Is Domain Highlighting Actually Helpful in Identifying Phishing Web Pages?

Aiping Xiong, Robert W. Proctor, Weining Yang, Ninghui Li

Research output: Contribution to journal › Review article

6 Citations (Scopus)

Abstract

Objective: To evaluate the effectiveness of domain highlighting in helping users identify whether Web pages are legitimate or spurious. Background: As a component of the URL, a domain name can be overlooked. Consequently, browsers highlight the domain name to help users identify which Web site they are visiting. Nevertheless, few studies have assessed the effectiveness of domain highlighting, and the only formal study confounded highlighting with instructions to look at the address bar. Method: We conducted two phishing detection experiments. Experiment 1 was run online: Participants judged the legitimacy of Web pages in two phases. In Phase 1, participants were to judge the legitimacy based on any information on the Web page, whereas in Phase 2, they were to focus on the address bar. Whether the domain was highlighted was also varied. Experiment 2 was conducted similarly but with participants in a laboratory setting, which allowed tracking of fixations. Results: Participants differentiated the legitimate and fraudulent Web pages better than chance. There was some benefit of attending to the address bar, but domain highlighting did not provide effective protection against phishing attacks. Analysis of eye-gaze fixation measures was in agreement with the task performance, but heat-map results revealed that participants' visual attention was attracted by the highlighted domains. Conclusion: Failure to detect many fraudulent Web pages even when the domain was highlighted implies that users lacked knowledge of Web page security cues or how to use those cues. Application: Potential applications include development of phishing prevention training incorporating domain highlighting with other methods to help users identify phishing Web pages.

Original language: English (US)
Pages (from-to): 640-660
Number of pages: 21
Journal: Human Factors
Volume: 59
Issue number: 4
DOI: 10.1177/0018720816684064
State: Published - Jun 1 2017

Fingerprint

  • Illegitimacy
  • Names
  • Cues
  • Websites
  • Task Performance and Analysis
  • Hot Temperature
  • experiment
  • legitimacy
  • heat
  • instruction
  • Experiments
  • performance

All Science Journal Classification (ASJC) codes

  • Human Factors and Ergonomics
  • Applied Psychology
  • Behavioral Neuroscience

Cite this

Xiong, Aiping; Proctor, Robert W.; Yang, Weining; Li, Ninghui. Is Domain Highlighting Actually Helpful in Identifying Phishing Web Pages? In: Human Factors. 2017; Vol. 59, No. 4. pp. 640-660.
@article{77bf6bd138324f578964eb44960f41f3,
title = "Is Domain Highlighting Actually Helpful in Identifying Phishing Web Pages?",
author = "Aiping Xiong and Proctor, {Robert W.} and Weining Yang and Ninghui Li",
year = "2017",
month = "6",
day = "1",
doi = "10.1177/0018720816684064",
language = "English (US)",
volume = "59",
pages = "640--660",
journal = "Human Factors",
issn = "0018-7208",
publisher = "SAGE Publications Inc.",
number = "4",
}


TY  - JOUR
T1  - Is Domain Highlighting Actually Helpful in Identifying Phishing Web Pages?
AU  - Xiong, Aiping
AU  - Proctor, Robert W.
AU  - Yang, Weining
AU  - Li, Ninghui
PY  - 2017/6/1
Y1  - 2017/6/1

UR  - http://www.scopus.com/inward/record.url?scp=85019741846&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=85019741846&partnerID=8YFLogxK
U2  - 10.1177/0018720816684064
DO  - 10.1177/0018720816684064
M3  - Review article
C2  - 28060529
AN  - SCOPUS:85019741846
VL  - 59
SP  - 640
EP  - 660
JO  - Human Factors
JF  - Human Factors
SN  - 0018-7208
IS  - 4
ER  -