"I don't know why i check this . . . " - Investigating Expert Users' Strategies to Detect Email Signature Spoofing Attacks

Peter Mayer*, Damian Poddebniak, Konstantin Fischer, Marcus Brinkmann, Juraj Somorovsky, Angela Sasse, Sebastian Schinzel, Melanie Volkamer

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingArticle in proceedingsResearchpeer-review


OpenPGP is one of the two major standards for end-to-end email security. Several studies showed that serious usability issues exist with tools implementing this standard. However, a widespread assumption is that expert users can handle these tools and detect signature spoofing attacks. We present a user study investigating expert users' strategies to detect signature spoofing attacks in Thunderbird. We observed 25 expert users while they classified eight emails as either having a legitimate signature or not. Studying expert users explicitly gives us an upper bound of attack detection rates of all users dealing with PGP signatures. 52% of participants fell for at least one out of four signature spoofing attacks. Overall, participants did not have an established strategy for evaluating email signature legitimacy. We observed our participants apply 23 different types of checks when inspecting signed emails, but only 8 of these checks tended to be useful in identifying the spoofed or invalid signatures. In performing their checks, participants were frequently startled, confused, or annoyed with the user interface, which they found supported them little. All these results paint a clear picture: Even expert users struggle to verify email signatures, usability issues in email security are not limited to novice users, and developers may need proper guidance on implementing email signature GUIs correctly.

Original languageEnglish
Title of host publicationProceedings of the 18th Symposium on Usable Privacy and Security, SOUPS 2022
EditorsSonia Chiasson, Apu Kapadia
Number of pages20
PublisherUSENIX - The Advanced Computing Systems Association
Publication date8. Aug 2022
ISBN (Print)978-1-939133-30-4
Publication statusPublished - 8. Aug 2022
Externally publishedYes
Event18th Symposium on Usable Privacy and Security, SOUPS 2022 - Boston, United States
Duration: 7. Aug 20229. Aug 2022


Conference18th Symposium on Usable Privacy and Security, SOUPS 2022
Country/TerritoryUnited States
SponsorEthyca, Google Inc., Meta, NSF, USENIX Association

Bibliographical note

Funding Information:
We thank the organizers of the Free and Open Source Developer Meeting 2020 for providing an interview location on the premises of the event and allowing us to recruit participants from among the attendees. We also thank Imke Ines Klatt for her feedback on the referee instructions, recruiting, and execution of participant sessions during the 36c3. We thank Tobias Kappert and Christian Dresen for the execution of the first pre-study at the Chaos Communication Camp 2019, Martin Grothe for his support during the interview process at FOSDEM, Jonathan von Niessen for his security analyses of signature validation in Thunderbird, as well as Christiane Rosa, Marie-Claire Thiery, and Fabian Ballreich for their help in transcribing the think-alouds. Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy - EXC 2092 CASA - 390781972. Marcus Brinkmann was partially supported by the German Federal Ministry of Economics and Technology (BMWi) project "Industrie 4.0 Recht-Testbed" (13I40V002C). Damian Poddebniak was supported by a research grant of the Münster University of Applied Sciences. This research was further supported by funding from the topic Engineering Secure Systems, subtopic 46.23.01 Methods for Engineering Secure Systems, of the Helmholtz Association (HGF) and by KASTEL Security Research Labs.


  • Email Signatures
  • User Study
  • Signature Forgeries
  • Expert Users


Dive into the research topics of '"I don't know why i check this . . . " - Investigating Expert Users' Strategies to Detect Email Signature Spoofing Attacks'. Together they form a unique fingerprint.

Cite this