DOI: 10.1145/3055305.3055310
Research article

Use of Phishing Training to Improve Security Warning Compliance: Evidence from a Field Experiment

Published: 04 April 2017

ABSTRACT

The current approach to protecting users from phishing attacks is to display a warning when a webpage is considered suspicious. We hypothesize that users can make correct, informed decisions when the warning also conveys the reasons why it is displayed. We chose domain traffic rankings, which can be easily explained to users, as the warning trigger, and evaluated the effect of the phishing warning message and of phishing training. The evaluation was conducted as a field experiment. We found that knowledge gained from the training enhances the effectiveness of phishing warnings, as fewer participants were phished. However, the knowledge by itself was not sufficient to provide phishing protection. We suggest that integrating training into the warning interface, using traffic ranking in phishing detection, and explaining why warnings are generated will improve current phishing defenses.

Published in: HoTSoS: Proceedings of the Hot Topics in Science of Security: Symposium and Bootcamp
April 2017, 99 pages
ISBN: 9781450352741
DOI: 10.1145/3055305
Copyright © 2017 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Publication history: Published 4 April 2017

Qualifiers: research-article, Research, Refereed limited

Acceptance rates: HoTSoS paper acceptance rate 9 of 17 submissions (53%); overall acceptance rate 34 of 60 submissions (57%)