Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Phishing Codebook: A Structured Framework for the Characterization of Phishing Emails

Tarini Saka, Rachiyta Jain, Kami Vaniea, Nadin Kökciyan

TL;DR

This paper introduces the Phishing Codebook, a human-centric qualitative framework for characterizing phishing emails by extracting eight high-level descriptive features that mirror human perception. Using iterative qualitative coding on 503 Nazario emails (2015–2021) and validating with inter-rater reliability of 0.93, the authors demonstrate how these codes enable robust campaign identification and generate tailored end-user guidance. The Codebook generalizes to new contexts, as shown by an independent UK-university dataset, with minor adaptations (notably adding an individual-from-sector). The work highlights practical implications for multi-layer defenses, real-time user guidance, and reproducible labeling, while outlining limitations and directions for automation and broader validation.

Abstract

Phishing is one of the most prevalent and expensive types of cybercrime faced by organizations and individuals worldwide. Most prior research has focused on various technical features and traditional representations of text to characterize phishing emails. There is a significant knowledge gap about the qualitative traits embedded in them, which could be useful in a range of phishing mitigation tasks. In this paper, we dissect the structure of phishing emails to gain a better understanding of the factors that influence human decision-making when assessing suspicious emails and identify a novel set of descriptive features. For this, we employ an iterative qualitative coding approach to identify features that are descriptive of the emails. We developed the ``Phishing Codebook'', a structured framework to systematically extract key information from phishing emails, and we apply this codebook to a publicly available dataset of 503 phishing emails collected between 2015 and 2021. We present key observations and challenges related to phishing attacks delivered indirectly through legitimate services, the challenge of recurring and long-lasting scams, and the variations within campaigns used by attackers to bypass rule-based filters. Furthermore, we provide two use cases to show how the Phishing Codebook is useful in identifying similar phishing emails and in creating well-tailored responses to end-users. We share the Phishing Codebook and the annotated benchmark dataset to help researchers have a better understanding of phishing emails.

Phishing Codebook: A Structured Framework for the Characterization of Phishing Emails

TL;DR

This paper introduces the Phishing Codebook, a human-centric qualitative framework for characterizing phishing emails by extracting eight high-level descriptive features that mirror human perception. Using iterative qualitative coding on 503 Nazario emails (2015–2021) and validating with inter-rater reliability of 0.93, the authors demonstrate how these codes enable robust campaign identification and generate tailored end-user guidance. The Codebook generalizes to new contexts, as shown by an independent UK-university dataset, with minor adaptations (notably adding an individual-from-sector). The work highlights practical implications for multi-layer defenses, real-time user guidance, and reproducible labeling, while outlining limitations and directions for automation and broader validation.

Abstract

Phishing is one of the most prevalent and expensive types of cybercrime faced by organizations and individuals worldwide. Most prior research has focused on various technical features and traditional representations of text to characterize phishing emails. There is a significant knowledge gap about the qualitative traits embedded in them, which could be useful in a range of phishing mitigation tasks. In this paper, we dissect the structure of phishing emails to gain a better understanding of the factors that influence human decision-making when assessing suspicious emails and identify a novel set of descriptive features. For this, we employ an iterative qualitative coding approach to identify features that are descriptive of the emails. We developed the ``Phishing Codebook'', a structured framework to systematically extract key information from phishing emails, and we apply this codebook to a publicly available dataset of 503 phishing emails collected between 2015 and 2021. We present key observations and challenges related to phishing attacks delivered indirectly through legitimate services, the challenge of recurring and long-lasting scams, and the variations within campaigns used by attackers to bypass rule-based filters. Furthermore, we provide two use cases to show how the Phishing Codebook is useful in identifying similar phishing emails and in creating well-tailored responses to end-users. We share the Phishing Codebook and the annotated benchmark dataset to help researchers have a better understanding of phishing emails.
Paper Structure (39 sections, 4 figures, 6 tables)

This paper contains 39 sections, 4 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Grouping Similar Phishing Emails
  4. ML-based Representation of Phishing Emails
  5. Human-centric Representation of Phishing Emails
  6. Automatic Response to Users
  7. Qualitative Analysis of Phishing Emails
  8. Dataset
  9. Coding Methodology
  10. Unit of analysis
  11. Exploratory phase
  12. Main coding phase
  13. Inter-Rater Reliability
  14. Result - A Phishing Codebook
  15. Application of the Codebook on an Independent Dataset
  16. ...and 24 more sections

Figures (4)

  • Figure 1: A example WeTransfer email.
  • Figure 2: A comparison of two almost identical phishing emails sent to a user two days apart.
  • Figure 3: A comparison of three similar phishing emails sent to a user impersonating three different banks.
  • Figure 4: Emails from the USAA cluster.