GoPhish
Promoting increased awareness of email fraud on college campuses and incentivizing users to report phishing attacks.
CHALLENGE
After an increase in the rate of scam emails targeting the Datmouth community, the Information, Technology, and Consulting department (ITC) at Dartmouth wanted to find a way to educate students and staff about phishing and approached the DALI Lab to create a solution.
Most interviewees felt like they already knew how to identity phishing, but the data from ITC was saying otherwise - we needed to think of an intervention that would engage these disinterested community members.
OUTCOME
- I worked with a team of designers and developers to conduct user research, deconstruct the problem space, sketch, wireframe, and prototype both user-facing and admin-facing web interfaces.
- GoPhish is a platform that educates college students and staff about phishing email scams, teaching them how to recognize the signs of phishing through interactive quizzes.
- Our solution also calls the community to action with a rewards system, in which users receive points for forwarding emails to ITC and redeem them for small prizes.
PROJECT INFO
Team
Me (designer, fall & winter)
Jeanne Annpark (designer, fall)
Sara Falkson (designer, winter)
Fisayo Babalola (project manager)
Faustino Cortina (developer)
Robert He (developer)
Ian Hou (developer)
Rohith Mandavilli (developer)
Ashley Song (developer)
Skills
User research & testing
Admin-facing design
Mentorship
Figma prototyping
Gamification
Timeline
20 weeks (2019-2020)
BACKGROUND
Dartmouth seems phishy
Phishing is a type of social engineering attack that uses emails or messaging to obtain personal information or money. Most Dartmouth community members receive at least one phishing email per term, often in the form of fake job offers, messages from accounts posing as staff or administrators, and surveys. 8 out of 10 Dartmouth students and staff do not know how to report suspicious emails, so they either delete or ignore them.
The Information Technology, and Consulting (ITC) office at Dartmouth had noticed a marked increase in the number of phishing campaigns targeting the Dartmouth community.
COMPETITIVE RESEARCH
Existing products don’t work well for colleges
There are already lots of existing phishing-related services. Many are integrated with company email servers and include reporting as well as education functionality. However, these platforms can cost thousands of dollars and are bundled with many features that are mostly irrelevant for a college campus. They also assume mandatory, company-wide participation, which is not possible at Dartmouth.
USER RESEARCH
No one is immune to phishing, but students in particular don’t think it’s a big problem.
We talked to 14 people, with interviewees including students of different class years, professors, and administrators. We distilled the sentiments from our interviewees into journey maps, empathy maps, and personas (below). The personas were especially useful for capturing what we were hearing from interviewees, as perceptions of phishing varied greatly across different groups.
In general, we found that older (40+) employees with less tech experience as well as freshman students were most susceptible to phishing attacks and some had been tricked in the past. Older students were more confident in their abilities to recognize phishing - however several interviewees had been targeted by particularly threatening or convincing attacks.
HOW MIGHT WE?
How might we encourage the college community, especially students who think they can’t be phished, to educate themselves about phishing, and participate in reporting?
DESIGN PRINCIPLES
#1
We should draw in users without forced participation
Lots of anti-phishing platforms are mandatory for employees, but we wanted our solution to be fun and delightful. Our research showed us that required phishing education would just cause resentment from students and was unrealistic. We needed to grab our users’ attention in a different way.
#2
We must promote awareness as well as reporting
We wanted this platform to help educate, since we saw that many community members don’t know how to recognize phishing (especially advanced, targeted phishing). But we also needed it to call our users to action and help ITC stop phishing campaigns. An effective solution would enable users to both learn more about phishing and report emails to ITC.
#3
Our solution shouldn’t be limited to students, or to Dartmouth
Our research showed that staff would benefit from phishing education (possibly even more than students, since phishing puts their jobs at risk), and so we didn’t want to limit our solution to students like ITC originally envisioned. ITC also made it clear that they wanted to eventually expand this solution to other colleges, and so we couldn’t build anything that would be unique to Dartmouth.
IDEATION & SKETCHES
DESIGN CHALLENGE 1
Encouraging participation
User research showed us that it would be a challenge to make college students care about phishing. We did some digging to figure out the best way to format the motivational structure.
Interviewees responded positively to the idea of gaining points for reporting phishing emails, but were skeptical about the contest. I thought that we should take inspiration from the College Pulse, by removing the “competition” aspect and creating a prize page where users can redeem points for smaller prizes like $5 gift cards or free coffees. In testing we found that this helps the payoff feel more immediate, important for motivating college students with short attention spans.
Fast and simple reporting
Our research showed that 8 out of 10 Dartmouth community members don’t know how to report a phishing email. Most people simply delete the emails (that is, if they don’t fall for them), which doesn’t help ITC identify and shut down phishing campaigns. What would be a convenient reporting mechanism that’s just about as fast as deleting?
Hooking users
Students think they’re too smart to get phished, and those who had fallen victim were shocked and embarrassed. We needed to show other students that it could happen to them too and convince them to participate in GoPhish. How could we grab the attention of busy students who are used to ignoring promotional posters and emails from Dartmouth administration?
DESIGN CHALLENGE 2
Educational platform
We learned that professors and administrators were already receptive to phishing education, since it can threaten their funding and jobs. But, how could we convince time-pressed and uninterested students to voluntarily learn about phishing? This question was one of my focus areas for the project, and I found that the answer was in gamification.
Videos and traditional training modules are boring, so we brainstormed different educational games. I thought that we should use real examples from the Dartmouth community to help the problem feel more immediate, and was inspired by NYT Copy Edit This! quizzes to create phishing “scavenger hunt” quizzes. This can help users recognize the telltale signs of phishing in their own inboxes.
DESIGN CHALLENGE 3
Admin interface
During the winter term, I mostly focused on designing an admin portal for GoPhish while developers coded the user interface. The functionality was based on the features of the user-facing platform as well as feedback sessions with members of ITC, who would be operating the application after launch. Since ITC envisioned this product eventually being expanded to other schools, it was important to make the admin experience intuitive as well.
I created wireframes for and styled over 25 screens to cover a full range of admin functionality. Some examples are shown below.
FINAL SOLUTION
We presented our final prototype to top ITC administrators, including the Chief Information Officer of Dartmouth, to extremely positive feedback
USER FEEDBACK
TAKEAWAYS & NEXT STEPS
#1
Launch and expand
GoPhish is currently still under development and I'm no longer actively working on the project, but ITC has big goals. After an initial launch at Dartmouth, user testing and iterations should be completed to determine what is working and change what isn't. ITC then plans to expand to other schools and bring increased cyber-security awareness to institutions across the country.
#2
Overcoming indifference
This was the perfect user population for learning how to design something that's genuinely fun, motivating, and frictionless even when the topic is boring. Lots of research helped us mold ITC's vision into something students would actually use.
#3
Working with real developer and partner constraints
DALI projects are awesome because they've taught me how to think like a developer and communicate big design decisions to clients. During the entire design process, we were in constant communication with devs and ITC to ensure that this project could actually be implemented in a timely and cost-efficient manner.
#4
Designing for both users and administrators
The winter term gave me my first deep-dive into admin-side design, reminding me that for every user-facing decision we made there would be new responsibilities for the admins maintaining the web app. Keeping in mind future users who weren't as familiar with the platform as our partners at ITC helped me clarify and simplify the functionality.
NCSECU StorefrontUX/UI • Client work
FlourishUX/UI • Student work
TD WealthUX/UI • Client work
Magellan EAP AppUX/UI • Client work
The Imagination StationExperience design • Student work
RescanoeProduct design • Student work
UnioUX/UI • Student work