Zheng, Sarah; Becker, Ingolf; (2022) Presenting Suspicious Details in User-Facing E-mail Headers Does Not Improve Phishing Detection. In: Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022). USENIX Association: Boston, MA, USA.

Preview

Text Becker_efs_manuscript.pdf - Accepted Version Download (738kB) | Preview

Abstract

Phishing requires humans to fall for impersonated sources. Sender authenticity can often be inferred from e-mail header information commonly displayed by e-mail clients, such as sender and recipient details. People may be biased by convincing e-mail content and overlook these details, and subsequently fall for phishing. This study tests whether people are better at detecting phishing e-mails when they are only presented with user-facing e-mail headers, instead of full emails. Results from a representative sample show that most phishing e-mails were detected by less than 30% of the participants, regardless of which e-mail part was displayed. In fact, phishing detection was worst when only e-mail headers were provided. Thus, people still fall for phishing, because they do not recognize online impersonation tactics. No personal traits, e-mail characteristics, nor URL interactions reliably predicted phishing detection abilities. These findings highlight the need for novel approaches to help users with evaluating e-mail authenticity.

Download activity - last month

Export as XMLJSONCSV

Download activity - last 12 months

Export as CSVXMLJSON

Downloads by country - last 12 months

Export as CSVJSONXML

Archive Staff Only

View Item