Why People Still Fall for Phishing Emails: An Empirical Investigation into How Users Make Email Response Decisions

Asangi Jayatilaka, Nalin Asanka Gamagedara Arachchilage, Muhammad Ali Babar

TL;DR

This study addresses why users still fall for phishing by revealing how people decide to respond to emails. Using a think-aloud, role-play methodology with a simulated email client and grounded theory analysis, the authors develop a theoretical model in which perceived email legitimacy is shaped by sender legitimacy cues, content familiarity, professionalism, expected receipt, information depth, link trust, security content, and past experiences; intention to respond is mediated by emotional attachments and personal habits, with validation behavior influencing actions. The key contributions include a granular, data-driven model that links cognitive, affective, and behavioral factors to unsafe email responses, and a set of design recommendations for anti-phishing education and tools that move beyond mere legitimacy judgments to promoting secure responses. This work provides practical implications for education, training, and tool design, emphasizing tailored interventions, safe validation practices, and the incorporation of emotions and habits into defense strategies, thereby enhancing the effectiveness of phishing resistance in real-world settings.

Abstract

Despite technical and non-technical countermeasures, humans continue to be tricked by phishing emails. How users make email response decisions is a missing piece in the puzzle to identifying why people still fall for phishing emails. We conducted an empirical study using a think-aloud method to investigate how people make 'response decisions' while reading emails. The grounded theory analysis of the in-depth qualitative data has enabled us to identify different elements of email users' decision-making that influence their email response decisions. Furthermore, we developed a theoretical model that explains how people could be driven to respond to emails based on the identified elements of users' email decision-making processes and the relationships uncovered from the data. The findings provide deeper insights into phishing email susceptibility due to people's email response decision-making behavior. We also discuss the implications of our findings for designers and researchers working in anti-phishing training, education, and awareness interventions.

Paper Structure (32 sections, 3 figures)

This paper contains 32 sections, 3 figures.

Figures (3)

  • Figure 1: Simulated web email client
  • Figure 2: The number of unique concepts for each participant
  • Figure 3: Overview of the theoretical model developed based on gathered qualitative data. The latent variables are indicated with ovals, and core categories derived based on GT analysis are shown in rectangles. Concepts are not shown in the figure for brevity. In a 'partially affect' relationship only some concepts in a category are affected by the other category or latent variable.