Leading product design and UX strategy for Webroot's AI-powered scam detection assistant — a high-stakes, high-trust surface built on responsible-AI principles that put clear verdicts ahead of fear.
Webroot — a flagship OpenText cybersecurity product — served millions of consumers across Windows, macOS, iOS, and Android. As scam calls, phishing attempts, and AI-generated fraud began outpacing consumer awareness, leadership saw an opening to lead the market with a contextual, AI-powered scam detection feature.
The opportunity was real, and so was the risk: a security assistant that overclaimed, alarmed users, or eroded trust could do more harm than good. A principled design strategy was needed before a single line of production code was written.
Research surfaced that elderly relatives and lower-tech users were primary scam targets — but even tech-savvy users admitted to false confidence. Existing tools offered no real-time assistance during suspicious interactions.
Generative AI could power a contextual scam detection assistant — but rushing to market risked false positives, fear-based UX, and eroded trust.
The charge for the UX Lead, working across product, engineering, privacy, and go-to-market stakeholders, was to take scam detection from concept to a shippable, trustworthy AI product, owning both the strategy and the hands-on delivery.
Lead the product design strategy and UX framework for a new AI-powered scam detection assistant — from research and personas through wireframes and conversation design — anchored in responsible AI principles that avoided fear-based patterns and preserved user agency.
Grounding the assistant in real user behavior meant studying the people most exposed to scams — and those who only thought they were safe. The team ran generative research across three core personas representing the product's real customer base, with a bias/risk review baked in to ensure the design would not exploit user anxiety.
"I think we all have this false sense of security until something actually happens to us."
— Amanda Murphy, Working Professional persona · Webroot UX Research, 2023
A recurring theme across all three personas was the gap between perceived and actual risk — users felt protected without understanding what protection meant in practice. This shaped a core design principle for the scam detection assistant: verdicts, not lectures. The product needed to deliver immediate clarity (safe / suspicious / blocked) without requiring users to learn cybersecurity concepts first.
Research also surfaced strong resistance to fear-based interfaces. Participants across cohorts described abandoning tools that felt alarmist or that used technical jargon to upsell. This directly informed the emotional tone of the AI assistant's conversational design — calm, factual, and action-oriented — and the notification system's threshold logic.
The scam detection assistant represented Webroot's most significant product innovation in years — and its highest-risk UX surface. Unlike passive protection (antivirus, VPN), this feature required active user participation: choosing what to submit, interpreting AI verdicts, and deciding whether to act on recommendations.
Leading the product design strategy meant resolving a fundamental tension: the assistant needed to be helpful enough to feel like a trusted expert, but restrained enough to avoid false confidence, fear exploitation, or over-dependence. The design strategy document — developed collaboratively across UX, engineering, privacy, and sales stakeholders — defined four non-negotiable principles before wireframes began.
Research consistently showed that asking users to decide whether something needed checking was itself a barrier. The assistant defaulted to a SmartScan approach — users should not need to know whether something was suspicious before submitting it. A URL, screenshot, or message could be pasted or uploaded, and the assistant handled classification.
Conversation flows led with the verdict (safe / suspicious / blocked), followed by the reasoning, followed by the recommended action. This inverted the typical AI assistant pattern of building to a conclusion, because security decisions require immediate clarity, not narrative arc. The flows were designed to avoid Lovable.dev-style UI patterns that bury the result in excessive prose.
Every alert, warning, and verdict went through a bias/risk review before production. Language that implied catastrophe, exaggerated risk, or pushed toward upsell was flagged and revised. The assistant's voice was designed to read like a knowledgeable friend, not a threat dashboard. This was codified in a responsible AI copy guide distributed to the content and engineering teams.
The AI assistant design worked through privacy review before any technical architecture was finalized — ensuring that submitted content (URLs, screenshots, messages) was handled with appropriate data minimization, clear consent flows, and transparent retention policies. Privacy was a design constraint, not an afterthought.
The shipped realization of the Scam Detection Assistant is AI Scam Protection: a dedicated module inside the Webroot app that lets people check whether something is legitimate before they act on it. It accepts the content users are actually unsure about — email and direct-message text, files and documents, images, and video — through a single drop zone. A user can drag a file in, paste a suspicious link, or paste the body of a message, and the assistant classifies it. This is the SmartScan-first principle in production: users never have to decide whether something is "suspicious enough" to check first.
The flow leads with intent rather than a bare spinner — the processing state reads "Checking for scams…", framing the wait around the verdict it is building toward. The privacy posture is stated at the point of use, not buried in terms: the panel reminds users that Webroot only scans what they share and does not store their data or reach anything else on the device. Nothing in the experience uses red, countdowns, or fear copy — the same calm, factual tone the persona research demanded.
One drop zone takes email and message text, files, images, and video. Users paste or drag — they never have to judge whether something is suspicious before submitting it. The SmartScan-first research principle, shipped as a single input affordance.
The wait state says "Checking for scams…" rather than showing a bare spinner, framing the experience around the safe / suspicious / blocked verdict it is building toward — clarity over narrative arc, exactly as the conversation design specified.
The panel tells users plainly that Webroot only scans what they share and does not store their data or access anything else on the device — the privacy-by-design principle made visible where the decision happens, not hidden in a terms page.
No red states, no countdowns, no fear copy in the scanning flow — just the brand mascot and a plain-language status. The emotional tone reflects the research finding that users abandon tools that feel alarmist or upsell through anxiety.
Responsible AI framework established as a template for all future AI-powered features — including formal bias/risk review, ethical copywriting standards, and a privacy-first design protocol that predated legal requirements and positioned the product for regulatory compliance.
AI Scam Protection shipped inside the Webroot app — a SmartScan-first experience that lets users check email, messages, files, images, and links and returns a plain-language safe / suspicious / blocked verdict, with privacy stated at the point of use.
A verdict-first conversation model that inverted the typical AI assistant pattern — leading with the answer, not narrative — and a calm, non-alarmist voice codified in a responsible-AI copy guide distributed to content and engineering teams.