Promoting increased awareness of email fraud on college campuses and incentivizing users to report phishing attacks.
After an increase in the rate of scam emails targeting the Dartmouth community, the Information, Technology, and Consulting department (ITC) at Dartmouth wanted to find a way to educate students and staff about phishing and approached the DALI Lab to create a solution.
Most interviewees felt like they already knew how to identify phishing, but the data from ITC was saying otherwise; we needed to think of an intervention that would engage these disinterested community members.
Me (designer, fall & winter)
Jeanne Annpark (designer, fall)
Sara Falkson (designer, winter)
Fisayo Babalola (project manager)
Faustino Cortina (developer)
Robert He (developer)
Ian Hou (developer)
Rohith Mandavilli (developer)
Ashley Song (developer)
User research & testing
Admin-facing design
Mentorship
Figma prototyping
Gamification
20 weeks (2019-2020)
Phishing is a type of social engineering attack that uses emails or messaging to obtain personal information or money. Most Dartmouth community members receive at least one phishing email per term, often in the form of fake job offers, messages from accounts posing as staff or administrators, and surveys. 8 out of 10 Dartmouth students and staff do not know how to report suspicious emails, so they either delete or ignore them.
The Information, Technology, and Consulting (ITC) office at Dartmouth had noticed a marked increase in the number of phishing campaigns targeting the Dartmouth community.
There are already lots of existing phishing-related services. Many are integrated with company email servers and include reporting as well as education functionality. However, these platforms can cost thousands of dollars and are bundled with many features that are mostly irrelevant for a college campus. They also assume mandatory, company-wide participation, which is not possible at Dartmouth.
We talked to 14 people, with interviewees including students of different class years, professors, and administrators. We distilled the sentiments from our interviewees into journey maps, empathy maps, and personas (below). The personas were especially useful for capturing what we were hearing from interviewees, as perceptions of phishing varied greatly across different groups.
In general, we found that older (40+) employees with less tech experience as well as freshman students were most susceptible to phishing attacks, and some had been tricked in the past. Older students were more confident in their abilities to recognize phishing; however, several interviewees had been targeted by particularly threatening or convincing attacks.
Lots of anti-phishing platforms are mandatory for employees, but we wanted our solution to be fun and delightful. Our research showed us that required phishing education would just cause resentment from students and was unrealistic. We needed to grab our users’ attention in a different way.
We wanted this platform to help educate, since we saw that many community members don’t know how to recognize phishing (especially advanced, targeted phishing). But we also needed it to call our users to action and help ITC stop phishing campaigns. An effective solution would enable users to both learn more about phishing and report emails to ITC.
Our research showed that staff would benefit from phishing education (possibly even more than students, since phishing puts their jobs at risk), and so we didn’t want to limit our solution to students like ITC originally envisioned. ITC also made it clear that they wanted to eventually expand this solution to other colleges, and so we couldn’t build anything that would be unique to Dartmouth.
User research showed us that it would be a challenge to make college students care about phishing. We did some digging to figure out the best way to format the motivational structure.
Interviewees responded positively to the idea of gaining points for reporting phishing emails, but were skeptical about the contest. I thought that we should take inspiration from the College Pulse, by removing the “competition” aspect and creating a prize page where users can redeem points for smaller prizes like $5 gift cards or free coffees. In testing we found that this helps the payoff feel more immediate, which is important for motivating college students with short attention spans.
Our research showed that 8 out of 10 Dartmouth community members don’t know how to report a phishing email. Most people simply delete the emails (that is, if they don’t fall for them), which doesn’t help ITC identify and shut down phishing campaigns. What would be a convenient reporting mechanism that’s just about as fast as deleting?
Students think they’re too smart to get phished, and those who had fallen victim were shocked and embarrassed. We needed to show other students that it could happen to them too and convince them to participate in GoPhish. How could we grab the attention of busy students who are used to ignoring promotional posters and emails from Dartmouth administration?
We learned that professors and administrators were already receptive to phishing education, since it can threaten their funding and jobs. But how could we convince time-pressed and uninterested students to voluntarily learn about phishing? This question was one of my focus areas for the project, and I found that the answer was in gamification.
Videos and traditional training modules are boring, so we brainstormed different educational games. I thought that we should use real examples from the Dartmouth community to help the problem feel more immediate, and was inspired by NYT Copy Edit This! quizzes to create phishing “scavenger hunt” quizzes. This can help users recognize the telltale signs of phishing in their own inboxes.
During the winter term, I mostly focused on designing an admin portal for GoPhish while developers coded the user interface. The functionality was based on the features of the user-facing platform as well as feedback sessions with members of ITC, who would be operating the application after launch. Since ITC envisioned this product eventually being expanded to other schools, it was important to make the admin experience intuitive as well.
I created wireframes for and styled over 25 screens to cover a full range of admin functionality. Some examples are shown below.
We presented our final prototype to top ITC administrators, including the Chief Information Officer of Dartmouth, to extremely positive feedback.
GoPhish is currently still under development and I'm no longer actively working on the project, but ITC has big goals. After an initial launch at Dartmouth, user testing and iterations should be completed to determine what is working and change what isn't. ITC then plans to expand to other schools and bring increased cyber-security awareness to institutions across the country.
This was the perfect user population for learning how to design something that's genuinely fun, motivating, and frictionless even when the topic is boring. Lots of research helped us mold ITC's vision into something students would actually use.
DALI projects are awesome because they've taught me how to think like a developer and communicate big design decisions to clients. During the entire design process, we were in constant communication with devs and ITC to ensure that this project could actually be implemented in a timely and cost-efficient manner.
The winter term gave me my first deep-dive into admin-side design, reminding me that for every user-facing decision we made there would be new responsibilities for the admins maintaining the web app. Keeping in mind future users who weren't as familiar with the platform as our partners at ITC helped me clarify and simplify the functionality.