[Paper] Why people still fall for phishing emails

Why people still fall for phishing emails: an empirical investigation into how users make email response decisions
Asangi Jayatilaka, Nalin Asanka Gamagedara Arachchilage and Muhammad Ali Babar
Symposium on Usable Security and Privacy (USEC) 2024
26 February 2024, San Diego, CA, USA

Despite technical and non-technical countermeasures, humans continue to be tricked by phishing emails. How users make email response decisions is a missing piece in the puzzle to identifying why people still fall for phishing emails.
We conducted an empirical study using a think-aloud method to investigate how people make ‘response decisions’ while reading emails. The grounded theory analysis of the in-depth qualitative
data has enabled us to identify different elements of email users’ decision-making that influence their email response decisions.
Furthermore, we developed a theoretical model that explains how people could be driven to respond to emails based on the identified elements of users’ email decision-making processes and the relationships uncovered from the data. The findings provide deeper insights into phishing email susceptibility due to people’s email response decision-making behavior.
We also discuss the implications of our findings for designers and researchers working in anti-phishing training, education, and awareness interventions.

The paper ends with five concrete enhancements to state-of-the-art anti-phishing education, training, and awareness tools to support users in making safe email responses. Among others, we suggest that the goal of anti-phishing education, training, and awareness tools should shift from accurate email legitimacy judgments to secure email responses.