Do Users Focus on the Correct Cues to Differentiate Between Phishing and Genuine Emails?
Kathryn Parsons, Marcus Butavicius, Malcolm Pattinson, Dragana Calic, Agata McCormac, Cate Jerram

TL;DR
This study investigates which cues users rely on to distinguish phishing emails from genuine ones and finds a mismatch between effective indicators and user perceptions, informing better training strategies.
Contribution
The paper identifies key cues that differentiate phishing from genuine emails and reveals user reliance on ineffective cues, guiding improved educational approaches.
Findings
Users focus on cues like disclaimers and visual quality, which are poor indicators.
Effective cues such as message consistency and legitimacy perceptions are often overlooked.
The study informs targeted training to improve email security awareness.
Abstract
This paper examines the cues that typically differentiate phishing emails from genuine emails. The research is conducted in two stages. In the first stage, we identify the cues that actually differentiate between phishing and genuine emails. These are the consistency and personalisation of the message, the perceived legitimacy of links and sender, and the presence of spelling or grammatical irregularities. In the second stage, we identify the cues that participants use to differentiate between phishing and genuine emails. This revealed that participants often use cues that are not good indicators of whether an email is phishing or genuine. This includes the presence of legal disclaimers, the quality of visual presentation, and the positive consequences emphasised in the email. This study has implications for education and training and provides a basis for the design and development of…
Taxonomy
Topics: Spam and Phishing Detection · Digital Communication and Language · Misinformation and Its Impacts
