Embedding Training Within Warnings Improves Skills of Identifying Phishing Webpages.

Author information

Purdue University, Lafayette, Indiana, USA.

Publication information

Hum Factors. 2019 Jun;61(4):577-595. doi: 10.1177/0018720818810942. Epub 2018 Dec 10.

Abstract

OBJECTIVE

Evaluate the effectiveness of training embedded within security warnings to identify phishing webpages.

BACKGROUND

More than 20 million malware and phishing warnings are shown to users of Google Safe Browsing every week. A substantial click-through rate is still evident, and a commonly reported issue is that users lack understanding of the warnings. Nevertheless, each warning provides an opportunity to train users about phishing and how to avoid phishing attacks.

METHOD

To test the use of phishing-warning instances as opportunities to train users' phishing webpage detection skills, we conducted an online experiment contrasting the effectiveness of the current Chrome phishing warning with two training-embedded warning interfaces. The experiment consisted of three phases. In Phase 1, participants made login decisions on 10 webpages with the aid of a warning. After a distracting task, participants made legitimacy judgments for 10 different login webpages without warnings in Phase 2. To test the long-term effect of the training, participants were invited back a week later to participate in Phase 3, which was conducted similarly to Phase 2.

RESULTS

Participants differentiated legitimate and fraudulent webpages better than chance. Performance was similar for all interfaces in Phase 1, in which the warning aid was present. However, training-embedded interfaces provided better protection than the Chrome phishing warning in both subsequent phases.

CONCLUSION

Embedded training is a complementary strategy to compensate for a lack of phishing webpage detection skill when a phishing warning is absent.

APPLICATION

Potential applications include development of training-embedded warnings to enable security training at scale.
