Filipo Sharevski (DePaul University), Jennifer Vander Loop (DePaul University), Sarah Ferguson (DePaul University), Viktorija Paneva (LMU Munich)

For all the immersive potential offered by Virtual Reality (VR) headsets, the technology itself is also conducive to perceptual manipulations. Altering user perception in VR could negatively affect security behavior, as translating prior experiences into an immersive environment might introduce an atypical susceptibility to phishing. A case in point is the routine evaluation of potentially suspicious emails for links or attachments, a task at which people might be proficient in traditional interactive environments but which they might fail when performing it via a VR headset. To explore VR’s potential for such manipulative alterations, we devised a study of how users assess and act on suspicious emails and warnings through VR headsets. A balanced set of Apple Vision Pro users (n=20) and Meta Quest 3 users (n=20) were invited to evaluate their own Gmail messages. Before they did so, we covertly sent a false positive suspicious email, containing either a URL or attachment, that carried a warning banner but was nonetheless legitimate. Our observations showed that two Apple Vision Pro participants clicked the link, and one Meta Quest 3 participant opened the attachment. In all three cases, the susceptibility to phishing was due to the headsets’ hypersensitive click response and poor ergonomic precision during the email evaluation task. Although the perceptual manipulation in these cases could be deemed unintentional, we nonetheless provide evidence of VR’s potential to negatively affect users’ defenses against immersive social engineering manifestations. Based on these findings and the participation experience, we offer recommendations for implementing suspicious email warnings tailored for VR environments.
