DOI: 10.1145/3638380.3638434
short-paper

A Large-Scale Study of Device and Link Presentation in Email Phishing Susceptibility

Published: 10 May 2024

Abstract

Phishing is one of the most prevalent social engineering attacks that targets both organisations and individuals. It is crucial to understand how email presentation impacts users’ reactions to phishing attacks. We hypothesised that device type and email presentation could potentially play a role, particularly in how links are displayed, which might influence susceptibility. In collaboration with the IT Services unit of a large organisation for a phishing training exercise, we conducted a study to explore the effects of device type and link presentation. Our findings revealed no significant difference in users’ susceptibility to phishing when using mobile devices versus computers. However, the masking of phishing links as buttons or hypertext appeared to be influential in shaping users’ behaviour. More specifically, users were significantly more likely to click on phishing links when masked as hypertext. These findings suggest that link presentation plays a significant role in users’ susceptibility to phishing attacks.

Published In

OzCHI '23: Proceedings of the 35th Australian Computer-Human Interaction Conference
December 2023
733 pages
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. UI design
  2. devices
  3. link visual presentation
  4. phishing susceptibility

Qualifiers

  • Short-paper
  • Research
  • Refereed limited

Conference

OzCHI 2023
December 2 - 6, 2023
Wellington, New Zealand

Acceptance Rates

Overall Acceptance Rate 362 of 729 submissions, 50%
