GoPhish

Promoting increased awareness of email fraud on college campuses and incentivizing users to report phishing attacks.

CHALLENGE

After an increase in the rate of scam emails targeting the Dartmouth community, the Information, Technology, and Consulting department (ITC) at Dartmouth wanted to find a way to educate students and staff about phishing and approached the DALI Lab to create a solution.

Most interviewees felt like they already knew how to identify phishing, but the data from ITC was saying otherwise. We needed to think of an intervention that would engage these disinterested community members.

OUTCOME

  • I worked with a team of designers and developers to conduct user research, deconstruct the problem space, sketch, wireframe, and prototype both user-facing and admin-facing web interfaces.

  • GoPhish is a platform that educates college students and staff about phishing email scams, teaching them how to recognize the signs of phishing through interactive quizzes.

  • Our solution also calls the community to action with a rewards system, in which users receive points for forwarding emails to ITC and redeem them for small prizes.

PROJECT INFO

Team

Me (designer, fall & winter)
Jeanne Annpark (designer, fall)
Sara Falkson (designer, winter)

Fisayo Babalola (project manager)
Faustino Cortina (developer)
Robert He (developer)
Ian Hou (developer)
Rohith Mandavilli (developer)
Ashley Song (developer)

Skills

User research & testing
Admin-facing design
Mentorship
Figma prototyping
Gamification

Timeline

20 weeks (2019-2020)

BACKGROUND

Dartmouth seems phishy

Phishing is a type of social engineering attack that uses emails or messaging to obtain personal information or money. Most Dartmouth community members receive at least one phishing email per term, often in the form of fake job offers, messages from accounts posing as staff or administrators, and surveys. 8 out of 10 Dartmouth students and staff do not know how to report suspicious emails, so they either delete or ignore them.

The Information, Technology, and Consulting (ITC) office at Dartmouth had noticed a marked increase in the number of phishing campaigns targeting the Dartmouth community.

COMPETITIVE RESEARCH

Existing products don’t work well for colleges

There are already lots of existing phishing-related services. Many are integrated with company email servers and include reporting as well as education functionality. However, these platforms can cost thousands of dollars and are bundled with many features that are mostly irrelevant for a college campus. They also assume mandatory, company-wide participation, which is not possible at Dartmouth.

USER RESEARCH

No one is immune to phishing, but students in particular don’t think it’s a big problem.

We talked to 14 people, with interviewees including students of different class years, professors, and administrators. We distilled the sentiments from our interviewees into journey maps, empathy maps, and personas (below). The personas were especially useful for capturing what we were hearing from interviewees, as perceptions of phishing varied greatly across different groups.

In general, we found that older (40+) employees with less tech experience, as well as freshman students, were most susceptible to phishing attacks, and some had been tricked in the past. Older students were more confident in their abilities to recognize phishing. However, several interviewees had been targeted by particularly threatening or convincing attacks.


HOW MIGHT WE?

How might we encourage the college community, especially students who think they can’t be phished, to educate themselves about phishing, and participate in reporting?

DESIGN PRINCIPLES

#1

We should draw in users without forced participation

Lots of anti-phishing platforms are mandatory for employees, but we wanted our solution to be fun and delightful. Our research showed us that required phishing education would just cause resentment from students and was unrealistic. We needed to grab our users’ attention in a different way.

#2

We must promote awareness as well as reporting

We wanted this platform to help educate, since we saw that many community members don’t know how to recognize phishing (especially advanced, targeted phishing). But we also needed it to call our users to action and help ITC stop phishing campaigns. An effective solution would enable users to both learn more about phishing and report emails to ITC.

#3

Our solution shouldn’t be limited to students, or to Dartmouth

Our research showed that staff would benefit from phishing education (possibly even more than students, since phishing puts their jobs at risk), and so we didn’t want to limit our solution to students like ITC originally envisioned. ITC also made it clear that they wanted to eventually expand this solution to other colleges, and so we couldn’t build anything that would be unique to Dartmouth.

IDEATION & SKETCHES

[Sketches: points and prizes; fast and simple; hooking users; learning by playing]

FINAL SOLUTION

We presented our final prototype to top ITC administrators, including the Chief Information Officer of Dartmouth, to extremely positive feedback.


USER FEEDBACK

[Image: phishing feedback]

TAKEAWAYS & NEXT STEPS

#1

Launch and expand

GoPhish is currently still under development and I'm no longer actively working on the project, but ITC has big goals. After an initial launch at Dartmouth, user testing and iterations should be completed to determine what is working and change what isn't. ITC then plans to expand to other schools and bring increased cyber-security awareness to institutions across the country.  

#2

Overcoming indifference

This was the perfect user population for learning how to design something that's genuinely fun, motivating, and frictionless even when the topic is boring. Lots of research helped us mold ITC's vision into something students would actually use. 

#3

Working with real developer and partner constraints

DALI projects are awesome because they've taught me how to think like a developer and communicate big design decisions to clients. During the entire design process, we were in constant communication with devs and ITC to ensure that this project could actually be implemented in a timely and cost-efficient manner. 

#4

Designing for both users and administrators 

The winter term gave me my first deep-dive into admin-side design, reminding me that for every user-facing decision we made there would be new responsibilities for the admins maintaining the web app. Keeping in mind future users who weren't as familiar with the platform as our partners at ITC helped me clarify and simplify the functionality. 
