You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings
Serge Egelman
Lorrie Faith Cranor
Jason Hong
10.1184/R1/6626570.v1
https://kilthub.cmu.edu/articles/journal_contribution/You_ve_Been_Warned_An_Empirical_Study_of_the_Effectiveness_of_Web_Browser_Phishing_Warnings/6626570
Many popular web browsers now include active phishing
warnings since research has shown that passive warnings
are often ignored. In this laboratory study we examine the
effectiveness of these warnings and examine if, how, and
why they fail users. We simulated a spear phishing attack
to expose users to browser warnings. We found that 97%
of our sixty participants fell for at least one of the phishing
messages that we sent them. However, we also found that
when presented with the active warnings, 79% of participants
heeded them, which was not the case for the passive
warning that we tested—where only one participant heeded
the warnings. Using a model from the warning sciences, we
analyzed how users perceive warning messages and offer
suggestions for creating more effective phishing warnings.
2008-01-01 00:00:00
User/Machine Systems
User Interfaces
Security and Protection
Phishing
warning messages
mental models
usable privacy and security