URL Inspection Tasks: Helping Users Detect Phishing Links in Emails
Daniele Lain, Yoshimichi Nakatsuka, Kari Kostiainen, Gene Tsudik, Srdjan Capkun
TL;DR
The paper tackles the persistent threat of URL-based phishing by addressing user inattention and limited URL literacy. It introduces three CAPTCHA-inspired URL inspection tasks (clicking, highlighting, typing) that force users to engage with the URL and verify intent after clicking a link, delivering feedback when mismatches occur. In a large online role-play study with 2,673 participants across cultures, the approach significantly reduced phishing success from 74% (control) to about 35%, with particularly strong gains against typosquat URLs; solving times increased modestly, indicating a trade-off between security and usability. The findings support sporadic deployment in high-security settings, show robustness across longer exposure and multilingual contexts, and provide practical guidance for warning design and user education to improve real-world phishing resilience.
Abstract
The most widespread type of phishing attack involves email messages with links pointing to malicious content. Despite user training and the use of detection techniques, these attacks are still highly effective. Recent studies show that it is user inattentiveness, rather than lack of education, that is one of the key factors in successful phishing attacks. To this end, we develop a novel phishing defense mechanism based on URL inspection tasks: small challenges (loosely inspired by CAPTCHAs) that, to be solved, require users to interact with, and understand, the basic URL structure. We implemented and evaluated three tasks that act as ``barriers'' to visiting the website: (1) correct click-selection from a list of URLs, (2) mouse-based highlighting of the domain-name URL component, and (3) re-typing the domain-name. These tasks follow best practices in security interfaces and warning design. We assessed the efficacy of these tasks through an extensive on-line user study with 2,673 participants from three different cultures, native languages, and alphabets. Results show that these tasks significantly decrease the rate of successful phishing attempts, compared to the baseline case. Results also showed the highest efficacy for difficult URLs, such as typo-squats, with which participants struggled the most. This highlights the importance of (1) slowing down users while focusing their attention and (2) helping them understand the URL structure (especially, the domain-name component thereof) and matching it to their intent.