How Johnny Experiences Phishing Warnings: A Qualitative Study Investigating the Impact of Design Decisions on the User

Pham, Stefanie; LENZINI, Gabriele; Pöhn, Daniela

doi:10.1109/access.2025.3642897

Download

Article (Scientific journals)

How Johnny Experiences Phishing Warnings: A Qualitative Study Investigating the Impact of Design Decisions on the User

Pham, Stefanie; LENZINI, Gabriele; Pöhn, Daniela

2025 • In IEEE Access, p. 1-1

Peer Reviewed verified by ORBi

Permalink
https://hdl.handle.net/10993/66938

DOI
10.1109/access.2025.3642897

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

How_Johnny_Experiences_Phishing_Warnings_A_Qualita.pdf

Author preprint (2.98 MB)

Creative Commons License - Attribution, Non-Commercial, No Derivative

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Phishing; Human Computer Interation; Cybersecurity

Abstract :

[en] To this day, phishing remains one of the most critical and elusive threats in cybersecurity. Although detection technologies have evolved and improved, they have not kept pace with novel phishing strategies. Thus, when software cannot definitively identify phishing, the last line of defense rests with the user when they are asked to “think before you click”. The appeal is commonly accompanied by warning messages, supposedly providing the user with enough information and incentive to make an informed, secure decision. However, warning messages must be carefully crafted because their elements can considerably affect the user’s agency, trust, and decision-making. We selected four of the key design elements in warning messages: content , placement , level of friction , and timing . We conducted a qualitative study using think-aloud sessions with 18 participants. Each participant was presented with phishing scenarios, accompanied by warning messages that differ in regard to those four elements of design, followed by a post-session interview. Thematic analysis revealed 13 themes across the four elements and from the analysis, novel insights emerged. For instance, timing changes the context in which users frame their concern: rather than being concerned about the potential consequences of clicking —as the warning intends— they become suspicious of the app displaying the message, fearing it may invade their privacy and violate their security. Our findings form a basis for future research about how to design and implement mechanisms, such as warning apps, that are more adaptable, targeted, and potentially more effective in protecting users from phishing attacks.

Research center :

SnT/UL IRiSC

Disciplines :

Computer science

Author, co-author :

Pham, Stefanie; Ludwig-Maximilians-Universität München, Munich, Germany

LENZINI, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC

Pöhn, Daniela ; University of the Bundeswehr Munich, RI CODE, Neubiberg, Germany

External co-authors :

yes

Language :

English

Title :

How Johnny Experiences Phishing Warnings: A Qualitative Study Investigating the Impact of Design Decisions on the User

Publication date :

December 2025

Journal title :

IEEE Access

ISSN :

2169-3536

Publisher :

IEEE

Pages :

1-1

Peer reviewed :

Peer Reviewed verified by ORBi

Focus Area :

Security, Reliability and Trust

Additional URL :

https://ieeexplore-ieee-org.proxy.bnl.lu/document/11298165

FnR Project :

FNR14926102 - SEVERITAS - Secure And Verifiable Electronic Testing And Assessment Systems, 2020 (01/05/2021-30/04/2025) - Gabriele Lenzini

Name of the research project :

R-STR-5031 - GR IRiSC - LENZINI Gabriele

Available on ORBilu :

since 19 December 2025

Statistics

Number of views

39 (3 by Unilu)

Number of downloads

23 (1 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

OpenAlex citations

Bibliography

Sophos Ltd., ‘‘Phishing-insights 2021,’’ Sophos Ltd., Abingdon, United Kingdom, Whitepaper, 2021, https://www.sophos.com/resources/phishing-insights-2021.
Anti-Phishing Working Group, ‘‘Phishing Activity Trends Report, 4th Quarter 2023,’’ Anti-Phishing Working Group, Lexington, MA, USA, Quarterly Report, Nov. 2023, https://docs.apwg.org/reports/apwg_trends_report_q4_2023.pdf.
——, ‘‘Phishing Activity Trends Report, 1st Quarter 2024,’’ Anti-Phishing Working Group, Lexington, MA, USA, Quarterly Report, May 2024, https://docs.apwg.org/reports/apwg_trends_report_q1_2024.pdf.
B. Schneier, ‘‘Semantic attacks: The third wave of network attacks,’’ 2000, [Online]. Available: https://www.schneier.com/essays/archives/2000/10/the-third-wave-of-network-attacks.html. Accessed on: Nov 14, 2025.
A. Prasad and S. Chandra, ‘‘PhiUSIIL: A diverse security profile empowered phishing URL detection framework based on similarity index and incremental learning,’’ Comput. Secur., vol. 136, p. 103545, 2024, DOI: 10.1016/j.cose.2023.103545.
Z. F. Zaaba, C. Lim Xin Yi, A. Amran, and M. A. Omar, ‘‘Harnessing the Challenges and Solutions to Improve Security Warnings: A Review,’’ Sens., vol. 21, no. 21, p. 7313, Nov. 2021, DOI: 10.3390/s21217313.
P. Boyle and L. A. Shepherd, ‘‘MailTrout: A machine learning browser extension for detecting phishing emails,’’ in Proc. British HCI Conference, virtual, Jul. 2021, pp. 104–115, DOI: 10.14236/ewic/HCI2021.10.
M. Volkamer, K. Renaud, B. Reinheimer, and A. Kunz, ‘‘User experiences of TORPEDO: TOoltip-poweRed Phishing Email DetectiOn,’’ Comput. Secur., vol. 71, pp. 100–113, Nov. 2017, DOI: 10.1016/j.cose.2017.02.004.
M. Cooper, Y. Levy, L. Wang, and L. Dringus, ‘‘Heads-up! An Alert and Warning System for Phishing Emails,’’ Organ. Cybersecur. J. Pract. Process People, vol. 1, no. 1, pp. 47–68, Jan. 2021, DOI: 10.1108/OCJ-03-2021-0006.
M. Moghimi and A. Y. Varjani, ‘‘New Rule-Based Phishing Detection Method,’’ Expert Sys. Appl., vol. 53, pp. 231–242, Jul. 2016, DOI: 10.1016/j.eswa.2016.01.028.
O. K. Sahingoz, E. Buber, O. Demir, and B. Diri, ‘‘Machine learning based phishing detection from URLs,’’ Expert Sys. Appl., vol. 117, pp. 345–357, Mar. 2019, DOI: 10.1016/j.eswa.2018.09.029.
O. Bhopen Singh and H. Tahbildar, ‘‘A Literature Survey on Anti-Phishing Browser Extensions,’’ Int. J. Comput. Sci. Eng. Surv., vol. 6, no. 4, pp. 21–37, Aug. 2015, DOI: 10.5121/ijcses.2015.6402.
A. A. Zuraiq and M. Alkasassbeh, ‘‘Review: Phishing Detection Approaches,’’ in Proc. ICTCS, Como, Italy, Oct. 2019, pp. 1–6, DOI: 10.1109/ICTCS.2019.8923069.
V. Shahrivari, M. M. Darabi, and M. Izadi, ‘‘Phishing Detection Using Machine Learning Techniques,’’ Sep. 2020, [Online]. DOI: 10.48550/arXiv.2009.11116. Accessed on: May 26, 2025.
S. Das, A. Kim, Z. Tingle, and C. Nippert-Eng, ‘‘All about phishing: Exploring user research through a systematic literature review,’’ in Proc. HAISA, Nicosia, Cyprus, Aug. 2019, pp. 189–202.
D. Lain, K. Kostiainen, and S. Čapkun, ‘‘Phishing in Organizations: Findings from a Large-Scale and Long-Term Study,’’ in Proc. SP, San Francisco, CA, USA, May 2022, pp. 842–859, DOI: 10.1109/SP46214.2022.9833766.
M. Lennartsson, J. Kävrestad, and M. Nohlberg, ‘‘Exploring the Meaning of ‘‘Usable Security’’,’’ in Proc. HAISA, Mytilene, Greece, ser. IFIP Advances in Information and Communication Technology, N. Clarke and S. Furnell, Eds., 2020, pp. 247–258, DOI: 10.1007/978-3-030-57404-8_19.
J. Petelka, Y. Zou, and F. Schaub, ‘‘Put Your Warning Where Your Link Is: Improving and Evaluating Email Phishing Warnings,’’ in Proc. CHI, Glasgow, Scotland, United Kingdom, May 2019, pp. 1–15, DOI: 10.1145/3290605.3300748.
V. Distler, G. Lenzini, C. Lallemand, and V. Koenig, ‘‘The Framework of Security-Enhancing Friction: How UX Can Help Users Behave More Securely,’’ in Proc. NSPW, online, Oct. 2020, pp. 45–58, DOI: 10.1145/3442167.3442173.
L. Qu, R. Xiao, and W. Shi, ‘‘Interactions of Framing and Timing in Nudging Online Game Security,’’ Comput. Secur., vol. 124, p. 102962, Jan. 2023, DOI: 10.1016/j.cose.2022.102962.
B. Naqvi, K. Perova, A. Farooq, I. Makhdoom, S. Oyedeji, and J. Porras, ‘‘Mitigation strategies against the phishing attacks: A systematic literature review,’’ Comput. Secur., vol. 132, p. 103387, Sep. 2023, DOI: 10.1016/j.cose.2023.103387.
H. Siadati, S. Palka, A. Siegel, and D. McCoy, ‘‘Measuring the effectiveness of embedded phishing exercises,’’ in Proc. CSET, Vancouver, BC, Canada, 2017, pp. 1–8.
P. Kumaraguru, S. Sheng, A. Acquisti, L. F. Cranor, and J. Hong, ‘‘Lessons from a Real World Evaluation of Anti-Phishing Training,’’ in Proc. eCrime, Atlanta, GA, USA, Oct. 2008, pp. 1–12, DOI: 10.1109/ECRIME.2008.4696970.
D. Jampen, G. Gür, T. Sutter, and B. Tellenbach, ‘‘Don’t Click: Towards an Effective Anti-Phishing Training. A Comparative Literature Review,’’ Hum.-centric Comput. Inf. Sci., vol. 10, no. 1, p. 33, Aug. 2020, DOI: 10.1186/s13673-020-00237-7.
G. Misra, N. A. G. Arachchilage, and S. Berkovsky, ‘‘Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks,’’ in Proc. HAISA, Adelaide, Australia, 2017, pp. 41–51.
F. Rubia, A. Yasin, and L. Liu, ‘‘How Persuasive Is a Phishing Email? A Phishing Game for Phishing Awareness,’’ J. Comput. Secur., vol. 27, no. 6, pp. 581–612, Jan. 2019, DOI: 10.3233/JCS-181253.
Z. Wen, Z. Lin, R. Chen, and E. Andersen, ‘‘What.Hack: Engaging Anti-Phishing Training Through a Role-playing Phishing Simulation Game,’’ in Proc. CHI, Glasgow, Scotland, UK, Apr. 2019, p. 12, DOI: 10.1145/3290605.3300338.
X. Chen, M. Sacré, G. Lenzini, S. Greiff, V. Distler, and A. Sergeeva, ‘‘The Effects of Group Discussion and Role-playing Training on Self-efficacy, Support-seeking, and Reporting Phishing Emails: Evidence from a Mixed-design Experiment,’’ in Proc. CHI, Honolulu, HI, USA, 2024, DOI: 10.1145/3613904.3641943.
S. Bell and P. Komisarczuk, ‘‘An analysis of phishing blacklists: Google Safe Browsing, OpenPhish, and PhishTank,’’ in Proc. ACSW, Melbourne, VIC, Australia, 2020, pp. 1–11, DOI: 10.1145/3373017.3373020.
R. Srinivasa Rao and A. R. Pais, ‘‘Detecting Phishing Websites using Automation of Human Behavior,’’ in Proc. CPSS, Abu Dhabi, United Arab Emirates, 2017, p. 33–42, DOI: 10.1145/3055186.3055188.
P. Bountakas, K. Koutroumpouchos, and C. Xenakis, ‘‘A Comparison of Natural Language Processing and Machine Learning Methods for Phishing Email Detection,’’ in Proc. ARES, Vienna, Austria, 2021, pp. 1–12, DOI:10.1145/3465481.3469205.
E. G. Dada, J. S. Bassi, H. Chiroma, S. M. Abdulhamid, A. O. Adetunmbi, and O. E. Ajibuwa, ‘‘Machine learning for email spam filtering: review, approaches and open research problems,’’ Heliyon, vol. 5, no. 6, p. e01802, Jun. 2019, DOI: 10.1016/j.heliyon.2019.e01802.
D. Akhawe and A. P. Felt, ‘‘Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness,’’ in Proc. USENIX Security, Washington, D.C., USA, 2013, pp. 257–272.
R. W. Reeder, A. P. Felt, S. Consolvo, N. Malkin, C. Thompson, and S. Egelman, ‘‘An experience sampling study of user reactions to browser warnings in the field,’’ in Proc. CHI, Montreal, QC, Canada, Apr. 2018, pp. 1–13, DOI: 10.1145/3173574.3174086.
A. Aggarwal, A. Rajadesingan, and P. Kumaraguru, ‘‘PhishAri: Automatic realtime phishing detection on Twitter,’’ in Proc. eCrime, Las Croabas, PR, USA, 2012, pp. 1–12, DOI: 10.1109/eCrime.2012.6489521.
F. Greco, G. Desolda, P. Buono, and A. Piccinno, ‘‘Enhancing Phishing Defenses: The Impact of Timing and Explanations in Warnings for Email Clients,’’ Comput. Standards Interfaces, vol. 93, p. 103982, 2025, DOI: 10.1016/j.csi.2025.103982.
S. Bender, S. Horn, G. Loewenstein, and O. Roberts, ‘‘Phishing feedback: just-in-time intervention improves online security,’’ Behav. Public Policy, p. 1–13, 2024, DOI: 10.1017/bpp.2024.19.
J. Petelka, B. Berens, C. Sugatan, M. Volkamer, and F. Schaub, ‘‘Restricting the Link: Effects of Focused Attention and Time Delay on Phishing Warning Effectiveness,’’ in Proc. IEEE SP, San Francisco, CA, USA. Los Alamitos, CA, USA: IEEE Computer Society, May 2025, pp. 1–19. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/SP61157.2025.00007
A. L. Cox, S. J. Gould, M. E. Cecchinato, I. Iacovides, and I. Renfree, ‘‘Design Frictions for Mindful Interactions: The Case for Microboundaries,’’ in Proc. CHI EA, San Jose, CA, USA, May 2016, pp. 1389–1397, DOI: 10.1145/2851581.2892410.
E. J. Slifkin and M. B. Neider, ‘‘Phishing interrupted: The impact of task interruptions on phishing email classification,’’ Int. J. Hum.-Comp. Stud., vol. 174, p. 103017, Jun. 2023, DOI: 10.1016/j.ijhcs.2023.103017.
C. Bravo-Lillo, L. Cranor, S. Komanduri, S. Schechter, and M. Sleeper, ‘‘Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It,’’ in Proc. SOUPS, Menlo Park, CA, USA, 2014, pp. 105–111.
C. Bravo-Lillo, S. Komanduri, L. F. Cranor, R. W. Reeder, M. Sleeper, J. Downs, and S. Schechter, ‘‘Your attention please: Designing security-decision UIs to make genuine risks harder to ignore,’’ in Proc. SOUPS, Newcastle, United Kingdom, Jul. 2013, pp. 1–12, DOI: 10.1145/2501604.2501610.
A. Dennis and R. Minas, ‘‘Security on Autopilot: Why Current Security Theories Hijack Our Thinking and Lead Us Astray,’’ ACM SIGMIS Database: DATABASE Adv. Inf. Syst., vol. 49, pp. 15–38, Apr. 2018, DOI: 10.1145/3210530.3210533.
D. Kahneman, Thinking, Fast and Slow, ser. Penguin Psychology. London, United Kingdom: Penguin Books, 2012.
M. Harbach, S. Fahl, P. Yakovleva, and M. Smith, ‘‘Sorry, I don’t get it: An analysis of warning message texts,’’ in Financial Cryptography and Data Security, D. Hutchison, T. Kanade, and A. A. Adams, Eds. Berlin, Heidelberg, Germany: Springer Berlin Heidelberg, 2013, vol. 7862, pp. 94–111, DOI: 10.1007/978-3-642-41320-9_7.
Z. F. Zaaba and T. K. Boon, ‘‘Examination on Usability Issues of Security Warning Dialogs,’’ J. Multidiscip. Eng. Sci. Technol. (JMEST), vol. 2, no. 6, pp. 26–35, Jun. 2015.
O. Sarker, A. Jayatilaka, S. Haggag, C. Liu, and M. A. Babar, ‘‘A multivocal literature review on challenges and critical success factors of phishing education, training and awareness,’’ J. Syst. Softw., vol. 208, p. 111899, Feb. 2024, DOI: 10.1016/j.jss.2023.111899.
V. Braun and V. Clarke, ‘‘Using Thematic Analysis in Psychology,’’ Qual. Res. Psychol., vol. 3, no. 2, pp. 77–101, Jan. 2006, DOI: 10.1191/1478088706qp063oa.
Ustuk, Özgehan, ‘‘Thematic analysis with maxqda: Step-by-step guide,’’ 2025, [Online]. Availabe: https://www.maxqda.com/blogpost/thematicanalysis-with-maxqda-step-by-step-guide. Accessed on: Nov 14, 2025.
K. Krol, M. Moroz, and M. A. Sasse, ‘‘Don’t Work. Can’t Work? Why It’s Time to Rethink Security Warnings,’’ in Proc. CRiSIS, Cork, Ireland, Oct. 2012, pp. 1–8, DOI: 10.1109/CRISIS.2012.6378951.
Figma, ‘‘Figma: The collaborative interface design tool,’’ 2025, [Online]. Availabe: https://www.figma.com/. Accessed on: Nov 14, 2025.
LinkedIn, ‘‘LinkedIn,’’ 2025, [Online]. Availabe: https://www.linkedin.com/. Accessed on: Nov 14, 2025.
Check Point Research Team, ‘‘LinkedIn still number one brand to be faked in phishing attempts while Microsoft surges up the rankings to number two spot in Q2 report,’’ Jul. 2022, [Online]. Availabe: https://blog.checkpoint.com/2022/07/19/linkedin-still-number-one-brand-to-be-faked-in-phishing-attempts-while-microsoft-surges-up-therankings-to-number-two-spot-in-q2-report/. Accessed on: Nov 14, 2025.
A. Black, P. Luna, O. Lund, and S. Walker, Information Design: Research and Practice. Milton Park, United Kingdom: Taylor & Francis, Jan. 2017.
Mozilla, ‘‘Mozilla phishing test site,’’ 2025, [Online]. Availabe: https://www.itisatrap.org/firefox/its-a-trap.html. Accessed on: Nov 14, 2025.
Netcraft, ‘‘Netcraft,’’ 2025, [Online]. Availabe: https://www.netcraft.com/. Accessed on: Nov 14, 2025.
ZecOps Research Team, ‘‘Introducing ZecOps Anti-Phishing Extension,’’ Apr. 2021, [Online]. Available: https://blog.zecops.com/announcements/introducing-zecops-anti-phishing-extension/. Accessed on: Nov 14, 2025.
M. Volkamer, ‘‘TORPEDO,’’ Feb. 2022, [Online]. Available: https://secuso.aifb.kit.edu/TORPEDO.php/. Accessed on: Nov 14, 2025.
B. Ramkumar, ‘‘PicoPalette phishing site detector plugin,’’ 2018, [Online]. Availabe: https://github.com/picopalette/phishing-detection-plugin. Accessed on: Nov 14, 2025.
M. Hennink and B. N. Kaiser, ‘‘Sample sizes for saturation in qualitative research: A systematic review of empirical tests,’’ Soc. Sci. Med., vol. 292, p. 114523, 2022, DOI: 10.1016/j.socscimed.2021.114523.
R. Carlsson, S. Rauti, and T. Heino, ‘‘A Case Study of a Privacy-Invading Browser Extension,’’ in Proc. ICITS, Cusco, Peru, ser. Lecture Notes in Networks and Systems, Á. Rocha, C. Ferrás, and W. Ibarra, Eds., 2023, pp. 127–134, DOI: 10.1007/978-3-031-33258-6_12.
C. H. Rankin, T. Abrams, R. J. Barry, S. Bhatnagar, D. F. Clayton, J. Colombo, G. Coppola, M. A. Geyer, D. L. Glanzman, S. Marsland, F. K. McSweeney, D. A. Wilson, C.-F. Wu, and R. F. Thompson, ‘‘Habituation Revisited: An Updated and Revised Description of the Behavioral Characteristics of Habituation,’’ Neurobiol. Learn. Mem., vol. 92, no. 2, pp. 135–138, Sep. 2009, DOI: 10.1016/j.nlm.2008.09.012.
A. Vance, J. L. Jenkins, and B. B. Anderson, ‘‘The fog of warnings: How non-essential notifications blur with security warnings,’’ in Proc. SOUPS, Santa Clara, CA, USA, 2019, pp. 407–420.
S. Das, A. Dingman, and L. J. Camp, ‘‘Why Johnny doesn’t use two factor a two-phase usability study of the FIDO U2F security key,’’ in Financial Cryptography and Data Security, S. Meiklejohn and K. Sako, Eds. Berlin, Heidelberg, Germany: Springer Berlin Heidelberg, 2018, vol. 10957, pp. 160–179, DOI: 10.1007/978-3-662-58387-6_9.
Z. Benenson, G. Lenzini, D. Oliveira, S. Parkin, and S. Uebelacker, ‘‘Maybe Poor Johnny Really Cannot Encrypt: The Case for a Complexity Theory for Usable Security,’’ in Proc. NSPW, Twente, Netherlands, Sep. 2015, pp. 85–99, DOI: 10.1145/2841113.2841120.
G. Cybenko, ‘‘Why Johnny can’t evaluate security risk,’’ IEEE Secur. Priv., vol. 4, no. 01, pp. 5–5, Jan. 2006, DOI: 10.1109/MSP.2006.30.
R. Wash and E. Rader, ‘‘Too Much Knowledge? Security Beliefs and Protective Behaviors Among United States Internet Users,’’ Proceedings fo the 11th Symposium On Usable Privacy and Security (SOUPS), pp. 309–325, 2015, https://www.usenix.org/conference/soups2015/proceedings/presentation/wash.
E. Rozentals, ‘‘Email Load and Stress Impact on Susceptibility to Phishing and Scam Emails,’’ Master’s Thesis, Department of Computer Science, Electrical and Space Engineering, Digital Services and Systems, Luleå University of Technology, Luleå, Sweden, 2021.
H. Qahri-Saremi and O. Turel, ‘‘Situational Contingencies in Susceptibility of Social Media to Phishing: A Temptation and Restraint Model,’’ J. Manag. Inf. Sys., vol. 40, no. 2, pp. 503–540, Apr. 2023, DOI: 10.1080/07421222.2023.2196779.
Z. Benenson, F. Gassmann, and R. Landwirth, ‘‘Unpacking Spear Phishing Susceptibility,’’ in Financial Cryptography and Data Security, M. Brenner, K. Rohloff, J. Bonneau, A. Miller, P. Y. Ryan, V. Teague, A. Bracciali, M. Sala, F. Pintore, and M. Jakobsson, Eds. Cham, Switzerland: Springer International Publishing, 2017, vol. 10323, pp. 610–627, DOI: 10.1007/978-3-319-70278-0_39.
Y. Wang and Y.-W. Mo, ‘‘The Effect of Default Options on Consumer Decisions in the Product Configuration Process,’’ in Proc. ConfWS, Graz, Austria, ser. CEUR Workshop Proceedings, Jun. 2018, pp. 31–36.