A Review of Human- and Computer-Facing URL Phishing Features

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

Khamis

2021

Self Cite

Figure 1: We evaluate and discuss the suitability of using Virtual Reality (VR) to conduct human-centred usability and security evaluations of real-world authentication systems. To this end, we replicated a recently introduced authentication scheme called CueAuth [52] (➊) into VR (➋). We then evaluate the usability and security of our replica and compare the results to the real-world evaluation of CueAuth [52].

Section: Overview Of Studiesmentioning

confidence: 99%

RepliCueAuth: Validating the Use of a Lab-Based Virtual Reality Setup for Evaluating Authentication Systems

Mathis

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

Khamis

2021

Self Cite

“…One of the most effective methods of determining if an e-mail is legitimate or not is looking at the embedded links and comparing the domain of the URLs to the one expected from the organisation supposedly sending the email [5]. Unfortunately, users are currently not very skilled at doing such comparisons unaided [3], [5], [31], [56]. These results might be not too surprising, as information on how to check for the destination of a link before clicking it or how to check the domain of a webpage before entering sensitive data was missing completely from almost all of the analysed webpages.…”

Section: Discussionmentioning

confidence: 99%

Analysis of publicly available anti-phishing webpages: contradicting information, lack of concrete advice and very narrow attack vector

Mossano

2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

Aldag

et al. 2020

Self Cite

Phishing is currently one of the biggest threats in cybersecurity for both the business and the private contexts. A large percentage of phishing attacks are blocked by automated technical solutions, but unfortunately there is often a delay between when phishing emails enter inboxes and when the technical solutions are able to detect and filter them out. To close this gap, it is common practice for companies to implement mandatory phishing awareness measures for their employees. But what about the private context? We aimed at answering that question by analysing 94 anti-phishing webpages from eight different countries and four organisation types. Our analysis revealed not only contradicting recommendations, but also that most of them are rather abstract (e.g. check the URL before clicking on the link without telling what to look for) and lack guidance on advanced phishing techniques (e.g. clone phishing). We discuss the problems faced by readers of these webpages and outline both immediate recommendations to the web designer and ways forward to improve the current situation as future work.

“…To do so, we started with a grid-based report structure inspired by the Privacy Nutrition Labels work by Kelly et al [38]. The grid presents the user with information about the URL, drawn from existing research on the URL features that are likely to be the most useful to humans [5], and is annotated with explanations aimed at helping users interpret the information. We then iterated on its design with the assistance of 8 focus groups consisting of end users, security experts, and design experts to simplify the interface and improve the explanation of features.…”

Section: Take Down Policymentioning

confidence: 99%

“…In a review of URL phishing features used by humans and by automated systems, Althobaiti et al [5] observed that the domain part of the URL is the most used feature in human-based detection because they can compare it against their expectations. It is less useful for computers because the computer has to guess if the URL matches the content of the communication.…”

Section: Deciding If a Url Goes Where The User Thinks It Goesmentioning

confidence: 99%

“…Its effectiveness depends on the user's ability to recall and apply these learned lessons in later situations, which can be challenging since people tend to forget unused information [18,64], necessitating periodical training [34]. Even if they can remember, attackers also continuously adjust their tactics over time, invalidating some of the learned information [5,22].…”

Section: User Trainingmentioning

confidence: 99%

See 1 more Smart Citation

I Don’t Need an Expert! Making URL Phishing Features Human Comprehensible

Althobaiti

Meng

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

2021

Self Cite

Judging the safety of a URL is something that even security experts struggle to do accurately without additional information. In this work, we aim to make experts' tools accessible to non-experts and assist general users in judging the safety of URLs by providing them with a usable report based on the information professionals use. We designed the report by iterating with 8 focus groups made up of end users, HCI experts, and security experts to ensure that the report was usable as well as accurately interpreted the information. We also conducted an online evaluation with 153 participants to compare different report-length options. We find that the longer comprehensive report allows users to accurately judge URL safety (93% accurate) and that summaries still provide benefit (83% accurate) compared to domain highlighting (65% accurate).