Why does phishing still work?


Why phishing still works: User strategies for combating phishing attacks

Phishing is an ever-present threat. When users' ability to detect phishing was studied nearly a decade ago, the results were worrying. Today, people are more familiar with phishing attacks, and improved web browsers help prevent phishing by providing security indicators such as the SSL lock, security certificates and warnings.

Alsharnouby, Alaca and Chiasson evaluated the effectiveness of recent modifications in browser design that assist users in identifying fraudulent websites. They also investigated whether users have developed improved detection strategies and mental models of phishing. The researchers examined human behaviour, in particular what the user looked at and for how long, using a device that measures eye movements and infers the point on the screen the user is looking at from reflections off the eyes. This was the first study to use eye-tracking data to identify which security indicators captured the attention of users while they judged the legitimacy of websites.

The 21 study participants were first emailed a pre-session questionnaire to collect information used to tailor the test websites. They then took part in an in-lab session examining 24 websites. They had to judge whether each website was genuine, say why, and state how sure they were. The participants' interactions with each website, captured as eye-tracking data, were recorded along with the time taken to judge. Finally, a semi-structured interview was held to understand the participants' mental models, knowledge and experiences. Combining the data on users' decision-making processes with their eye gaze on security cues made the findings more reliable. For example, one participant stated that they rely on the URL indicator to decide the safety of a website, while the eye-tracking data showed otherwise.

A decade of user education and enhancements to browser security indicators has improved phishing detection rates by a mere 6%. Security is usually a secondary task for everyday users. Even in this best-case scenario, where users were asked to identify fraudulent websites and security was therefore their primary task, only 53% of participants were successful. Further, participants frequently identified forged websites with faulty reasoning: for example, one website was judged fake because of its outdated content, even though it was an exact copy of the current website. Users' phishing detection strategies, in order of popularity, can be categorised as: evaluating website content, brute-forcing website functionality by testing the site for completeness, paying attention to the URL, using a search engine to verify, and relying exclusively on SSL.

The most effective phishing detection strategy was a combination of using a search engine and brute-forcing website functionality. But putting these strategies into practice requires users to prioritise security in real-world use. Surprisingly, participants spent less than a minute glancing at the security indicators and the remaining time looking at the easily forgeable contents of the webpage. Furthermore, the presence of security hints grabbed attention, but their absence went unnoticed. Even when users did observe the visual cues, they interpreted them in different ways. This highlights some possible security improvements:

User-friendly URLs - Participants often glanced at the URL but didn’t understand it. Confusion caused by URLs showing different domains for different sections of one website could be reduced.

Visual aids for browsing - Phishing websites can link to genuine websites, making the determination of safety more complicated. A visual indicator could be created that signals a transition from an insecure to a secure domain. The reverse is already addressed by many websites.

Moving authentication to the web browser - Web browsers should be responsible for essential tasks such as user authentication. This would require collaboration between browser and web developers.

Automate as much as possible - Security indicators are not reliable, which makes the user task of detecting phishing very complicated. Automate as much as possible to reduce complexity and ease the burden on users.
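The first and last recommendations above (URLs users cannot read, and automating the decision instead of leaving it to them) can be illustrated together. The following is an added example, not code from the paper: it extracts the registrable domain a user would actually need to judge, renders a URL the way a domain-highlighting address bar does, and replaces the user's judgement with an allowlist check for the domains a site legitimately uses. The tiny suffix list, the hostnames and the allowlist are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real tool would
# load the full list, e.g. via the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the label just left of the public suffix plus the suffix itself.

    This is the only part of a hostname that identifies who controls the site;
    everything to its left is chosen freely by that controller.
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longer suffix first so "co.uk" wins over "uk".
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def highlight(url: str) -> tuple:
    """Split a URL into (dimmed prefix, emphasised registrable domain, dimmed rest).

    A domain-highlighting address bar shows the middle element prominently and
    greys out the other two, so a long lookalike prefix stops masquerading as the
    site name. Expects a URL with a scheme.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    prefix = host[: len(host) - len(reg)]
    rest = parts.path or "/"
    if parts.query:
        rest += "?" + parts.query
    return prefix, reg, rest


def belongs_to_site(url: str, site_domains: set) -> bool:
    """Automated check: is the URL on one of the registrable domains this site uses?

    Sites that spread sections over several domains can publish that set once,
    instead of expecting every user to recognise each domain by eye.
    """
    return registrable_domain(urlsplit(url).hostname or "") in site_domains


if __name__ == "__main__":
    # Constructed example: a lookalike hostname of the kind participants misjudged.
    bank = {"example.com", "example-payments.net"}  # constructed allowlist
    for u in ("https://secure.example.com/login",
              "https://login.example.com.attacker.net/account?x=1"):
        print(highlight(u), belongs_to_site(u, bank))
```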

Reliably detecting phishing requires that users prioritise and put effort into security in the real world. Users currently make poor use of security indicators. Even when users understand them, these indicators are a poor solution, as fake websites are able to imitate them convincingly. Under the same conditions, a genuine website displaying genuine security warnings was judged to be fake. Thus, in the absence of reliable indicators and tools, users should not be entrusted with detecting phishing attacks, and we should look toward more automated phishing detection.

Phishing still happens because users have ad-hoc strategies backed by poor tools. Better tools and more automation are required to make a difference to phishing.