Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Context-Aware Phishing Email Detection Using Machine Learning and NLP

Amitabh Chakravorty, Matthew Price, Nelly Elsayed, Zag ElSayed

Abstract

Phishing attacks remain among the most prevalent cybersecurity threats, causing significant financial losses for individuals and organizations worldwide. This paper presents a machine learning-based phishing email detection system that analyzes email body content using natural language processing (NLP) techniques. Unlike existing approaches that primarily focus on URL analysis, our system classifies emails by extracting contextual features from the entire email content. We evaluated two classification models, Naive Bayes and Logistic Regression, trained on a combined corpus of 53,973 labeled emails from three distinct datasets. Our preprocessing pipeline incorporates lowercasing, tokenization, stop-word removal, and lemmatization, followed by Term Frequency-Inverse Document Frequency (TF-IDF) feature extraction with unigrams and bigrams. Experimental results demonstrate that Logistic Regression achieves 95.41% accuracy with an F1-score of 94.33%, outperforming Naive Bayes by 1.55 percentage points. The system was deployed as a web application with a FastAPI backend, providing real-time phishing classification with average response times of 127ms.

Context-Aware Phishing Email Detection Using Machine Learning and NLP

Abstract

Phishing attacks remain among the most prevalent cybersecurity threats, causing significant financial losses for individuals and organizations worldwide. This paper presents a machine learning-based phishing email detection system that analyzes email body content using natural language processing (NLP) techniques. Unlike existing approaches that primarily focus on URL analysis, our system classifies emails by extracting contextual features from the entire email content. We evaluated two classification models, Naive Bayes and Logistic Regression, trained on a combined corpus of 53,973 labeled emails from three distinct datasets. Our preprocessing pipeline incorporates lowercasing, tokenization, stop-word removal, and lemmatization, followed by Term Frequency-Inverse Document Frequency (TF-IDF) feature extraction with unigrams and bigrams. Experimental results demonstrate that Logistic Regression achieves 95.41% accuracy with an F1-score of 94.33%, outperforming Naive Bayes by 1.55 percentage points. The system was deployed as a web application with a FastAPI backend, providing real-time phishing classification with average response times of 127ms.

Paper Structure

This paper contains 29 sections, 3 equations, 5 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. URL-Based Phishing Detection
  4. Email Content Analysis
  5. Methodology
  6. Dataset Description
  7. Text Preprocessing Pipeline
  8. Feature Extraction
  9. Classification Models
  10. Multinomial Naïve Bayes
  11. Logistic Regression
  12. Experimental Setup
  13. Results
  14. Model Performance Comparison
  15. Confusion Matrix Analysis
  16. ...and 14 more sections

Figures (5)

  • Figure 1: The distribution of legitimate and phishing emails across the three datasets. Dataset 3 contributes the largest number of samples, while Dataset 2 exhibits the highest class imbalance.
  • Figure 2: Performance comparison between Naïve Bayes and Logistic Regression. Logistic Regression achieves the highest scores across all metrics, with particularly notable improvement in precision.
  • Figure 3: Confusion matrices comparing classification performance. Logistic Regression achieves 40.6% fewer false positives (218 vs. 367) while maintaining comparable false negative rates.
  • Figure 4: Top 10 features with the highest coefficient magnitudes for phishing indicators (positive, red) and legitimate indicators (negative, green). Phishing indicators include action-oriented terms, while legitimate indicators reflect the training data composition.
  • Figure 5: Web interface displaying real-time classification results with confidence scores. The system provides detected indicators and risk assessment for user interpretation.