Why phishing still works: User strategies for combating phishing attacks

We have conducted a user study to assess whether improved browser security indicators and increased awareness of phishing have led to users’ improved ability to protect themselves against such attacks. Participants were shown a series of websites and asked to identify the phishing websites. We use eye tracking to obtain objective quantitative data on which visual cues draw users’ attention as they determine the legitimacy of websites. Our results show that users successfully detected only 53% of phishing websites even when primed to identify them and that they generally spend very little time gazing at security indicators compared to website content when making assessments. However, we found that gaze time on browser chrome elements does correlate to increased ability to detect phishing. Interestingly, users’ general technical proficiency does not correlate with improved detection scores.