These warnings fight email phishing scams best

New research compares different kinds of warnings alerting email users to potential phishing scams.

Just when we think we have a handle on the tricks data thieves have up their sleeves to hack our devices in an attempt to steal our information, someone comes along with a new way to fool us, and phishing schemes on the computer can catch even the savviest of users.

Organizations that provide email services, including the commercial email clients that consumers use every day, have put numerous measures in place to fight phishing attempts, and work to educate users about avoiding suspicious links in email. Among the efforts are various warnings that alert users of potentially suspicious links.

In a study involving 700 participants ages 20 to 71, researchers evaluated three warning design features to help users more effectively assess phishing risk and avoid suspicious websites. They compared them to the more commonly used static email banner—often a colored band or box using a bold color like red that appears as a warning across the top of an email page. The three features for comparison are:

  1. Warning placement, or moving phishing warnings close to the suspicious link in the email.
  2. Forced attention to the warning by deactivating the suspicious link in the email body and forcing the user to click the unmasked URL to proceed.
  3. Warning activation, which calls for the warning to show up only when the user hovers over a link.

They found that when compared with banner warnings, link-focused phishing warnings reduced the chance of participants clicking through to a phishing link. Forced attention warnings were the most effective.

“Detecting phishing emails is difficult for people and the common advice to ‘check the link before you click’ is good but not really supported by email clients,” says Florian Schaub, assistant professor at the School of Information at the University of Michigan.

“Our research shows that well-designed phishing warnings can help consumers better detect phishing links by clearly identifying which links in an email are suspicious, prominently showing the suspicious link’s destination, and forcing users to click on the warning if they want to still continue to the link’s destination,” Schaub says.

The researchers will share their work at the CHI Conference on Human Factors in Computing in Glasgow, Scotland.

Source: University of Michigan