Phishing attacks become increasingly sophisticated in targeting humans and exploiting cognitive biases, e.g., through inducing authority or urgency. Previous approaches to user training focused on URL warnings, textual, or click-based training, yielding mixed results. For more interactive training, uncoupled from users’ screens, we explore the potential of Augmented Reality (AR) technologies to enhance phishing detection. Through visual representations of biases that attackers typically exploit and gesture-based interactions with them, the training aims to enable users to counteract cognitive biases by increasing awareness and suspicion. In a laboratory study with N=117 users, we evaluated phishing detection rates, user interaction with, and feedback on the AR-based training in comparison with a click-based variant and a control condition. Our results show that interactive phishing training addressing cognitive biases increased detection rates by 33% and that interactive elements were well perceived. AR technologies further enhance the training.
https://dl.acm.org/doi/10.1145/3706598.3714023
The ACM CHI Conference on Human Factors in Computing Systems (https://chi2025.acm.org/)