What You See is Not What You Get: The Role of Email Presentation in Phishing Susceptibility
Sijie Zhuo, Robert Biddle, Lucas Betts, Nalin Asanka Gamagedara Arachchilage, Yun Sing Koh, Danielle Lottridge, Giovanni Russello

TL;DR
This study investigates how email presentation, especially link display on different devices, influences user susceptibility to phishing attacks, revealing that link masking significantly affects mobile users' likelihood to click.
Contribution
It provides empirical evidence on the impact of email link presentation and device type on phishing susceptibility, highlighting the importance of presentation design.
Findings
Mobile and computer users are equally likely to click unmasked links.
Mobile users are more likely to click masked links than computer users.
Link presentation significantly influences phishing susceptibility.
Abstract
Phishing is one of the most prevalent social engineering attacks that targets both organizations and individuals. It is crucial to understand how email presentation impacts users' reactions to phishing attacks. We speculated that the device and email presentation may play a role, and, in particular, that how links are shown might influence susceptibility. Collaborating with the IT Services unit of a large organization doing a phishing training exercise, we conducted a study to explore the effects of the device and the presentation of links. Our findings indicate that mobile device and computer users were equally likely to click on unmasked links; however, mobile device users were more likely to click on masked links compared to computer users. These findings suggest that link presentation plays a significant role in users' susceptibility to phishing attacks.
Taxonomy
Topics: Spam and Phishing Detection · Misinformation and Its Impacts · Digital Communication and Language
