Reducing an 80% Misuse Rate into

Nearly Zero Errors

Reducing an 80% Misuse Rate into

Nearly Zero Errors

Reducing an 80% Misuse Rate into

Nearly Zero Errors

“A dodgy email containing a link that looks ‘legit’ but is actually malicious remains one of the most dangerous, yet successful, tricks in a cybercriminal’s handbook.” TechCrunch on CheckPhish

Cybersecurity tools often face a fundamental challenge: translating highly technical functionality into something intuitive for everyday users. Working on a product like CheckPhish, a tool that leverages AI to identify phishing threats and suspicious domains, I encountered a particularly knotty design problem.

01.1

Background

-01-

13% of app users and 80% of web visitors were misusing one of our core features.

13% of app users and 80% of web visitors were misusing one of our core features.

01.2

Metric

-02-

90%

Input accuracy improved more than 90%, with error rates dropping to nearly 0% after the redesign.

01.2

Metric

-02-

90%

Input accuracy improved more than 90%, with error rates dropping to nearly 0% after the redesign.

-03-

02.1

Define the Problem

Original Design

Original Design

02.1

Define the Problem

-04-

The Problem: Users weren’t Inputting the Right Data

  1. URL Scanner – Paste a suspicious link to see if it’s phishing.

  2. Domain Monitoring – Enter a domain to generate look-alike domains and detect possible impersonations.

    The problem? Many users didn’t understand the difference between a URL (https://malicious-link.com) and a domain (amazon.com).

    Two main misuse patterns emerged:

  • Phishing URLs: Users pasted full malicious links into Domain Monitoring instead of the URL Scanner.

  • Homepage URLs: Users entered formats like www.amazon.com instead of amazon.com.

The result was wasted system resources, skewed analytics, and frustrated users who didn’t get the results they expected.

URL Scanner – Paste a suspicious link to see if it’s phishing.

  1. Domain Monitoring – Enter a domain to generate look-alike domains and detect possible impersonations.

    The problem? Many users didn’t understand the difference between a URL (https://malicious-link.com) and a domain (amazon.com).

    Two main misuse patterns emerged:

  • Phishing URLs: Users pasted full malicious links into Domain Monitoring instead of the URL Scanner.

  • Homepage URLs: Users entered formats like www.amazon.com instead of amazon.com.

The result was wasted system resources, skewed analytics, and frustrated users who didn’t get the results they expected.

URL Scanner – Paste a suspicious link to see if it’s phishing.

  1. Domain Monitoring – Enter a domain to generate look-alike domains and detect possible impersonations.

    The problem? Many users didn’t understand the difference between a URL (https://malicious-link.com) and a domain (amazon.com).

    Two main misuse patterns emerged:

  • Phishing URLs: Users pasted full malicious links into Domain Monitoring instead of the URL Scanner.

  • Homepage URLs: Users entered formats like www.amazon.com instead of amazon.com.

The result was wasted system resources, skewed analytics, and frustrated users who didn’t get the results they expected.

Why the Existing Guidance Failed

We already displayed hints like “Enter domain name, e.g., amazon.com”.

 But errors persisted. Reviewing user behavior revealed why:

  • Habitual copy-pasting – Users grabbed entire URLs straight from their browser’s address bar.

  • Cognitive overload – Guidance text competed with other instructions and promotional messages on the page.

  • Mental model gap – Many users didn’t realize a URL and a domain are different things.

02.1

Define the Problem

-04-

The Problem: Users weren’t Inputting the Right Data

URL Scanner – Paste a suspicious link to see if it’s phishing.

  1. Domain Monitoring – Enter a domain to generate look-alike domains and detect possible impersonations.

    The problem? Many users didn’t understand the difference between a URL (https://malicious-link.com) and a domain (amazon.com).

    Two main misuse patterns emerged:

  • Phishing URLs: Users pasted full malicious links into Domain Monitoring instead of the URL Scanner.

  • Homepage URLs: Users entered formats like www.amazon.com instead of amazon.com.

The result was wasted system resources, skewed analytics, and frustrated users who didn’t get the results they expected.

Why the Existing Guidance Failed

We already displayed hints like “Enter domain name, e.g., amazon.com”.

 But errors persisted. Reviewing user behavior revealed why:

  • Habitual copy-pasting – Users grabbed entire URLs straight from their browser’s address bar.

  • Cognitive overload – Guidance text competed with other instructions and promotional messages on the page.

  • Mental model gap – Many users didn’t realize a URL and a domain are different things.

02.2

Design Audit

-05-

02.3

Design Process

-06-

02.3

Design Process

-07-

Early Fixes I Ruled Out

Early Fixes I Ruled Out

I explored a few ideas but discarded them quickly:

  • Longer instructions – Added more words, not clarity.

  • Auto-trimming URLs – Solved the symptom but didn’t teach the difference.

  • Error pop-ups – Risked annoying users mid-task.


None addressed the root cause: teaching the correct format without making users feel taught.

I explored a few ideas but discarded them quickly:

  • Longer instructions – Added more words, not clarity.

  • Auto-trimming URLs – Solved the symptom but didn’t teach the difference.

  • Error pop-ups – Risked annoying users mid-task.


None addressed the root cause: teaching the correct format without making users feel taught.

I explored a few ideas but discarded them quickly:

  • Longer instructions – Added more words, not clarity.

  • Auto-trimming URLs – Solved the symptom but didn’t teach the difference.

  • Error pop-ups – Risked annoying users mid-task.


None addressed the root cause: teaching the correct format without making users feel taught.

I explored a few ideas but discarded them quickly:

  • Longer instructions – Added more words, not clarity.

  • Auto-trimming URLs – Solved the symptom but didn’t teach the difference.

  • Error pop-ups – Risked annoying users mid-task.


None addressed the root cause: teaching the correct format without making users feel taught.

-08-

Educating by Design, Not Instruction

Educating by Design, Not Instruction

Instead of adding more text, I turned to affordance—using the design itself to signal the expected input.
Solution:

  • Pre-mask the Input Field – The field now shows https://www. by default, hinting that users only need to fill in what comes after (e.g., amazon.com).

  • Lightweight Help – A small question-mark icon provides a quick explanation for users who want more context.

Why It Works:

  • Reduces cognitive load—no extra reading required.

  • Leverages progressive disclosure—help appears only when needed.

  • Trains users over time without interrupting their flow.

Instead of adding more text, I turned to affordance—using the design itself to signal the expected input.
Solution:

  • Pre-mask the Input Field – The field now shows https://www. by default, hinting that users only need to fill in what comes after (e.g., amazon.com).

  • Lightweight Help – A small question-mark icon provides a quick explanation for users who want more context.

Why It Works:

  • Reduces cognitive load—no extra reading required.

  • Leverages progressive disclosure—help appears only when needed.

  • Trains users over time without interrupting their flow.

Instead of adding more text, I turned to affordance—using the design itself to signal the expected input.
Solution:

  • Pre-mask the Input Field – The field now shows https://www. by default, hinting that users only need to fill in what comes after (e.g., amazon.com).

  • Lightweight Help – A small question-mark icon provides a quick explanation for users who want more context.

Why It Works:

  • Reduces cognitive load—no extra reading required.

  • Leverages progressive disclosure—help appears only when needed.

  • Trains users over time without interrupting their flow.

Instead of adding more text, I turned to affordance—using the design itself to signal the expected input.
Solution:

  • Pre-mask the Input Field – The field now shows https://www. by default, hinting that users only need to fill in what comes after (e.g., amazon.com).

  • Lightweight Help – A small question-mark icon provides a quick explanation for users who want more context.

Why It Works:

  • Reduces cognitive load—no extra reading required.

  • Leverages progressive disclosure—help appears only when needed.

  • Trains users over time without interrupting their flow.

02.3

Design Process

-09-

03.1

User Flow Improvement

-10-

Flow Improvements Beyond the Input Field

While the pre-mask addressed the error rate issue, I also revisited other aspects of the tool’s user flow that contributed to confusion. The original design overwhelmed users with mixed guidance and promotional messages that lacked clear prioritization. For example:

Messages like “We help you discover potential scams or phishing URLs” (promotional) competed for attention with task-specific guidance.

Instructions such as “Enter domain,” “Export results first,” and “Contact us” were all presented together, making it hard for users to know where to start.

Why the Existing Guidance Failed

To simplify the flow and improve usability, I made two key adjustments:

  1. Breaking Down the User Flow into Steps

    • After clicking "Monitor New Domain," users are first asked if they want to export their results to avoid losing them. This serves as a clear reminder and allows us to seamlessly introduce an upsell opportunity for premium plans (e.g., unlimited monitoring).

    • Once users confirm or skip the export step, they proceed to monitor a new domain.

    • Why It Works: Users find tasks easier to complete when they’re broken into smaller steps. Separating the export reminder from domain monitoring clarified the flow and reduced cognitive overload.


  2. Repositioning and Simplifying Messaging

    • I moved the “Start Trial” and “Upgrade Plan” messages to the results page, creating space between promotional content and the main task flow.

    • Rephrased guidance using plain, user-friendly language to make instructions easier to process.

To simplify the flow and improve usability, I made two key adjustments:

  1. Breaking Down the User Flow into Steps

    • After clicking "Monitor New Domain," users are first asked if they want to export their results to avoid losing them. This serves as a clear reminder and allows us to seamlessly introduce an upsell opportunity for premium plans (e.g., unlimited monitoring).

    • Once users confirm or skip the export step, they proceed to monitor a new domain.

    • Why It Works: Users find tasks easier to complete when they’re broken into smaller steps. Separating the export reminder from domain monitoring clarified the flow and reduced cognitive overload.


  2. Repositioning and Simplifying Messaging

    • I moved the “Start Trial” and “Upgrade Plan” messages to the results page, creating space between promotional content and the main task flow.

    • Rephrased guidance using plain, user-friendly language to make instructions easier to process.

To simplify the flow and improve usability, I made two key adjustments:

  1. Breaking Down the User Flow into Steps

    • After clicking "Monitor New Domain," users are first asked if they want to export their results to avoid losing them. This serves as a clear reminder and allows us to seamlessly introduce an upsell opportunity for premium plans (e.g., unlimited monitoring).

    • Once users confirm or skip the export step, they proceed to monitor a new domain.

    • Why It Works: Users find tasks easier to complete when they’re broken into smaller steps. Separating the export reminder from domain monitoring clarified the flow and reduced cognitive overload.


  2. Repositioning and Simplifying Messaging

    • I moved the “Start Trial” and “Upgrade Plan” messages to the results page, creating space between promotional content and the main task flow.

    • Rephrased guidance using plain, user-friendly language to make instructions easier to process.

03.1

User Flow Improvement

-10-

Flow Improvements Beyond the Input Field

While the pre-mask addressed the error rate issue, I also revisited other aspects of the tool’s user flow that contributed to confusion. The original design overwhelmed users with mixed guidance and promotional messages that lacked clear prioritization. For example:


Messages like “We help you discover potential scams or phishing URLs” (promotional) competed for attention with task-specific guidance.


Instructions such as “Enter domain,” “Export results first,” and “Contact us” were all presented together, making it hard for users to know where to start.

Why the Existing Guidance Failed

To simplify the flow and improve usability, I made two key adjustments:

  1. Breaking Down the User Flow into Steps

    • After clicking "Monitor New Domain," users are first asked if they want to export their results to avoid losing them. This serves as a clear reminder and allows us to seamlessly introduce an upsell opportunity for premium plans (e.g., unlimited monitoring).

    • Once users confirm or skip the export step, they proceed to monitor a new domain.

    • Why It Works: Users find tasks easier to complete when they’re broken into smaller steps. Separating the export reminder from domain monitoring clarified the flow and reduced cognitive overload.


  2. Repositioning and Simplifying Messaging

    • I moved the “Start Trial” and “Upgrade Plan” messages to the results page, creating space between promotional content and the main task flow.

    • Rephrased guidance using plain, user-friendly language to make instructions easier to process.

03.1

User Flow Improvement

-11-

Web-Specific Fix: Default to the Right Tool

Web-Specific Fix: Default to the Right Tool

On the website, misuse was even higher because Domain Monitoring was the default tab.

  • I switched the default to URL Scanner—the feature most first-time visitors actually wanted.

  • Removed clutter and centered the scanner for a cleaner, app-like experience.

On the website, misuse was even higher because Domain Monitoring was the default tab.

  • I switched the default to URL Scanner—the feature most first-time visitors actually wanted.

  • Removed clutter and centered the scanner for a cleaner, app-like experience.

On the website, misuse was even higher because Domain Monitoring was the default tab.

  • I switched the default to URL Scanner—the feature most first-time visitors actually wanted.

  • Removed clutter and centered the scanner for a cleaner, app-like experience.

To fix this, I redesigned the graphic around clarity rather than strict proportionality:

  • Fixed Bubble Sizes – A limited range of small, medium, and large bubbles for visual balance.

  • Strategic Layout – Deliberately mixing sizes to avoid similar bubbles clustering.

  • Direct Number Labels – Embedding values inside bubbles so no legend scanning was needed.

  • Varied Text Size – Larger labels for higher-impact numbers.

  • Refined Color Palette – Reducing from 8 shades to 4 high-contrast colors for clear differentiation.


This shifted the chart from a mathematical diagram to a conceptual storytelling visual—retaining accuracy while improving readability.

03.2

Web Experience Improvement

-12-

03.3

Impact

Input Example - After Fix: Zero errors recorded over a half-month period

Input Example - Before Fix

Entry Error Amount

-13-

After launch, the improvements were both measurable and visible in our data:


  • Error rate: Dropped from 13% (app) & 80% (web) → almost 0%. The Entry Error Trend chart (first screenshot) shows a steep decline in incorrect inputs within weeks, with sustained near-zero errors.

  • User feedback: Described the updated Domain Monitoring as more intuitive and “self-explanatory.” This aligns with the Input Example – After Fix screenshot, where all monitored domains are cleanly formatted compared to the cluttered Before Fix example.

  • Business outcome: Higher conversions from free to premium plans, supported by reduced system strain and cleaner analytics.


These screenshots collectively illustrate the progression—from high, consistent error rates and messy inputs to error-free, standardized entries—demonstrating the redesign’s effectiveness in both UX and business terms.

After launch, the improvements were both measurable and visible in our data:

  • Error rate: Dropped from 13% (app) & 80% (web) → almost 0%. The Entry Error Trend chart (first screenshot) shows a steep decline in incorrect inputs within weeks, with sustained near-zero errors.

  • User feedback: Described the updated Domain Monitoring as more intuitive and “self-explanatory.” This aligns with the Input Example – After Fix screenshot, where all monitored domains are cleanly formatted compared to the cluttered Before Fix example.

  • Business outcome: Higher conversions from free to premium plans, supported by reduced system strain and cleaner analytics.


These screenshots collectively illustrate the progression—from high, consistent error rates and messy inputs to error-free, standardized entries—demonstrating the redesign’s effectiveness in both UX and business terms.

After launch, the improvements were both measurable and visible in our data:

  • Error rate: Dropped from 13% (app) & 80% (web) → almost 0%. The Entry Error Trend chart (first screenshot) shows a steep decline in incorrect inputs within weeks, with sustained near-zero errors.

  • User feedback: Described the updated Domain Monitoring as more intuitive and “self-explanatory.” This aligns with the Input Example – After Fix screenshot, where all monitored domains are cleanly formatted compared to the cluttered Before Fix example.

  • Business outcome: Higher conversions from free to premium plans, supported by reduced system strain and cleaner analytics.


These screenshots collectively illustrate the progression—from high, consistent error rates and messy inputs to error-free, standardized entries—demonstrating the redesign’s effectiveness in both UX and business terms.

03.3

Impact

-13-

After launch, the improvements were both measurable and visible in our data:

  • Error rate: Dropped from 13% (app) & 80% (web) → almost 0%. The Entry Error Trend chart (first screenshot) shows a steep decline in incorrect inputs within weeks, with sustained near-zero errors.

  • User feedback: Described the updated Domain Monitoring as more intuitive and “self-explanatory.” This aligns with the Input Example – After Fix screenshot, where all monitored domains are cleanly formatted compared to the cluttered Before Fix example.

  • Business outcome: Higher conversions from free to premium plans, supported by reduced system strain and cleaner analytics.


These screenshots collectively illustrate the progression—from high, consistent error rates and messy inputs to error-free, standardized entries—demonstrating the redesign’s effectiveness in both UX and business terms.

03.3

Impact

03.4

Takeaway

-14-

Why this Matters?

Why this Matters?

Phishing drives over 90% of cyberattacks, from data breaches to malware infections. For users, a single misinterpreted feature could mean missing a critical threat.
By embedding subtle education into the design, we not only fixed a frustrating usability problem—we strengthened trust, reduced resource waste, and protected users against one of the most common cyber threats.

Takeaway: The best education in UX often happens invisibly. When you design the interface to show the right behavior, you rarely have to tell.

Michele Du

Michele Du

Go Back

Reducing an 80% Misuse Rate to Nearly Zero Errors

Dashboard

Project

Case Study

My Profile

Back to top

Live

Go Back

80% Misuse → 0 Errors

Back to top

Live

Go Back

Reducing an 80% Misuse Rate to Nearly Zero Errors

Back to top

Live