Systematic Literature Review: Anti-Phishing Defences and Their Application to Before-the-click Phishing Email Detection

Most research into anti-phishing defence assumes that the mal-actor is attempting to harvest end-users' personally identifiable information or login credentials and, hence, focuses on detecting phishing websites. The defences for this type of attack are usually activated after the end-user clicks on a link, at which point the link is checked. This is known as after-the-click detection. However, more sophisticated phishing attacks (such as spear-phishing and whaling) are rarely designed to get the end-user to visit a website. Instead, they attempt to get the end-user to perform some other action, for example, transferring money from their bank account to the mal-actors account. These attacks are rarer, and before-the-click defence has been investigated less than after-the-click defence. To better integrate and contextualize these studies in the overall anti-phishing research, this paper presents a systematic literature review of proposed anti-phishing defences. From a total of 6330 papers, 21 primary studies and 335 secondary studies were identified and examined. The current research was grouped into six primary categories, blocklist/allowlist, heuristics, content, visual, artificial intelligence/machine learning and proactive, with an additional category of "other" for detection techniques that do not fit into any of the primary categories. It then discusses the performance and suitability of using these techniques for detecting phishing emails before the end-user even reads the email. Finally, it suggests some promising areas for further research.