"Oh, sh*t! I actually opened the document!": An Empirical Study of the Experiences with Suspicious Emails in Virtual Reality Headsets
Filipo Sharevski, Jennifer Vander Loop, Sarah Ferguson
TL;DR
This study examines how users perceive and respond to suspicious emails when accessed through VR headsets (Apple Vision Pro and Meta Quest 3) using their own Gmail accounts. It employs mild deception by covertly sending false-positive phishing emails to test warning effectiveness and user actions during VR email sorting. The findings show that warnings can reduce interaction but VR ergonomics and immersion introduce misclick susceptibility, underscoring the need for VR-aware warning designs and training approaches. The work provides design recommendations for VR banner warnings and highlights the potential of VR-based phishing awareness training in productivity settings.
Abstract
This paper reports on a study exploring user experiences with suspicious emails and associated warnings when accessed through virtual reality (VR) headsets in realistic settings. A group of (n=20) Apple Vision Pro and another group of (n=20) Meta Quest 3 users were invited to sort through their own selection of Google mail suspicious emails through the VR headset. We asked them to verbalize the experience relative to how they assess the emails, what cues they use to determine their legitimacy, and what actions they would take for each suspicious email of their choice. We covertly sent a "false positive" suspicious email containing either a URL or an attachment (an email that is assigned a suspicious email warning but, in reality, is a legitimate one) and observed how participants would interact with it. Two participants clicked on the link (Apple Vision Pro), and one participant opened the attachment (Meta Quest 3). Upon close inspection, in all three instances, the participant "fell" for the phish because of the VR headsets' hypersensitive clicking and lack of ergonomic precision during the routine email sorting task. These and the other participants thus offered recommendations for implementing suspicious email warnings in VR environments, considerate of the immersiveness and ergonomics of the headsets' interface.