Why phishing still works: User strategies for combating phishing attacks

• Users successfully detected only 53% of phishing websites.
• Gaze time on browser chrome elements correlates to increased ability to detect phishing.
• Users׳ technical proficiency is not correlated with the ability to detect phishing.
• Users spend little time gazing at security indicators when assessing legitimacy of websites.

We have conducted a user study to assess whether improved browser security indicators and increased awareness of phishing have led to users׳ improved ability to protect themselves against such attacks. Participants were shown a series of websites and asked to identify the phishing websites. We use eye tracking to obtain objective quantitative data on which visual cues draw users׳ attention as they determine the legitimacy of websites. Our results show that users successfully detected only 53% of phishing websites even when primed to identify them and that they generally spend very little time gazing at security indicators compared to website content when making assessments. However, we found that gaze time on browser chrome elements does correlate to increased ability to detect phishing. Interestingly, users׳ general technical proficiency does not correlate with improved detection scores.