Phishing is a model problem for usability concerns in privacy and security because both system designers and attackers battle in the user interface space. Careful analysis of the phishing problem promises to shed light on a wide range of security usability problems. In this paper, the authors examine the case of users authenticating web sites in the context of phishing attacks. In a phishing attack, the attacker spoofs a website (e.g., a financial services website). The attacker draws a victim to the rogue website, sometimes by embedding a link in email and encouraging the user to click on the link. The rogue website usually looks exactly like a known website, sharing logos and images, but the rogue website serves only to capture the user's personal information.