Our partners from KTH conducted a study on how persons identify phishing websites and wrote an article called “Why Phishing Works on Smartphones: A Preliminary Study” on it, which has been accepted for presentation at the 54th Hawaii International Conference on System Sciences (HICSS). The abstract is as follows:
Phishing is a form of fraud where an attacker attempts to acquire sensitive information from a target by posing as trustworthy. One strategy to fool the target is spoofing of a legitimate website. But why do people fall for phishing, and what security indicators are utilized or not utilized when deciding the legitimacy of a website? Hitherto, two studies have been conducted in 2006 and 2015. As time has passed since then, we like to check if people are meanwhile more certain in identifying spoofed websites. Therefore, 20 participants were observed when they analyzed and classified websites as legitimate or spoofed. On average participants had a success rate of 69 \%, like previous studies’ results. The URL was used as an indicator by most of the participants (80 \%), indicating user behavior and ease of identifying spoofed and legitimate websites is not very different on a smartphone compared to a desktop. Almost all participants used the content of the website at least once when deciding if a website was spoofed or legitimate. These findings will be used to conduct a bigger study to create more resilient results.