PhishDetect is a browser extension that helps human rights defenders mitigate phishing attacks by empowering communities to identify, report, and block potential threats.
Background
Human rights defenders collect and distill personal stories of the oppressed. They need niche, customizable, and secure software designed for privacy. Off-the-shelf solutions (e.g. Google’s Safe Browsing) don’t allow security administrators to block specific threats that immediately endanger their network.
Motivated by a desire to give practical help to at-risk users, Claudio Guarnieri (Amnesty International) created the PhishDetect browser extension to protect people from phishing attacks. Although it was originally created to help human rights defenders and activists stay safe, anyone can use and benefit from PhishDetect.
Problem: Improving usability to reach the audience
PhishDetect's complex usability was impeding adoption. As a proof of concept, PhishDetect has sound, audited technology. However, for PhishDetect to be adopted by the human rights community (human rights defenders, journalists, activists), it first needed to be usable, simple, and clear.
Goal: Safety without complexity
We worked together to improve user flows, clarify the communication, and leverage graphics & metaphor (in collaboration with the talented brand designer Guille Lasarte). Improving the usability would allow the tool to do what it was intended to do: keep people safe without a lot of extra effort.
Process
With multiple organizations interested in adopting PhishDetect, we set out to redesign each touchpoint. Ensuring a clear understanding of the tool’s capabilities would mean that users could easily adopt safety-preserving behaviors.
Process:
1. Need-finding research
2. User flows
3. Ideating, sketching, and wireframing
4. User testing
5. High-fidelity mockups
1. Need-finding research with users allowed us to identify our areas of focus.
We interviewed four human rights organization employees and security technology experts to understand their challenges combatting phishing and motivations for using a tool like PhishDetect.
We learned that users were fearful of making a mistake that could endanger themselves, the organization, or their contacts. The majority of our users were not technologists by profession, so we focused on reassuring users’ safety rather than technical explanations.
We distilled our findings into four design principles that would guide our decisions, remind us of users’ needs, and help us stay on course:
2. Mapping flows helped us understand the full context and led to an inventory of wireframes.
For mapping out the onboarding process, we sketched the current process and discussed where to cut steps with the development team. These flows provided mutual understanding and informed the wireframes.
Our goal was to reduce the number and complexity of steps so that the user could finish the process more easily and quickly, because when a user’s PhishDetect is set up correctly, they are more secure.
3. Sketching and wireframing to consider and test many solutions.
Getting the ideas into a visual form allowed us to have a better discussion and converge on a concept.
4. Usability testing gave us validation and new ideas for better solutions.
Usability testing helped us validate which of the different concepts from ideation were best understood by the users.
Result
I closely collaborated with branding designer Guille Lasarte to develop the PhishDetect metaphor. Reflecting our research learnings, she defined a series of characters that illustrate how the tool helps and what the user needs to do, in a reassuring way.
From the brand guidelines, I developed a UI system and produced high-fidelity mockups that utilize the strong metaphor throughout the user journey.
Learnings
(1) Wild idea sketching was a big part of the process. With so many screens, flows, and integrations to design, the design speed needed to be quick. For each screen I sketched 5 to 10 ideas. That’s exactly what PhishDetect needed because it was transitioning from a proof of concept into a usable tool.
(2) With security tools, it’s important to resist over-explaining everything: the situation, the technology, what the user might do. I tried to remember that our users use a suite of tools every day. Since they might not have the time to engage deeply with PhishDetect, we focused on efficiency. This meant that there were hard decisions because we couldn’t do everything. The result is a simplified tool that gives users just the information they need at the right time.
Read more
Strength In Numbers: Designing to Help At-Risk Users Protect Against Phishing Attacks