UX Measures to protect users from phishing sites

In the last few days I have been thinking about possible solutions to protect your users from entering their data into forms on phishing websites, and about how you could warn them or "educate" them into not doing that.

Consider the following scenario:
You work for a popular website with millions of users. Think Amazon, Spotify, Google, PayPal... something like this. Now, as attackers want to get access to user accounts, they send out phishing emails (or SMS, letters, WhatsApp messages) with a similar-looking link, e.g. the real address would be https://www.yourcompany.com/login, and the fake address is http://www.yourcompany.com-login.to. If a user clicks on it, he lands on a copy of that website's login page (same HTML & CSS, visually indistinguishable).

What could you do on your website, for your users, to protect them from phishing sites?


Ideas I was thinking of:

  • Redesign the login page with a lot of big, graphic warnings on that page (e.g. "watch out for the lock in your browser's address bar"), so that
    a) the user gets educated every time he is on the login page of the real website, and
    b) the attacker has to copy those warning elements too in order to still use the original company website design.
    The question is whether users really look at that.

  • Warn the user when he registers that people might try to phish his data.

  • Establish a policy that users should NEVER click on any link to your site but should always open it directly via the homepage. (The newsletter analytics team might kill you for that.)

  • Send security-related newsletters to users and try to educate them as often as possible, at every place on your website.

I am not very happy with any of them. I tried to find studies or real-life examples of countermeasures, but could find none.
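To make the scenario's lookalike URL concrete, here is an added example (not part of the original post, and not code from any of the companies named) showing why `http://www.yourcompany.com-login.to` is a different site from `https://www.yourcompany.com/login` even though the real domain name appears inside it. It contrasts the "does the string contain our name?" check that the phishing link is designed to pass with a check on the parsed host name and scheme, which is the test the "watch out for the lock in the address bar" warning is trying to teach. The legitimate domain `yourcompany.com` and all sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: the real site's registrable domain.
LEGIT_DOMAIN = "yourcompany.com"


def looks_like_ours(url: str, legit_domain: str = LEGIT_DOMAIN) -> bool:
    """The intuitive (wrong) test: does the link mention our domain anywhere?

    This is exactly what a phishing link such as
    http://www.yourcompany.com-login.to is built to satisfy.
    """
    return legit_domain in url.lower()


def is_legit_login_url(url: str, legit_domain: str = LEGIT_DOMAIN) -> bool:
    """The check the 'lock in the address bar' advice actually stands for.

    Returns True only if the URL uses HTTPS and its parsed host name is
    legit_domain itself or a subdomain of it (label boundary enforced by
    the leading dot). Anything else, including hosts that merely contain
    or start with our name, is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    # urlsplit().hostname drops userinfo (user@) and the port and lowercases.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return host == legit_domain or host.endswith("." + legit_domain)


def classify(urls):
    """Return {url: (naive_verdict, real_verdict)} for a batch of links."""
    return {u: (looks_like_ours(u), is_legit_login_url(u)) for u in urls}


# Constructed sample links: the post's two addresses plus common variants.
SAMPLE_URLS = [
    "https://www.yourcompany.com/login",               # real login page
    "http://www.yourcompany.com-login.to",             # the post's phishing link
    "http://www.yourcompany.com/login",                # right host, but no TLS
    "https://yourcompany.com",                         # bare apex domain, fine
    "https://www.yourcompany.com.evil.to/login",       # our name as a subdomain of evil.to
    "https://user@www.yourcompany.com@evil.to/login",  # our name hidden in userinfo
    "https://evilyourcompany.com/login",               # prefix without a label boundary
]

if __name__ == "__main__":
    for url, (naive, real) in classify(SAMPLE_URLS).items():
        print(f"{url:50} contains-name={naive!s:5} legitimate={real}")
```

Every phishing variant in the sample list passes the naive "contains our name" test and fails the host-name test, which is the gap that page-level warnings have to close: the user must be taught to read the host (and the scheme) rather than to look for a familiar name somewhere in the link.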