Why phishing works

To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.

• Publication year

  2006

• Venue

  International Conference on Human Factors in Computing Systems

• Publication date

  2006-04-22

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1145/1124772.1124861
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Do security toolbars actually prevent phishing attacks?

  2006cited by this paper
• The battle against phishing: Dynamic Security Skins

  2005cited by this paper
• Phishing Attack Victims Likely Targets for Identity Theft

  2005cited by this paper
• Authentication for humans: the design and evaluation of usable security systems

  2005cited by this paper
• An overview of online trust: Concepts, elements, and implications

  2005cited by this paper
• How do users evaluate the credibility of Web sites?: a study with over 2,500 participants

  2003cited by this paper
• Users' conceptions of web security

  2002cited by this paper
• Reflections on the dimensions of trust and trustworthiness among online consumers

  2002cited by this paper
• Evidence of the Effect of Trust Building Technology in Electronic markets: Price Premiums and Buyer Behavior

  2002cited by this paper
• Users' conceptions of risks and harms on the web: a comparative study

  2002cited by this paper
• Electronic Commerce and Consumer Privacy: Establishing Online Trust in the U.S. Digital Economy

  2002cited by this paper
• Users' conceptions of web security: a comparative study

  2002cited by this paper
• A Trust Model for Consumer Internet Shopping

  2001cited by this paper
• What makes Web sites credible?: a report on a large quantitative study

  2001cited by this paper
• Affective design of E-commerce user interfaces: how to maximise perceived trustworthiness

  2001cited by this paper
• A B-to-C Trust Model for On-line Exchange

  2001cited by this paper
• To Trust or Not to Trust? A Model of Internet Trust from the Customer's Point of View

  2001cited by this paper

• Sharing passwords with strangers – A laboratory study

  2026cites this paper
• AegisUI: Behavioral Anomaly Detection for Structured User Interface Protocols in AI Agent Systems

  2026cites this paper
• Evaluating Large Language Models’ Ability to Automate Spear Phishing

  2026cites this paper
• Analyzing instance representation in cognitive models of phishing decision-making

  2026cites this paper
• Clouding the Mirror: Stealthy Prompt Injection Attacks Targeting LLM-based Phishing Detection

  2026cites this paper
• Enhancing organizational cybersecurity: A framework for mitigating email phishing attacks

  2025cites this paper
• EnLeM: ensemble learning-based model to detect phishing websites

  2025cites this paper
• The Mediating Role of Explainable AI on Phishing Susceptibility

  2025cites this paper
• Two-step email spam detection: comparing machine and deep learning accuracy

  2025cites this paper
• Disrupting the scammer lifecycle: A dynamically-consistent numerical analysis of a compartment model for scam-victim dynamics

  2025cites this paper
• Enhanced Predictive Clustering of User Profiles: A Model for Classifying Individuals Based on Email Interaction and Behavioral Patterns

  2025cites this paper
• The nexus of mindfulness, affect, and information processing in phishing identification: An empirical examination

  2025cites this paper
• Understanding the Role of Demographic and Psychological Factors in Users’ Susceptibility to Phishing Emails: A Review

  2025cites this paper
• Card-Not-Present Fraud resulting from Smishing Attacks: An Experimental Study

  2025cites this paper
• Zero-Training Fraud Detection in a Large Messaging Platform?

  2025cites this paper
• Semantic Superiority vs. Forensic Efficiency: A Comparative Analysis of Deep Learning and Psycholinguistics for Business Email Compromise Detection

  2025cites this paper
• E-PhishGEN: Unlocking Novel Research in Phishing Email Detection

  2025cites this paper
• Cost-Sensitive User Modeling for Predicting Phishing Susceptibility

  2025cites this paper
• Phishing reporting in organizations: What motivates employees to take action?

  2025cites this paper
• Emerging Threats and Fortifying Defenses in Digital Age (A Review of cyber-security threats)

  2025cites this paper
• Integrating Sociocultural Intelligence Into Cybersecurity: A LESCANT-Based Approach for Phishing and Social Engineering Detection

  2025cites this paper
• Enhancing Cyberspace Security with Phishing Detection and Defense Using Machine Learning Models

  2025cites this paper
• AI-deepfake scams and the importance of a holistic communication security strategy

  2025cites this paper
• The Role of Cognitive Skills in Phishing Detection: A Comparative Study Between Chess Players and Non-Chess Players

  2025cites this paper
• Context-Aware Phishing-Resistant Authentication for Federated Identity in Internet of Things Platforms

  2025cites this paper
• Reinforced Disentangled HTML Representation Learning with Hard-Sample Mining for Phishing Webpage Detection

  2025cites this paper
• Real-Time, Evidence-Based Alerts for Protection From Phishing Attacks

  2025cites this paper
• Enhancing Phishing Defenses: The Impact of Timing and Explanations in Warnings for Email Clients

  2025cites this paper
• Phishing Experiments in the Wild: Lessons for Ubiquitous and Context-Aware Security

  2025cites this paper
• URL Inspection Tasks: Helping Users Detect Phishing Links in Emails

  2025cites this paper
• Real-Time Phishing URL Detection by using XGBoost and Google Safe Browsing API

  2025cites this paper
• Detection of Phishing Websites using Feature Selection and Image Embeddings

  2025cites this paper
• Enhancing Mobile Security Through Haptic Feedback: A Multi-Participant Investigation into Mitigating Social Engineering Attacks on Android Devices

  2025cites this paper
• Exploring Millennial Security Awareness of Data Protection, Cybercrime, and Privacy Management in Indonesia

  2025cites this paper
• Detecting and Preventing Phishing Attacks: An Approach to Improve Cybersecurity

  2025cites this paper
• Phishing Attacks in the Age of Generative Artificial Intelligence: A Systematic Review of Human Factors

  2025cites this paper
• Improving Phishing Resilience with AI-Generated Training: Evidence on Prompting, Personalization, and Duration

  2025cites this paper
• Introduction to Human-Computer Interaction

  2025cites this paper
• Decoding Scam Calls: A Linguistic Analysis of Fraudulent Manipulation Tactics

  2025cites this paper
• Cybersecurity is Stressful: The Impact of Stress on Identifying Phishing Attacks

  2025cites this paper
• Infrastructure Patterns in Toll Scam Domains: A Comprehensive Analysis of Cybercriminal Registration and Hosting Strategies

  2025cites this paper
• D-PhishNet: A dual-branch network for URL and HTML feature fusion in phishing webpage detection

  2025cites this paper
• Improving Mobile Security with Visual Trust Indicators for Smishing Detection

  2025cites this paper
• Can You Walk Me Through It? Explainable SMS Phishing Detection using LLM-based Agents

  2025cites this paper
• Evaluating Large Language Models for Phishing Detection, Self-Consistency, Faithfulness, and Explainability

  2025cites this paper
• Understanding the Efficacy of Phishing Training in Practice

  2025cites this paper
• Department-Specific Security Awareness Campaigns: A Cross-Organizational Study of HR and Accounting

  2025cites this paper
• Emotional Manipulation in Phishing Emails: Experimental Study of Affective Responses and Human Classification Errors in a Simulated Email Environment

  2025cites this paper
• LLMs unlock new paths to monetizing exploits

  2025cites this paper
• AntiPhishStack: LSTM-based Stacked Generalization Model for Optimized Phishing URL Detection

  2024cites this paper
• Enhancing Phishing Resilience in Academia: The Mediating Role of Anti-Phishing Tools on Student Awareness and Behavior

  2024cites this paper
• The (Relative) Impact of Email Cues on the Perceived Threat of Phishing Attacks: A User Perspective on Phishing Deceptiveness

  2024cites this paper
• Prompt Engineering or Fine-Tuning? A Case Study on Phishing Detection with Large Language Models

  2024cites this paper
• SpearBot: Leveraging Large Language Models in a Generative-Critique Framework for Spear-Phishing Email Generation

  2024cites this paper
• Detection of Phishing Attacks in Iranian E-Banking Websites Using a Neuro-Fuzzy System

  2024cites this paper
• Protecting Onion Service Users Against Phishing

  2024cites this paper
• PROTECTION OF ONE’S OWN PERSONAL DATA – CONCEPTUALISATION AND MEASUREMENT

  2024cites this paper
• Deep Dive into Client-Side Anti-Phishing: A Longitudinal Study Bridging Academia and Industry

  2024cites this paper
• Human Factor in Cybersecurity: Behavioral Insights into Phishing and Social Engineering Attacks

  2024cites this paper
• Discovering the Correlation Between Phishing Susceptibility Causing Data Biases and Big Five Personality Traits Using C-GAN

  2024cites this paper
• Securing the Digital Frontier: Legal Analysis of Cybersecurity, Data Privacy and Cyber Forensics in India

  2024cites this paper
• The cyber-industrialization of catfishing and romance fraud

  2024cites this paper
• Evaluating Large Language Models' Capability to Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects

  2024cites this paper
• 'Protect and Fight Back': A Case Study on User Motivations to Report Phishing Emails

  2024cites this paper
• Phishing Recognition Software based on Machine Learning

  2024cites this paper
• A case study on phishing detection with a machine learning net

  2024cites this paper
• SMILE4VIP: Intervention to Support Visually Impaired Users Against Phishing

  2024cites this paper
• Phishing Webpage Detection via Multi-Modal Integration of HTML DOM Graphs and URL Features Based on Graph Convolutional and Transformer Networks

  2024cites this paper
• The Imitation Game: Exploring Brand Impersonation Attacks on Social Media Platforms

  2024cites this paper
• CLASSIFICATION AND METHODS OF DETECTION OF PHISHING ATTACKS

  2024cites this paper
• Browser‐in‐the‐middle attacks: A comprehensive analysis and countermeasures

  2024cites this paper
• Social Engineering and Human Factors in Penetration Testing

  2024cites this paper
• The Evolution of China's Cyber-Espionage Tactics: From Traditional Espionage to AI-Driven Cyber Threats against Critical Infrastructure in the West

  2024influential citation
• UWB-Auth: A UWB-based Two Factor Authentication Platform

  2024cites this paper
• Development of a Phishing Detection System Using Support Vector Machine

  2024cites this paper
• A comprehensive survey on mobile browser security issues, challenges and solutions

  2024cites this paper
• Behind Closed Doors: Insider Threats in the World of Cybersecurity

  2024influential citation
• Optimising IT Security Research via a Low Cost, Instantly Available, Cloud Based Cyber Range

  2024cites this paper
• SoK (or SoLK?): On the Quantitative Study of Sociodemographic Factors and Computer Security Behaviors

  2024influential citation
• "Are Adversarial Phishing Webpages a Threat in Reality?" Understanding the Users' Perception of Adversarial Webpages

  2024cites this paper
• Privacy-Aware Decision Making: The Effect of Privacy Nudges on Privacy Awareness and the Monetary Assessment of Personal Information

  2024cites this paper
• Internet-Based Social Engineering Psychology, Attacks, and Defenses: A Survey

  2024cites this paper
• Pretend security policy using ontology matching system

  2024cites this paper
• Eyes on phishing emails: an eye-tracking study

  2024cites this paper
• Devising and Detecting Phishing Emails Using Large Language Models

  2024cites this paper
• The influence of affective processing on phishing susceptibility

  2024cites this paper
• Two-Factor Authentication for Keyless Entry System via Finger-Induced Vibrations

  2024cites this paper
• Developing a Multi-Layered Defence System to Safeguard Data against Phishing Attacks

  2024cites this paper
• Machine Learning Based Improved Phishing Detection using Adversarial Auto Encoder

  2023cites this paper
• Enhancing Cybersecurity: The Crucial Role of Self-Regulation, Information Processing, and Financial Knowledge in Combating Phishing Attacks

  2023cites this paper
• The Design and Evaluation of an Online Interactive Anti-phishing Training Method

  2023cites this paper
• Cybersecurity Empirics: Evaluating Machine Learning Techniques for Phishing Detection

  2023cites this paper
• Understanding the Viability of Gmail's Origin Indicator for Identifying the Sender

  2023cites this paper
• A Quantitative Study of SMS Phishing Detection

  2023cites this paper
• What Influences People’s Adoption of Cognitive Cybersecurity?

  2023cites this paper
• A comprehensive examination of email spoofing: Issues and prospects for email security

  2023cites this paper
• A New Cyber Risk: How Teens Expose Corporations in WFH Era

  2023cites this paper
• A Large-Scale Study of Phishing PDF Documents

  2023cites this paper
• Influence of URL Formatting on Users' Phishing URL Detection

  2023cites this paper
• Not only E.T. Phones Home: Analysing the Native User Tracking of Mobile Browsers

  2023cites this paper