation. Online writings (1994). http://www.useit.com/papers/heuristic/. Cited 18 Oct 2006
Pierotti, D.: Usability techniques: heuristic evaluation—a system checklist (1998). http://www.stcsig.org/usability/topics/articles/he-checklist.html. Cited 18 Oct 2006
PhishTank: PhishTank—join the fight against phishing (2006). http://www.phishtank.com/. Cited 5 Nov 2006
Stop-Phishing Group (2006). http://www.indiana.edu/~phishing/?people=external. Cited 20 Oct 2006
Wu, M., Miller, R., Garfinkel, S.: Do security toolbars actually prevent phishing attacks? In: Proceedings of CHI 2006, 22–27 April 2006, Montréal, pp. 601–610 (2006)
Zhang, Y., Egelman, S., Cranor, L., Hong, J.: Phinding Phish: evaluating anti-phishing toolbars. Carnegie Mellon University, CyLab Technical Report CMU-CyLab-06-018 (2006). http://www.cylab.cmu.edu/default.aspx?id=2255. Cited 15 Nov 2006
Author information
Linfeng Li is a student at the University of Tampere, Finland. Marko Helenius is Assistant Professor at the Department of Computer Sciences, University of Tampere, Finland.
Cite this article
Li, L., Helenius, M. Usability evaluation of anti-phishing toolbars. J Comput Virol 3, 163–184 (2007). https://doi.org/10.1007/s11416-007-0050-4