Despite sophisticated phishing email detection systems and training and awareness programs, humans continue to be tricked by phishing emails. In an attempt to understand why phishing email attacks still work, we carried out an empirical study to investigate how people make response decisions while reading their emails. We used a "think aloud" method and follow-up interviews to collect data from 19 participants. The analysis of the collected data enabled us to identify eleven factors that influence people's response decisions to both phishing and legitimate emails. Based on the identified factors, we discuss how people can be susceptible to phishing attacks because of flaws in their decision-making processes. Furthermore, we propose design directions for developing a behavioral plugin for email clients that can be used to nudge people toward secure behaviors, enabling them to respond better to phishing emails.