Fishing for phishers. Improving Internet users' sensitivity to visual deception cues to prevent electronic fraud

- Spoof websites usually present typographical deviations from the legitimate version due to technical reasons.
- Training Internet users to detect those deviations may protect them against scams.
- Sensitivity to typographic changes increased after easy-to-hard discriminative training.
- This training is a promising anti-phishing approach that may complement others.

Phishing is a form of electronic fraud in which attackers attempt to steal sensitive information by posing as a legitimate entity. To maintain the attack unnoticed, phishers typically use fake sites that accurately mimic real ones. However, there are usually subtle visual discrepancies between these spoof sites and their legitimate counterparts that may help Internet users to identify their deceptive nature. Among all the potential visual cues, we choose to focus on typography, because it is often hard for phishers to use exactly the same font as in the original website. Thus, Experiment 1 assessed the effectiveness of visual discrimination training to help people detect typographical discrepancies between fake and legitimate websites. Results showed higher sensitivity to differences when undergraduate students were previously trained with easier versions of the discrimination task (i.e., involving more noticeable differences in typography) than when they were trained with the difficult target discrimination from the start (easy-to-hard effect). These results were replicated with a broader and more representative sample of anonymous Internet users in Experiment 2. Implications for the design of strategies to prevent electronic fraud are discussed.