The most widespread type of phishing attack involves email messages with links pointing to malicious content. Despite user training and the use of detection techniques, these attacks are still highly effective. Recent studies show that it is user inattentiveness, rather than lack of education, that is one of the key factors in successful phishing attacks. To this end, we develop a novel phishing defense mechanism based on URL inspection tasks: small challenges (loosely inspired by CAPTCHAs) that, to be solved, require users to interact with, and understand, the basic URL structure. We implemented and evaluated three tasks that act as "barriers" to visiting the website: (1) correct click-selection from a list of URLs, (2) mouse-based highlighting of the domain-name URL component, and (3) re-typing the domain-name. These tasks follow best practices in security interfaces and warning design. We assessed the efficacy of these tasks through an extensive on-line user study with 2,673 participants from three different cultures, native languages, and alphabets. Results show that these tasks significantly decrease the rate of successful phishing attempts, compared to the baseline case. Results also show the highest efficacy for difficult URLs, such as typo-squats, with which participants struggled the most. This highlights the importance of (1) slowing down users while focusing their attention and (2) helping them understand the URL structure (especially, the domain-name component thereof) and matching it to their intent.
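The three inspection tasks each need a checker that decides whether the user's answer matches the link's real domain-name component. The following is an added example, not code from the paper, showing how such checks can be built on the registrable domain; it assumes hypothetical function names and a tiny constructed suffix table (MULTI_LABEL_SUFFIXES) standing in for the full Public Suffix List, and its sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes that span two labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def host_of(url: str) -> str:
    """Lowercased host of `url`, ignoring userinfo ('paypal.com@evil.example'), port and path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".")


def registrable_domain(url: str) -> str:
    """The domain-name component a user should compare against their intent: the label
    directly under the public suffix (www.paypal.com -> paypal.com, login.bank.co.uk -> bank.co.uk)."""
    labels = host_of(url).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def select_matching_urls(urls, intended_domain: str):
    """Task (1): indices of the listed URLs whose registrable domain is the one the user intends.
    Typo-squats and deceptive subdomains/userinfo tricks do not match."""
    intended = intended_domain.strip().lower().rstrip(".")
    return [i for i, u in enumerate(urls) if registrable_domain(u) == intended]


def check_highlight(url: str, start: int, end: int) -> bool:
    """Task (2): accept only if the mouse-selected span of the URL text is exactly the
    registrable domain, not 'www.' plus the domain and not the whole host."""
    return url[start:end].lower() == registrable_domain(url)


def check_retyped_domain(url: str, typed: str) -> bool:
    """Task (3): accept only if what the user re-typed equals the link's registrable domain."""
    return typed.strip().lower().rstrip(".") == registrable_domain(url)


if __name__ == "__main__":
    # Constructed sample links: one genuine, one typo-squat, one subdomain lure, one userinfo lure.
    links = ["https://www.paypal.com/signin", "https://paypa1.com/signin",
             "https://paypal.com.secure-login.example/signin", "http://paypal.com@evil.example/x"]
    print(select_matching_urls(links, "paypal.com"))            # [0]
    print(check_retyped_domain(links[2], "paypal.com"))         # False
    print(check_highlight(links[0], 12, 22))                    # True
```

The comparison is done on the registrable domain rather than the raw URL string, so lures that place the expected brand in a subdomain or in the userinfo part are rejected even though the expected characters appear in the link.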