Restricting the Link: Effects of Focused Attention and Time Delay on Phishing Warning Effectiveness

Justin Petelka, University of Washington; Benjamin Maximilian Berens, SECUSO, Karlsruhe Institute of Technology; Carlo Sugatan, University of Michigan; Melanie Volkamer, SECUSO, Karlsruhe Institute of Technology; Florian Schaub, University of Michigan

Phishing warning researchers have proposed two forms of hyperlink restrictions for reducing phishing click-through rates (CTR): focused attention, which prevents users from proceeding to a suspicious URL until they click the uncovered link inside the warning; and time delay, which disables link clicking for a short period of time. Both measures aim to draw user attention to the warning and nudge them to carefully evaluate the respective link's URL. However, the effectiveness of these measures has so far not been comparatively evaluated. We conducted a mixed-methods online experiment (n=1,320) to understand differences in the effectiveness of focused attention and time delay both independently and together. Our study used an instrumented email inbox environment, in which participants were asked to assess emails and email hyperlinks. We found that, while both focused attention and time delay reduced click-through rates independently, the strengths of these effects were significantly different from each other, with focused attention being more effective than time delay. Combining both measures reduced CTR even further. We also found that participants who saw a warning with a time delay were more likely to hover over hyperlinks for longer than those who saw a focused attention warning. We discuss the implications of our findings for the design of anti-phishing warnings.
