Phishing Susceptibility and Mitigation in the 2FA Context : An Investigation of How the Interplay of Psychological and Individual Factors and UX Design Can Influence Users’ Decisions to Login to a Suspicious Website

Gerken, Jorina Freya, Wang, Zhaoying

January 2024

Phishing is a form of social engineering, in which attackers attempt to trick victims with e-mails designed to look like legitimate requests (Vishwanath et al., 2011), aiming “to exploit human error or human behaviour with the objective of gaining access to information or services” (European Union Agency for Cybersecurity [ENISA], 2023, p. 7). According to the ENISA Threat Landscape 2023 report, phishing is the most prevalent form of social engineering and predicted to continue posing a significant threat to users (ENISA, 2023). In this, attackers have also already succeeded in circumventing second-factor authentication (2FA) (ENISA, 2023). This thesis aimed to contribute to the ongoing research concerning the mitigation of social engineering attacks by investigating phishing susceptibility and a UX-based mitigation approach in the context of 2FA, which to the best of our knowledge had not been previously researched. Based on prior research in other contexts, stress, attention, elaboration, involvement and 2FA frequency were identified as potentially relevant factors. Under consideration of these factors, a 2FA implementation was designed, combining automated URL verification with verification-basedwarnings. An online study (N = 94) was conducted to investigate how the posited susceptibility factors as well as the UX design can influence users’ decisions to abort or proceed with logging in to a suspicious website. In this, a between-subject study design was used to investigate howmuch of an impact specifically the “opinionatedness” of a warning design, i.e. its “use of visual design cues to promote a recommended course of action” (Felt et al., 2015, p. 2893), can have in the 2FA context compared to an otherwise identical design offering a neutral choice. In the collected sample, involvement had a significant negative effect on the likelihood to proceed with the login, in accordance with its posited influence. In addition, confidence in the decision made was discovered as another potential predictor, also showing a significant negativeeffect on the likelihood to proceed in the collected sample. The observed effect of the opinionated design can be seen to contradict the posited assumption that users would be more likely to go with the promoted action. However, overall, the results can be seen to suggest thattaking susceptibility factors into consideration when designing 2FA implementations might be a promising approach towards phishing mitigation. Further research is needed to validate these indications, due to the insufficient sample size and use of convenience sampling in this thesis.

phishing susceptibility

phishing mitigation

2FA

second-factor authentication

psychological factors

involvement

confidence in the decision made

warning design

opinionated design

Elektroteknik och elektronik