Users’ inadvertent clicks on phishing links pose significant security risks. Method: This paper proposes an interactive, URL-structure-aware proactive defense mechanism that enforces pre-access user engagement with domain components via three lightweight tasks—click selection, mouse-hover domain highlighting, and domain re-entry—to strengthen structural awareness and intention alignment. Contribution/Results: First, it innovatively embeds URL structural verification directly into the user’s interaction flow, balancing security and usability. Second, it is the first to validate efficacy against high-confusion phishing techniques (e.g., typo-squatting) via a large-scale, cross-cultural online experiment (N = 2,673). Results demonstrate that the dual-path intervention—“deceleration + focused attention + structural cognition”—significantly reduces phishing click-through rates, particularly for visually ambiguous or structurally deceptive links.

The most widespread type of phishing attack involves email messages with links pointing to malicious content. Despite user training and the use of detection techniques, these attacks are still highly effective. Recent studies show that it is user inattentiveness, rather than lack of education, that is one of the key factors in successful phishing attacks. To this end, we develop a novel phishing defense mechanism based on URL inspection tasks: small challenges (loosely inspired by CAPTCHAs) that, to be solved, require users to interact with, and understand, the basic URL structure. We implemented and evaluated three tasks that act as ``barriers'' to visiting the website: (1) correct click-selection from a list of URLs, (2) mouse-based highlighting of the domain-name URL component, and (3) re-typing the domain-name. These tasks follow best practices in security interfaces and warning design. We assessed the efficacy of these tasks through an extensive on-line user study with 2,673 participants from three different cultures, native languages, and alphabets. Results show that these tasks significantly decrease the rate of successful phishing attempts, compared to the baseline case. Results also showed the highest efficacy for difficult URLs, such as typo-squats, with which participants struggled the most. This highlights the importance of (1) slowing down users while focusing their attention and (2) helping them understand the URL structure (especially, the domain-name component thereof) and matching it to their intent.