URL Inspection Tasks: Helping Users Detect Phishing Links in Emails
Daniele Lain, Yoshimichi Nakatsuka, Kari Kostiainen, Gene Tsudik, Srdjan Capkun

TL;DR
This paper introduces URL inspection tasks as interactive challenges to improve user detection of phishing links in emails, significantly reducing successful attacks by enhancing user understanding and attention.
Contribution
The study develops and evaluates three novel URL inspection tasks inspired by CAPTCHAs, demonstrating their effectiveness in phishing prevention across diverse user groups.
Findings
Tasks significantly reduce successful phishing attempts.
Highest efficacy observed for complex URLs like typo-squats.
Slowing users and emphasizing URL structure improves detection.
Abstract
The most widespread type of phishing attack involves email messages with links pointing to malicious content. Despite user training and the use of detection techniques, these attacks are still highly effective. Recent studies show that it is user inattentiveness, rather than lack of education, that is one of the key factors in successful phishing attacks. To this end, we develop a novel phishing defense mechanism based on URL inspection tasks: small challenges (loosely inspired by CAPTCHAs) that, to be solved, require users to interact with, and understand, the basic URL structure. We implemented and evaluated three tasks that act as "barriers" to visiting the website: (1) correct click-selection from a list of URLs, (2) mouse-based highlighting of the domain-name URL component, and (3) re-typing the domain-name. These tasks follow best practices in security interfaces and warning…
Taxonomy
Topics: Spam and Phishing Detection · User Authentication and Security Systems · Personal Information Management and User Behavior
