Visible to the public Is domain highlighting actually helpful in identifying phishing webpages?Conflict Detection Enabled

TitleIs domain highlighting actually helpful in identifying phishing webpages?
Publication TypeJournal Article
Year of Publication2017
AuthorsAiping Xiong, Robert W. Proctor, Ninghui Li, Weining Yang
JournalHuman Factors: The Journal of the Human Factors and Ergonomics Society
KeywordsA Human Information-Processing Analysis of Online Deception Detection, cybersecurity, decision making, information processing, phishing, warnings
Abstract

To evaluate the effectiveness of domain highlighting in helping users identify whether Web pages are legitimate or spurious. As a component of the URL, a domain name can be overlooked. Consequently, browsers highlight the domain name to help users identify which Web site they are visiting. Nevertheless, few studies have assessed the effectiveness of domain highlighting, and the only formal study confounded highlighting with instructions to look at the address bar. We conducted two phishing detection experiments. Experiment 1 was run online: Participants judged the legitimacy of Web pages in two phases. In Phase 1, participants were to judge the legitimacy based on any information on the Web page, whereas in Phase 2, they were to focus on the address bar. Whether the domain was highlighted was also varied. Experiment 2 was conducted similarly but with participants in a laboratory setting, which allowed tracking of fixations. Participants differentiated the legitimate and fraudulent Web pages better than chance. There was some benefit of attending to the address bar, but domain highlighting did not provide effective protection against phishing attacks. Analysis of eye-gaze fixation measures was in agreement with the task performance, but heat-map results revealed that participants' visual attention was attracted by the highlighted domains. Failure to detect many fraudulent Web pages even when the domain was highlighted implies that users lacked knowledge of Web page security cues or how to use those cues. Potential applications include development of phishing prevention training incorporating domain highlighting with other methods to help users identify phishing Web pages.

DOI10.1177/0018720816684064
Citation Keynode-34190
Refereed DesignationRefereed