The effect of repeated login prompts on phishing susceptibility
Background. Understanding the human aspects of phishing susceptibility is an important component in building effective defenses. People type passwords so often that it is possible that this act makes each individual password less safe from phishing attacks. Aim. This study investigated whether the act of re-authenticating to password-based login forms causes users to become less vigilant toward impostor sites, thus making them more susceptible to phishing attacks. Our goal was to determine whether users who type their passwords more often are more susceptible to phishing than users who type their passwords less often. If so, this result could lead to theoretically well-grounded best practices regarding login-session length limits and re-authentication practices. Method. We built a custom browser extension which logs password entry events and has the capability of shortening session times for a treatment group of users. We recruited subjects from our local campus population, and had them run the extension for two months. After this time, we conducted a synthetic phishing attack on all research subjects, followed by a debriefing. Our research protocol was approved by the University's IRB. Results. We failed to reject the null hypothesis. We found that login frequency has no noticeable effect on phishing susceptibility. Our high phishing success rate of 39.3% was likely a leading factor in this result. Conclusions. This study confirmed prior research showing exceedingly high phishing success rates. We also observed that recruiting only in-person and campus-affiliated users greatly reduced our subject pool, and that the extension-based investigation method, while promising, faces significant challenges itself due to deployed extension-based malware defenses.