Eyes on the Phish(er): Towards Understanding Users' Email Processing Pattern and Mental Models in Phishing Detection

Sijie Zhuo, Robert Biddle, Jared Daniel Recomendable, Giovanni Russello, Danielle Lottridge

TL;DR

The study addresses how workload and visual phishing cues shape users' email-processing patterns and mental models. It integrates an inbox-style task with eye-tracking and electrodermal activity under a between-subjects workload design to examine responses to four tailored phishing emails, focusing on indicators such as the sender and URLs. Key findings show a significant negative association between attention to the email sender and phishing risk ($\rho$(76) = -0.362, $p = 0.001$), while attention to text-masked links increases susceptibility ($\rho$(76) = 0.258, $p = 0.005$) and attention to actual URLs in the browser does not confer protection ($\rho$(76) = 0.063, $p = 0.585$). The results highlight the pivotal role of first impressions—driven by relevance, familiarity, and visual design—in shaping trust and phishing vulnerability, with important implications for security interface design and user training.

Abstract

Phishing emails typically masquerade themselves as reputable identities to trick people into providing sensitive information and credentials. Despite advancements in cybersecurity, attackers continuously adapt, posing ongoing threats to individuals and organisations. While email users are the last line of defence, they are not always well-prepared to detect phishing emails. This study examines how workload affects susceptibility to phishing, using eye-tracking technology to observe participants' reading patterns and interactions with tailored phishing emails. Incorporating both quantitative and qualitative analysis, we investigate users' attention to two phishing indicators, email sender and hyperlink URLs, and their reasons for assessing the trustworthiness of emails and falling for phishing emails. Our results provide concrete evidence that attention to the email sender can reduce phishing susceptibility. While we found no evidence that attention to the actual URL in the browser influences phishing detection, attention to the text masking links can increase phishing susceptibility. We also highlight how email relevance, familiarity, and visual presentation impact first impressions of email trustworthiness and phishing susceptibility.
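As an added illustration, not code from the paper or its authors, the following Python implements a defender-side check for the two indicators the study examines: a sender address outside the expected organisation, and text-masked links whose visible text looks like a URL but whose href points somewhere else (the pattern in Figure 2). The sample message and the expected domain are constructed for this example.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the study): display name claims the university,
# the address does not, and the first link's text masks a different host.
SAMPLE_FROM = '"University IT Support" <helpdesk@example-mail.net>'
SAMPLE_HTML = (
    "<p>Your password expires today.</p>"
    '<a href="https://login.example-university.edu.example.net/reset">'
    "https://login.example-university.edu/reset</a><br>"
    '<a href="https://www.example-university.edu/policy">IT policy</a>'
)
EXPECTED_DOMAIN = "example-university.edu"  # assumed organisation domain


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Lower-cased hostname of a URL or bare domain string."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def masked_links(html):
    """Return hrefs whose link text looks like a URL/domain for a different host."""
    p = _LinkCollector()
    p.feed(html)
    url_like = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
    return [href for href, text in p.links
            if url_like.fullmatch(text) and _host(text) != _host(href)]


def sender_mismatch(from_header, expected_domain):
    """True when the From: address is not in (or under) the expected domain."""
    _name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain != expected_domain and not domain.endswith("." + expected_domain)
```

Running `masked_links(SAMPLE_HTML)` flags only the reset link, and `sender_mismatch(SAMPLE_FROM, EXPECTED_DOMAIN)` is true; the visible text a reader would attend to gives no hint of either.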

Paper Structure (40 sections, 6 figures, 14 tables)

Figures (6)

  • Figure 1: Structure of The User Study
  • Figure 2: The four phishing emails used in the study. p1) phishing email for credit card information; p2) phishing email for Google credential; p3) phishing email for university credential; p4) phishing email with attachment. The red boxes highlight the visual interests that participants tend to focus on. We removed some parts (in grey) of the email for anonymity. Note that the domain of the two links in p3 is similar and different
  • Figure 3: The user interface of the email simulator. The top left section is the simulated Gmail client interface, the bottom left section is the task panel, and the right side of the screen is a browser for viewing hyperlinks and attachments.
  • Figure 4: Participants' attention on the visual elements in the phishing email
  • Figure 5: Correlation between looking at the sender and being phished