Recommendations for improving the design of phishing indicators

Name Recommendations for improving the design of phishing indicators
Sources (Egelman et al., 2008)
Synonyms None
Context Web Browser Phishing Warnings
Item 1 Interrupting the primary task
“Phishing indicators need to be designed to interrupt the user’s task. We found that the passive indicator, which did not interrupt the user’s task, was not significantly different than not providing any warning. The active warnings were effective because they facilitated attention switch and maintenance.”
[Principle] Visibility
Item 2 Providing clear choices
“Phishing indicators need to provide the user with clear options on how to proceed, rather than simply displaying a block of text. The users that noticed the passive Internet Explorer warning read it but ignored it because they did not understand what they were supposed to do. They understood it had something to do with security, but they did not know how to proceed. In contrast, the active warnings presented choices and recommendations which were largely heeded. Wu found similar results with regard to providing users with clear choices (Wu, 2006).”
[Principle] Understandability
Item 3 Failing safely
“Phishing indicators must be designed such that one can only proceed to the phishing website after reading the warning message. Users of the active Internet Explorer warning who did not read the warning or choices could only close the window to get rid of the message. This prevented them from accessing the page without reviewing the warning’s recommendations. However, users of the passive Internet Explorer warning had the option of clicking the familiar ‘X’ in the corner to dismiss it without reading it, and accessing the page anyway.”
[Principle] Path of Least Resistance
Item 4 Preventing habituation
“Phishing indicators need to be distinguishable from less serious warnings and used only when there is a clear danger. Users ignored the passive indicators because they looked like many other warnings that users have ignored without consequences, thus they appear to be “crying wolf.” Even the active Internet Explorer warning was not read in a few cases because users mistook it for other IE warnings. More people read the Firefox warnings because they are designed unlike any other warnings. Dynamic warning messages may help prevent habituation (Brustoloni and Villamarín-Salomón, 2007).”
[Principle] Convenience
Item 5 Altering the phishing website
Phishing indicators need to distort the look and feel of the website such that the user does not place trust in it. This can be accomplished by altering its look or simply not displaying it at all. The overall look and feel of a website is usually the primary factor when users make trust decisions (Fogg et al., 2001). When the website was displayed alongside the passive indicators, users ignored the warnings because they said that they trusted the look of the website.
Examples None
Related Guidelines Guidelines used to redesign warnings; Warning Design Guidelines
Tags phishing, warnings
Log history [1/30/2019]: Added to repository

References

Brustoloni, J.C., Villamarín-Salomón, R., 2007. Improving security decisions with polymorphic and audited dialogs, in: Proceedings of the 3rd Symposium on Usable Privacy and Security, SOUPS ’07. ACM, New York, NY, USA, pp. 76–85. doi:10.1145/1280680.1280691

Egelman, S., Cranor, L.F., Hong, J., 2008. You've been warned: An empirical study of the effectiveness of web browser phishing warnings, in: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’08. ACM, New York, NY, USA, pp. 1065–1074. doi:10.1145/1357054.1357219

Fogg, B.J., Marshall, J., Laraki, O., Osipovich, A., Varma, C., Fang, N., Paul, J., Rangnekar, A., Shon, J., Swani, P., Treinen, M., 2001. What makes web sites credible?: A report on a large quantitative study, in: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’01. ACM, New York, NY, USA, pp. 61–68. doi:10.1145/365024.365037

Wu, M., 2006. Fighting phishing at the user interface (PhD thesis). Massachusetts Institute of Technology.