Posted on 2008-01-01, 00:00. Authored by Serge Egelman, Lorrie Faith Cranor, Jason Hong.

Many popular web browsers now include active phishing
warnings since research has shown that passive warnings
are often ignored. In this laboratory study we examine the
effectiveness of these warnings and examine if, how, and
why they fail users. We simulated a spear phishing attack
to expose users to browser warnings. We found that 97%
of our sixty participants fell for at least one of the phishing
messages that we sent them. However, we also found that
when presented with the active warnings, 79% of participants
heeded them, which was not the case for the passive
warning that we tested—where only one participant heeded
the warnings. Using a model from the warning sciences we
analyzed how users perceive warning messages and offer
suggestions for creating more effective phishing warnings.