DOI: 10.1145/3411764.3445574
Research article

I Don’t Need an Expert! Making URL Phishing Features Human Comprehensible

Published: 07 May 2021

Abstract

Judging the safety of a URL is something that even security experts struggle to do accurately without additional information. In this work, we aim to make experts’ tools accessible to non-experts and assist general users in judging the safety of URLs by providing them with a usable report based on the information professionals use. We designed the report by iterating with 8 focus groups made up of end users, HCI experts, and security experts to ensure that the report was usable as well as accurately interpreted the information. We also conducted an online evaluation with 153 participants to compare different report-length options. We find that the longer comprehensive report allows users to accurately judge URL safety (93% accurate) and that summaries still provide benefit (83% accurate) compared to domain highlighting (65% accurate).

Supplementary Material

Supplementary Materials (3411764.3445574_supplementalmaterials.zip)

Published In

CHI '21: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems
May 2021
10862 pages
ISBN: 9781450380966
DOI: 10.1145/3411764

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 07 May 2021

Author Tags

1. Phishing
2. URL reading
3. decision support
4. phishing awareness
5. real-time learning
6. security education
7. usable privacy and security

Qualifiers

• Research-article
• Research
• Refereed limited

Funding Sources

• The UKRI Centre for Doctoral Training in Natural Language Processing

Conference

CHI '21

Acceptance Rates

Overall Acceptance Rate: 6,199 of 26,314 submissions, 24%

Article Metrics

• Downloads (last 12 months): 183
• Downloads (last 6 weeks): 54

Reflects downloads up to 28 Feb 2025.

Cited By

• (2025) "LLMs are one-shot URL classifiers and explainers." Computer Networks 258 (111004). DOI: 10.1016/j.comnet.2024.111004. Online publication date: Feb-2025.
• (2024) "Negative effects of social triggers on user security and privacy behaviors." Proceedings of the Twentieth USENIX Conference on Usable Privacy and Security (605-622). DOI: 10.5555/3696899.3696931. Online publication date: 12-Aug-2024.
• (2024) "Better Together: The Interplay Between a Phishing Awareness Video and a Link-centric Phishing Support Tool." Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (1-60). DOI: 10.1145/3613904.3642843. Online publication date: 11-May-2024.
• (2024) "Enhancing Phishing Detection: A Novel Hybrid Deep Learning Framework for Cybercrime Forensics." IEEE Access 12 (8373-8389). DOI: 10.1109/ACCESS.2024.3351946. Online publication date: 2024.
• (2024) "Taking 5 minutes protects you for 5 months." Computers and Security 137:C. DOI: 10.1016/j.cose.2023.103620. Online publication date: 12-Apr-2024.
• (2024) "A systematic review and research challenges on phishing cyberattacks from an electroencephalography and gaze-based perspective." Personal and Ubiquitous Computing 28:3-4 (449-470). DOI: 10.1007/s00779-024-01794-9. Online publication date: 1-Aug-2024.
• (2024) "Phish and Tips:" Human Aspects of Information Security and Assurance (200-214). DOI: 10.1007/978-3-031-72559-3_14. Online publication date: 28-Nov-2024.
• (2023) "Checking, nudging or scoring? evaluating e-mail user security tools." Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security (57-76). DOI: 10.5555/3632186.3632190. Online publication date: 7-Aug-2023.
• (2023) "A Large-Scale Study of Device and Link Presentation in Email Phishing Susceptibility." Proceedings of the 35th Australian Computer-Human Interaction Conference (78-85). DOI: 10.1145/3638380.3638434. Online publication date: 2-Dec-2023.
• (2023) "Unraveling Threat Intelligence Through the Lens of Malicious URL Campaigns." Proceedings of the 18th Asian Internet Engineering Conference (78-86). DOI: 10.1145/3630590.3630600. Online publication date: 12-Dec-2023.
