DOI: 10.1145/3313831.3376168
Research article

What is this URL's Destination? Empirical Evaluation of Users' URL Reading

Published: 23 April 2020

    Abstract

    Common anti-phishing advice tells users to mouse over links, look at the URL, and compare to the expected destination, implicitly assuming that they are able to read the URL. To test this assumption, we conducted a survey with 1929 participants recruited from the Amazon Mechanical Turk and Prolific Academic platforms. Participants were shown 23 URLs with various URL structures. For each URL, participants were asked via a multiple choice question where the URL would lead and how safe they feel clicking on it would be. Using latent class analysis, participants were stratified by self-reported technology use. Participants were strongly biased towards answering that the URL would lead to the website of the organization whose name appeared in the URL, regardless of its position in the URL structure. The group with the highest technology use was only minorly better at URL reading.

    Supplementary Material

    PDF File (paper041aux.pdf)
    Survey text.
    M4V File (paper041pv.m4v)
    Preview video
    MP4 File (a41-albakry-presentation.mp4)

    Published In

    CHI '20: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems
    April 2020
    10688 pages
    ISBN: 9781450367080
    DOI: 10.1145/3313831

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. link destination
    2. online security
    3. phishing
    4. technology usage
    5. uniform resource locators
    6. url readability
    7. web literacy

    Qualifiers

    • Research-article

    Funding Sources

    • UK National Cyber Security Center
    • EPSRC

    Conference

    CHI '20

    Acceptance Rates

    Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

    Cited By

    • (2024) Better Together: The Interplay Between a Phishing Awareness Video and a Link-centric Phishing Support Tool. Proceedings of the CHI Conference on Human Factors in Computing Systems. DOI: 10.1145/3613904.3642843 (1-60). Online publication date: 11-May-2024
    • (2024) Enhancing Smishing Detection in AR Environments: Cross-Device Solutions for Seamless Reality. 2024 IEEE Conference on Virtual Reality and 3D User Interfaces Abstracts and Workshops (VRW). DOI: 10.1109/VRW62533.2024.00108 (565-572). Online publication date: 16-Mar-2024
    • (2024) Manufactured Narratives: On the Potential of Manipulating Social Media to Politicize World Events. 2024 IEEE Security and Privacy Workshops (SPW). DOI: 10.1109/SPW63631.2024.00007 (17-27). Online publication date: 23-May-2024
    • (2024) Taking 5 minutes protects you for 5 months. Computers and Security. DOI: 10.1016/j.cose.2023.103620. 137:C. Online publication date: 1-Feb-2024
    • (2023) Checking, nudging or scoring? evaluating e-mail user security tools. Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security. DOI: 10.5555/3632186.3632190 (57-76). Online publication date: 7-Aug-2023
    • (2023) Analysis of Non-Experts' Security- and Privacy-Related Questions on a Q&A Site. IEICE Transactions on Information and Systems. DOI: 10.1587/transinf.2022ICP0006. E106.D:9 (1380-1396). Online publication date: 1-Sep-2023
    • (2023) Unraveling Threat Intelligence Through the Lens of Malicious URL Campaigns. Proceedings of the 18th Asian Internet Engineering Conference. DOI: 10.1145/3630590.3630600 (78-86). Online publication date: 12-Dec-2023
    • (2023) Phishing to improve detection. Proceedings of the 2023 European Symposium on Usable Security. DOI: 10.1145/3617072.3617121 (334-343). Online publication date: 16-Oct-2023
    • (2023) Influence of URL Formatting on Users' Phishing URL Detection. Proceedings of the 2023 European Symposium on Usable Security. DOI: 10.1145/3617072.3617111 (318-333). Online publication date: 16-Oct-2023
    • (2023) Easier in Reverse: Simplifying URL Reading for Phishing URLs via Reverse Domain Name Notation. Proceedings of the 18th International Conference on Availability, Reliability and Security. DOI: 10.1145/3600160.3604989 (1-10). Online publication date: 29-Aug-2023
