Abstract We have conducted a user study to assess whether improved browser security indicators and increased awareness of phishing have led to users' improved ability to protect themselves against such attacks. Participants were shown a series of websites and asked to identify the phishing websites. We use eye tracking to obtain objective quantitative data on which visual cues draw users' attention as they determine the legitimacy of websites. Our results show that users successfully detected only 53% of phishing websites even when primed to identify them and that they generally spend very little time gazing at security indicators compared to website content when making assessments. However, we found that gaze time on browser chrome elements does correlate to increased ability to detect phishing. Interestingly, users' general technical proficiency does not correlate with improved detection scores.

Additional Metadata
Keywords Eye tracking, Phishing, Usable security, User study
Persistent URL dx.doi.org/10.1016/j.ijhcs.2015.05.005
Journal International Journal of Human Computer Studies
Citation
Alsharnouby, M. (Mohamed), Alaca, F. (Furkan), & Chiasson, S. (2015). Why phishing still works: User strategies for combating phishing attacks. International Journal of Human Computer Studies, 82, 69–82. doi:10.1016/j.ijhcs.2015.05.005