A big phish is (not) in sight : phishing prevention and response for screen reader users

Abstract

Phishing is a prevalent and increasingly sophisticated threat in the critical digital environment. Nowadays, measures to protect against phishing are highly dependent on vision, failing to address the needs and worries of screen reader users. We gathered screen reader users’ phishing awareness, as well as their phishing identification and dealing strategies, by conducting semi-structured interviews (n = 10), a netnography study (analyzing 59 forum posts), and lab-based sessions (n = 14). We opted for this approach to know their phishing abilities and challenges in greater detail. Results show that blind people are generally aware of phishing, and their screen reader is crucial in recognizing a threat. There are three email areas where users try to identify phishing: sender, subject + preview, and content. The email areas users choose to focus more on impact how confident they are to identify phishing. With the help of their screen reader, participants discarded emails from unknown or unlikely sources and emails that, when they heard their initial parts still in the inbox, suggested the message had unexpected requests and strange links embedded in the content. When opening an email message, participants ignored the sender often and jumped directly into analyzing the content. Since the content sounded legitimate, they identified the email as secure without a detailed inspection. Finally, our participants adopted preventive measures to avoid falling victim to a phishing attack. For instance, they stuck to websites they had previously visited and knew their structure and layout. Our work supplies new perspectives regarding phishing prevention for blind people. We explore opportunities for future work reflecting on the design of more accessible anti-phishing solutions. Although we intended to understand the screen reader users’ behavior when facing phishing, we want developers and researchers to use the results to decrease the overall population’s susceptibility to phishing.