Put Your Warning Where Your Link Is: Improving and Evaluating Email Phishing Warnings

Published in Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, 2019

Petelka, J., Zou, Y., and Schaub, F. (2019). "Put Your Warning Where Your Link Is: Improving and Evaluating Email Phishing Warnings". In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems. https://doi.org/10.1145/3290605.3300748

Abstract - Phishing emails often disguise a link’s actual URL. Thus, common anti-phishing advice is to check a link’s URL before clicking, but email clients do not support this well. Automated phishing detection enables email clients to warn users that an email is suspicious, but current warnings are often not specific. We evaluated the effects on phishing susceptibility of (1) moving phishing warnings close to the suspicious link in the email, (2) displaying the warning on hover interactions with the link, and (3) forcing attention to the warning by deactivating the original link, forcing users to click the URL in the warning. We assessed the effectiveness of such link-focused phishing warning designs in a between-subjects online experiment (n=701). We found that link-focused phishing warnings reduced phishing click-through rates compared to email banner warnings; forced attention warnings were most effective. We discuss the implications of our findings for phishing warning design.
