Technology Usability Lab in Privacy and Security

Logo: Technology Usability Lab in Privacy and Security
Research Publications People Student Projects Wiki Outreach

Phishing Training and Detection

Reading a URL is one of the key abilities necessary for identifying malicious communications, but many people cannot accurately read a URL and predict where it will go. This happens for several reasons, URLs are naturally complex to read, visually identical characters can easily confuse a person, and for some URLs, such as shortened ones, it is physically impossible to predict the destination from simply reading the text due to redirection.

In this project, we explore the design and effectiveness of different communication approaches to support internet users' decision on URL security and privacy risk.


  1. Faheem: Explaining URLs to people using a Slack bot [bibtex]
    K. Althobaiti, K. Vaniea, S. Zheng; In Symposium on Digital Behaviour Intervention for Cyber Security. 2018.
  2. Automatic phishing detection versus user training, Is there a middle ground using XAI? [bibtex]
    S. Albakry, K. Vaniea; In Proceedings of the SICSA Workshop on Reasoning, Learning and Explainability. 2018.
  3. A Review of Human-and Computer-Facing URL Phishing Features [bibtex]
    K. Althobaiti, G. Rummani, K. Vaniea; In IEEE European Symposium on Security and Privacy Workshops (EuroS\&PW). 2019.
  4. What is this URL's Destination? Empirical Evaluation of Users' URL Reading [bibtex]
    S.S. Albakry, K. Vaniea, M.K. Wolters; In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2020.



Research and projects here are partially funded by the following groups:

Related Student Projects

The following are related projects completed by interns, undergraduate, and masters students.
Project screenshot.

Analysing Online Anti-Fraud Advice to Identify Common Anti-Phishing Instructions and Assumptions

Mattia Mossano (2018-2019, Masters Thesis)

Supervisor: Kami Vaniea

There is a wide variety of anti-phishing advice available through many organizations such as banks, universities, law enforcement, and consumer advacacy groups. In this work, I collect advice from 94 web pages across 9 countries. I find that the advice given to users is disorganized with different advice given by different groups and sometimes the same group offering different advice for differenty entities.

Project screenshot.

Catch-Phish: Developing a Phishing Learning and Detection Tool

Stephen Waddell (2018-2019, Undergraduate Thesis)

Supervisor: Kami Vaniea

Designed an in-browser tool that analyzes URLs before users click on them and provides feedback about the likely final destination of the URL. The project involved interviewing people about different interface ideas, building a prototype, and testing the prototype with a small number of participants.

Project screenshot.

Web-based tool for estimating security training approaches for security decision-makers

Nan Sheng (2017-2018, Masters Thesis)

Supervisor: Kami Vaniea

Cyber security has been a concern for organizations because it can lead to large financial loss. The premise of this project is that the CISO realizes the improtance of cyber security training and is trying to find a suitable training approach for the staff. This project collects essential information about training approaches from academic papers and training companies such as methodology, charateristic, effectiveness, cost and commercial training products. The goal is to help someone like a CISO select a suitable training approache for the staff.

Project screenshot.

Empirical Evaluation of Users' Ability to Read URLs With and Without a Support Website

Xinding Wang (2017-2018, Masters Thesis)

Supervisor: Kami Vaniea

Reading a URL unaided is challenging. This project had two goals:
1) Determine if people in China and Europe read URLs differently.
2) Build a website that parses and explains a URL to someone in both English and Chinese.

Project screenshot.

Faheem: Real-time Slack Bot URL Explainer Assists Users in Overcoming Phishing

Kholoud Althobaiti (2016-2017, Masters Thesis)

Supervisors: Stuart Anderson, Kami Vaniea

People have difficulty understanding URLs which makes it harder for them to decide what links are safe to click on or identify potential privacy issues. Faheem is a Slack chat bot designed to help users understand a URL through an interactive discussion with the bot.