Do Users Attend to Highlighted Domains in Identifying Phishing Webpages?
Primary Investigator:
Robert Proctor

Project Members:
Aiping Xiong, Weining Yang, Robert W. Proctor, Ninghui Li

Domain highlighting has been implemented by popular browsers with the aim of helping users identify which sites they are visiting. Its effectiveness, however, rests on three assumptions: that users naturally attend to the address bar, that they use the domain name to judge a website’s legitimacy, and that they can recognize legitimate domain names. We conducted an eye-tracking experiment to test the effectiveness of domain highlighting and to verify these assumptions. Thirty-two participants were recruited to judge the legitimacy of webpages (half authentic and half fraudulent). In the first phase they could base their judgment on any information on the webpage, whereas in the second phase they were told to focus on the address bar. Whether the domain was highlighted was varied between subjects. The results showed some benefit of attending to the address bar, but domain highlighting itself did not provide effective protection. Heat-map results revealed that domain highlighting did change the distribution of participants’ visual attention. Thus, the failure to detect many phishing webpages even when the domain was highlighted suggests that users lack knowledge of legitimate domain names or of how to use them.