Abstract:
Despite sophisticated phishing email detection systems and training and
awareness programs, humans continue to be tricked by phishing emails. In an
attempt to better understand why phishing email attacks still work and how best
to mitigate them, we have carried out an empirical study to investigate
people's thought processes when reading their emails. We used a scenario-based
role-play "think aloud" method and follow-up interviews to collect data from 19
participants. The experiment was conducted using a simulated web email client,
and real phishing and legitimate emails adapted to the given scenario. The
analysis of the collected data has enabled us to identify eleven factors that
influence people's response decisions to both phishing and legitimate emails.
Furthermore, based on the user study findings, we discuss novel insights into
flaws in the general email decision-making behaviors that could make people
susceptible to phishing attacks.