Phishers are fraudsters who mimic legitimate websites to steal users' credential information and exploit that information for identity theft and other criminal activities. Various anti-phishing techniques attempt to mitigate such attacks. Domain highlighting is one such approach recently incorporated by several popular web browsers. The idea is simple: the domain name of an address is highlighted in the address bar, so that users can inspect it to determine a web site's legitimacy. Our research asks a basic question: how well does domain highlighting work? To answer this, we showed 22 participants 16 web pages typical of those targeted for phishing attacks, where participants had to determine the page's legitimacy. In the first round, they judged the page's legitimacy by whatever means they chose. In the second round, they were directed specifically to look at the address bar. We found that participants fell into 3 types in terms of how they determined the legitimacy of a web page; while domain highlighting was somewhat effective for one user type, it was much less effective for others. We conclude that domain highlighting, while providing some benefit, cannot be relied upon as the sole method to prevent phishing attacks.