Eyes on the Phish(er): Towards Understanding Users’ Email Processing Pattern and Mental Models in Phishing Detection

Workload has been shown to influence users’ performance, with higher workload leading to increased psycho-physiological activation, strain, and fatigue, which can negatively affect task performance (Hockey, 1997; Fan and Smith, 2017). Studies indicate that both task workload and email load impact users’ email reading behavior and susceptibility to phishing (Vishwanath et al., 2011; Jalali et al., 2020; Rozentals, 2021). Under high workload, users find it more challenging to process emails, which can increase their susceptibility to phishing. Additionally, they are more likely to interact with phishing emails that appear relevant under high workload compared to low workload (Zhuo et al., 2024).

Detecting phishing emails requires attention. Users need to be somewhat suspicious of an email before considering it phishing (Canfield et al., 2016), and this requires paying attention to the email, and elaborate on the content (Musuva et al., 2019; Harrison et al., 2016). Extending this phenomenon, studying where users’ allocate their attentions when processing phishing emails is valuable for uncovering the mental models behind user behaviours.

Eye-tracking technology is one common approach to capture users’ visual attention to emails to study their email processing patterns. Pfeffel et al. (Pfeffel et al., 2019) used eye-tracking in an email judgement study. They found that experts are efficient: participants who were able to detect phishing spent more time looking at the header area and less time looking at emails overall. On the other hand, non-experts need more time: they took longer to look over aspects of the messages to distinguish between legitimate and phishing emails. We extend this work by studying the dwell time on specific parts of the header, such as the sender address. Further, we explored whether Pfeffel’s judgement-task findings hold within a realistic email inbox scenario.

The visual design of phishing emails plays an important role in influencing users’ trust and their susceptibility to phishing attacks (Parsons et al., 2016; Vishwanath et al., 2011; Pfeffel et al., 2019; Burda et al., 2020; Alseadoon et al., 2015). Users tend to rely on visual cues to heuristically determine the email’s legitimacy (Harrison et al., 2015). Attackers often take advantage of this to craft phishing emails that mimics legitimate ones, to make phishing emails appear authentic, to trick users into falling for the attack (Williams and Polage, 2019).

With the rapid growth of artificial intelligence (AI) and large language models (LLMs), many cognitively demanding tasks can be automated, improving efficiency. However, these technologies can also be exploited maliciously. Studies show that tools like ChatGPT can generate compelling email content and source code for phishing websites (Grbic and Dujlovic, 2023; Karanjai, 2022; Roy et al., 2023; Begou et al., 2023). Moreover, attackers can leverage AI to create sophisticated spear-phishing emails with minimal effort by providing more information about the victims to these models (Gradonm, 2023).

Tailored phishing, a term introduced by Burda et al. (Burda et al., 2020), describes phishing attacks that fall between generic phishing and spear-phishing. Similar to generic phishing, tailored phishing is a single-stage attack (hit-or-miss attack) but involves gathering additional information about the victims and their organisation to craft the phishing email, targeting a smaller population. Unlike spear-phishing, which involves iterative information gathering and attack engineering, tailored phishing requires less effort due to its single-stage nature. With advancing AI technology, we anticipate a shift from more generic, hit-or-miss attacks to more tailored and sophisticated phishing emails closely related to the recipient.

In the study, participants imagined themselves as temporary office workers managing emails related to a university club’s event (see Appendix for full scenario and instructions). The study targeted university students and staff, with scenario and email content designed to simulate real-life emails and activities. Participants were tasked to process emails as if they were actual recipients, handling tasks such as replying to queries and compiling event information.

Before processing the emails, participants watched an introductory video explaining the task, scenario, application interface, and other relevant background information. An information sheet with details for completing the primary task was provided, and participants were asked to familiarise themselves with it before starting the email processing session.

To enhance the realism of the scenario, we included various types of emails in the inbox, simulating a typical email inbox. We also created a website and poster for the scenario, reinforcing the idea that the information is publicly accessible.

The true research goal was not disclosed to the participants to avoid biasing their behaviour and interaction with the emails. For the same reason, participants were not informed about the presence of phishing emails in the inbox.

The experiment used a between-subjects design, with participants randomly assigned to either low or high workload conditions. Both sessions lasted 15 minutes but differed in the number of emails to be processed: 20 for the low workload and 30 for the high workload. The number of task-related emails was doubled in the high workload condition to ensure participants experienced a higher workload. Our workload manipulation was similar to Zhuo’s study, where they also doubled the task-related emails in the high workload condition compared to the low workload. The breakdown of the emails used in the conditions are shown in Table 1.

We included the same four phishing emails in both low and high workload conditions to maintain consistency and comparability. The scenario simulated attackers scraping publicly accessible information and using large language models (LLMs) to generate well-crafted, tailored email messages and phishing resources, such as landing pages. We followed this process using information about the club to create tailored phishing emails for our study and finalised the designs with some manual adjustments.

All phishing email senders were external unknown senders, reflecting the hit-or-miss nature of tailored attacks. Since all participants were university students or staff, they should be able to distinguish between internal and external email addresses. We ensured that all phishing emails were actionable, meaning participants could engage with them using the provided information. This design avoided scenarios like undelivered parcels, which might be easily dismissed as irrelevant to participants’ tasks. We exclude spear-phishing emails and internal phishing emails because these emails would be too difficult for participants to detect in a simulated scenario. Also, they are less common because it must be tailored to each organisation attacked. The visual presentation of the phishing emails are shown in Figure 2.

In our study, participants were considered phished if they submitted their credentials to the phishing website or clicked on the phishing attachment.

All participants completed the study in a controlled environment using the same equipment. We used the custom software from Zhuo et al. (Zhuo et al., 2024), which included a simulated Gmail client panel and a primary task panel, as shown in Figure 3. The email client panel supported most interactions needed for processing emails, and participants’ interactions were recorded for data analysis. The primary task panel contained content to help participants complete their primary tasks. To support accurate eye tracking, the application was positioned on the left side of the screen, allowing the right side to display embedded links and PDF attachments in a browser. Due to limited screen space, we simulated the Gmail client with the side menu bar collapsed, displaying the inbox and email content side by side.

For the hardware, we used a Tobii Pro X3-120 screen-based eye tracker to measure participants’ areas of interest (AoI) and eye movement data (eye fixation rate, fixation duration) and a wrist-worn health tracker Empatica E4 to collect electrodermal activity (EDA).

We used eye fixation rate, eye fixation duration and EDA to assess cognitive load. Previous studies have shown that both eye movement (Chen et al., 2011; Wang et al., 2014; Van Gog et al., 2009) and EDA data (Setz et al., 2009; Conway et al., 2013) are good indicators of cognitive load. Consistent with prior research, we measured the median fixation rate and fixation per second, and counted the average EDA peaks per minute to assess participants’ cognitive load.

We included a post-study questionnaire to understand participants’ cognitive load, email reading behaviours, and interactions with various emails they had seen during the email processing session. The questionnaire consisted of five sections: (1) demographic information; (2) a NASA TLX questionnaire to assess subjective workload rating (Hart and Staveland, 1988); (3) an email rating section; (4) a cybersecurity knowledge test; and (5) a phishing cue detection section.

The email rating section included eight emails from the email processing session, four phishing emails and four legitimate emails. For each email, participants answered four questions: (1) whether they remembered seeing the email; (2) which parts of the email they paid attention to (multiple select); (3) how they judged the trustworthiness of the email (on a 7-point scale); and (4) their justification for the email’s trustworthiness. These questions helped assess participants’ attention to emails and their mental models for evaluating email trustworthiness.

In the phishing cue detection section, participants received paper copies of the phishing emails from the email processing session and were debriefed on the real research goal and the existence of phishing emails in the study. They were asked to encircle any suspicious elements they noticed in the phishing emails. If they fell for a phishing email, they were asked to provide reasons for why they were deceived.

We recruited 115 participants, including 62 undergraduate students, 32 graduate students, and 21 staff members. The mean age was 26.2 years, with a standard deviation of 7.6. Among these participants, 60 were women, 53 were men, and 2 were non-binary. Due to some technical problems with the eye tracker, 37 participants’ eye-tracking data was not collected. The 78 participants with eye-tracking data were used in the hypothesis testing.

Each participant was given a $20 grocery voucher for their participation. Our study protocol was reviewed and approved by the Human Participants Ethics Committee of the university.

We evaluate the effectiveness of our workload manipulation. An alpha value of $0.05$ was used for all tests.

To compare physiological stress in our low versus high workload conditions, we examine EDA. Mean EDA peak counts were normalised based on each participant’s mean baseline EDA peak count, which was calculated from a 15-minute session during the post-study questionnaire when participants were expected to be relaxed. We conducted two Wilcoxon signed-rank tests on the mean EDA peak count between processing emails compared to the baseline. A greater difference indicates a greater change in load. The differences between baseline and workload conditions were significant (Table 3), indicating both low and high workload were more physiologically arousing than baseline. We conducted a one-sided Mann-Whitney U test to directly compare EDA in low and high workload. The results were insignificant, but in the direction that is consistent with our expectations. There were more EDA peaks per minute in the high workload ($M=2.58,SD=2.14$) compared to low workload ($M=1.61,SD=1.08$), with an effect size of $r=0.238$.

We evaluated participants’ normalised median fixation duration and fixation rate from the eye tracker. Normalisation was necessary to account for individual baseline differences. Fixation duration was normalised using a min-max scaling method (value between 0 and 1). We performed one-sided, unpaired t-tests for the fixation duration, fixation rate, and the NASA TLX data. Differences were not significant. The normalised median fixation duration was in the expected direction: higher in the high workload ($M=0.14,SD=0.03$) and lower to low workload ($M=0.13,SD=0.04$), with an effect size of $r=0.264$.

We expected that participants would spend more time reading each email under low workload compared to high workload. We performed one-sided unpaired t-tests on the average reading time of different types of emails, as shown in Table 4. Results were significant, indicating that participants spent significantly more time reading each email under low workload compared to high workload.

Based on these results, we conclude that our workload manipulation may induce some differences in cognitive workload between low and high workload.

We hypothesised that participants under high workload are more likely to fall for tailored phishing emails compared to those under low workload. We conducted a one-sided Mann-Whitney U test to compare the number of phishing emails participants fell for between low ($M=2.71,SD=1.01,min=0,max=4$) and high ($M=2.60,SD=0.81,min=1,max=4$) workload conditions. The Mann-Whitney U test was chosen because it is suitable for comparing ordinal data between two independent groups. Our results show no significant difference, $U(N_{low}=38,N_{high}=40)=834,p=0.216$, indicating that there is no evidence that people fall for more tailored phishing emails under high workload compared to low workload. Therefore, H1 is not supported.

To test whether participants who looked at the email senders were less likely to fall for phishing, we examined the number of phishing emails where participants looked at the email sender (both sender name and address) and the number of times they fell for phishing. Based on the literature, it takes approximately 400 ms to recognise a word (Meeter et al., 2020). Phishing indicators such as email sender and URLs typically contain several words, so we consider 2 seconds to be a reasonable threshold to classify participants as looking at a cue. Since the data are ordinal and not normally distributed, we conducted Spearman’s correlation tests instead of t-tests. We observe a significant negative correlation, $\rho(76)=-0.362,p=0.001$, indicating that participants who looked at the email sender were less likely to fall for phishing (Figure 5 in Appendix B; H2a supported). Of participants who did look at the sender and fall for phishing, they spent 3 seconds gazing at the sender area ($SD=1.08$), whereas those who did not fall on average spent 3.4 seconds ($SD=1.18$).

We hypothesised that those who look at the actual hyperlink URLs are less likely to be phished. We evaluate this hypothesis based on three phishing emails with masked links where the actual URL can be seen through hover. The fourth contains a phishing attachment without any links. There were only two instances where participants hovered and then looked at the URLs displayed at the bottom of the screen, and in both instances, they reported the phishing email. Thus, the vast majority of participants clicked on the link without ever seeing the URL. The participant was then brought to a browser page where the URL was visible (as shown in Figure 1). Our analysis focuses on whether participants looked at the actual URL in the browser.

We performed a Spearman’s correlation between the viewed URLs (through hover and in the browser) and falling for phishing (i.e., typing in credentials in the phishing website). Our result showed no significant correlation, $\rho(76)=0.063,p=0.585$. Thus, H2b is not supported because there is no evidence that looking at the actual hyperlink URLs influences participants’ propensity to type in their credentials into a phishing site.

In addition to the quantitative analysis we performed to study participants’ attention on phishing emails, we also analysed their subjective reports on the AoIs they focused on while reading phishing and legitimate emails, and their ratings of the emails’ trustworthiness and the reasoning behind these ratings.

As shown in Figure 4, one of the biggest differences between participants’ attention to the visual elements is the attention to the email sender address. In cases where participants did not fall for phishing emails, 64% paid attention to the email sender address, compared to only 36% of those who fell for phishing. Additionally, although about half of the participants looked at hyperlinks, they rarely hovered over them to check the actual URLs. This is consistent with our observation that there were only two instances where participants checked the hovered URL. In comparison, when reading legitimate emails, participants focused more on the email subject and less on other visual elements.

For each of these visual elements, we conducted a Spearman’s correlation test between the number of times participants reported paying attention to the visual element and the number of times they fell for phishing. The correlation was only significant between reported attention on the email sender address and the phished count, and the result is consistent with H2a, $\rho(113)=-0.260,p=0.005$.

In the questionnaire, we asked the participants to rate the trustworthiness of the email on a scale from 1 to 7. We classify participants’ ratings below 4 as trusting the email, 4 as unsure, and above 4 as not trusting the email. Participants wrote free-text responses explaining the reasons for each of the 920 ratings. In a first pass, the main author created codes as an intermediate step in a thematic analysis process (Braun and Clarke, 2006). For example, the response “Anything involving money and credit card is not trusted.” is coded as “asking for sensitive information.” The main author then combined the codes into themes (see Appendix). The themes were tabulated in a manner consistent with verbal protocol analysis (Simon and Ericsson, 1984).

Based on the themes created, we performed a frequency analysis to study the most common reasons for trusting and distrusting an email. This frequency analysis helps highlight general patterns in user behaviours and perceptions and aids in understanding the users’ mental models behind their decisions.

The three most mentioned themes categorised by their rated trustworthiness and actual phished stats are shown in Table 5. Participants tend to trust emails from trusted senders or when the email intention is reasonable and relevant. They would not trust emails where they can identify suspicious cues, such as emails that ask for sensitive information and are sent from unknown senders.

It is worth noting that even though some participants noticed suspicious cues in the phishing email, they still reported trusting the email. For instance, “sender not trusted” was mentioned twelve times when they rated the phishing email as trusted.

Additionally, when exploring each phishing email, we found that the most common reason for not trusting p1 is asking for sensitive information (38 times). For the other three phishing emails, suspicious email sender address is the most frequently mentioned reason (29 times, 9 times, and 37 times, respectively).

After the post-study questionnaire session, participants were debriefed about the phishing emails and asked to encircle the suspicious cues in the phishing emails and provide reasons for why they fell for them. Out of the 102 participants who filled out the questions (102 * 4 = 408 entries), there were 25 phishing emails from 20 participants where they could not find any suspicious cues. This indicates that most participants know, in principle, how to identify phishing cues in phishing emails.

Similar to the trustworthiness rating analysis, we conducted a thematic analysis by first generating 22 initial codes from participants’ reasons for falling for phishing, then categorising them into eleven themes. Table 6 shows the five most identified phishing cues and reasons for falling for phishing emails. The full list of themes is attached in the Appendix. Recalling H2a, we found that looking at the email sender correlates with lower phishing susceptibility. Among the 94 instances where participants fell for phishing because they trusted the phishing email sender, only 10 involved participants spending more than 2 seconds reading the sender’s details.

When exploring individual phishing emails, we found that excluding the “time pressure” reason, participants’ reasons for falling for the phishing emails differed. For p1, the most reported reason was “reasonable/relevant intention”. For p2 and p3, it was “trusting the visual presentation of the email/landing page”. For p4, it was “sender trusted”.

We conducted post-hoc analyses to further explore aspects of email interactions and deepen our understanding of participants’ phishing email performance. Specifically, we examined their objective and subjective reasoning for rating the trustworthiness of phishing emails and their reasons for falling for them. In this section, we present a variety of tests and again use an alpha value of 0.05. We choose not to apply corrections for multiple tests because our study involves multiple speculative tests (to assess whether participants looked, how many emails they looked at, and how long they looked at each visual element), which complicates the selection of appropriate corrections. Hence, we believe it is reasonable to report results without correction. Any results that appear significant would require further study with a priori hypotheses.

Many studies highlight the importance of checking email sender addresses to assess the legitimacy of the email (Dixon et al., 2022; Steves et al., 2019; Tomé, 2023; Aver, 2021; Stouffer, 2022). Our study provides concrete evidence that looking at the email sender indeed can reduce the likelihood of falling for phishing emails. We observed many participants deliberately paying attention to the email sender address to verify the email’s legitimacy.

However, looking at the email sender address does not guarantee the detection of phishing emails. Participants also need to know how to assess the trustworthiness of the email sender. In the study, all four phishing emails utilised some form of spoofed sender to enhance trustworthiness, as shown in Figure 2. The username of p1’s sender address was related to the credit card payment, p2 and p3 used fake sender domains that were similar to the real ones, and the sender name of p4 was relevant to the scenario. Our results show that participants reported 78 times across the four phishing emails that they trusted the phishing email because the sender seemed known or trusted. This suggests that while participants looked at the sender, they did not critically interpret the trustworthiness of the information. For example, in p4, many participants reported that they had seen the sender’s name before, so they did not bother checking the sender address. This underlines the necessity of paying attention to details when checking emails.

Another frequently mentioned tip for detecting phishing emails is to check the hyperlinks in the email. However, our study revealed that participants rarely hovered over the hyperlinks to check the actual URL. Surprisingly, there were only two instances (from different participants) where participants checked the hovered URLs in phishing emails. In both instances, they reported the email as phishing. This suggests that those who know how to check URLs can interpret them correctly. Most participants, however, looked at the actual URL through the link in the browser. The URLs of the landing pages used spoofing techniques to enhance their trustworthiness, as shown in Figure 2. For example, the phishing URL domain for p2 was ”docs-google.online,” which is similar to the official Google Docs page ”docs.google.com.” In p3, the displayed hyperlink was a seemingly trusted URL that differed from the actual phishing URL. The high phished rates among participants who looked at the actual URL suggest they were unable to identify the phishing cue in the URL. This aligns with McAlaney and Hills’s study (McAlaney and Hills, 2020), highlighting the importance of both reading time and interpretation of visual cues in phishing detection. Additionally, the higher phished rate results from shorter reading time on the complex phishing emails (p2 and p3) before clicking also implies that impulsivity contributes to influencing participants’ interaction, validating findings from Lawson et al. and Parsons et al. (Lawson et al., 2020; Parsons et al., 2013).

It is worth noting that viewing the URL in the browser implies they have already clicked on the link. This action is dangerous even if credentials are not entered because link clicks can be tracked by attackers and used for further malicious attempts. After opening the landing page, participants’ attention could be distracted by the website content, making them less likely to check the actual URL.

The differences in phished rates between the phishing emails allow us to explore the impact of email visual designs on participants’ attention and their mental models of processing phishing emails. A commonly reported reason for falling for p2 and p3 was trusting the visual presentation of the message and landing pages. After seeing familiar emails and landing pages, participants tended to assume the email was trusted and overlooked other phishing cues, such as the email sender address. This aligns with the finding that emails and websites deemed more professional-looking tended to be trusted more (Stojmenović et al., 2022). This issue is becoming more serious as the cost of creating professional-looking emails and websites has decreased significantly due to advancements in AI and LLMs.

In the credit card phishing email, many participants distrusted the email because they identified the suspicious intention (asking for sensitive information) rather than focusing on the email sender address, which they typically did with other phishing emails. More than 10 participants reported not trusting the email because they simply did not trust any money-related emails. In contrast, the two phishing emails (p2 and p3) that asked for login credentials resulted in much higher phishing rates.

Our results suggest that participants’ perception of sensitive information mainly includes financial-related information, such as credit card details, while login credentials to digital services like university and Google accounts do not raise the same red flags. This distinction is troubling because it indicates a potential gap in understanding the importance of protecting non-financial information. Many participants did not realise entering credentials to phishing websites can have serious consequences. Although participants’ behaviour in the experiment may not be fully reflective of real-world behaviour, the willingness to disclose credentials but not credit card details raises concerns about their perception of credentials as sensitive information.

Our results show that the first 10 seconds after opening an email are crucial for participants to determine its relevance and legitimacy. For example, when the attention-grabbing element feels suspicious, such as in p1, many participants quickly raised a red flag and investigated its legitimacy. On average, participants who clicked the link but were not phished spent less time reading the email than those who got phished. This supports Pfeffel et al.’s finding (Pfeffel et al., 2019) that longer email reading time does not necessarily improve phishing detection.

Conversely, when participants saw an email with a familiar Google file-sharing layout (p2), they tended to trust it without much thought. This could explain why participants spent less than 10 seconds before clicking the phishing link in p2, with those who got phished spending, on average, only 2.5 seconds on the email. This short reading time suggests that familiar layouts influenced participants’ decisions. Similarly, participants could quickly identify marketing emails based on their layout and images.

In p4, many participants reported trusting the email because the sender looked familiar. We observed similar behaviour with legitimate emails, where participants quickly responded based on visual cues like the email sender name and layout. This suggests that the email sender name is one of the first visual elements participants focus on, significantly influencing their first impression.

These observations indicate that participants’ first impressions heavily influence their judgement of an email. In the initial seconds of viewing an email, their judgements were driven by intuitions and heuristics rather than systematic evaluation. When their impression did not raise a red flag, participants tended not to critically process the email. This could explain why participants sometimes identified suspicious cues but still rated the email as trustworthy. Expanding on this idea, this may partially explain why participants did not inspect the hovered URL, as they did not question its legitimacy and it is not intuitive to view the embedded URL. Our findings reflect this, showing that without inspecting the actual URL, participants who paid attention to the text masking the link were more likely to fall for phishing.

These findings all converge on one idea, that participants’ perceptions of email relevance, familiarity and visual professionalism strongly impact their first impressions of the email and its trustworthiness, which could lead to overlooking phishing indicators that could help them detect phishing emails. This reveals a critical vulnerability in how users process emails. The reliance on first impression over systematic evaluation highlights the need for further research.

Recalling that H1 is not supported, we speculate that the insignificance in the results may be due to the unsuccessful workload manipulation. We observed some significant differences, such as email reading time between conditions, but the manipulation was not strong enough to register a subjective difference between groups. Zhuo et al.’s study used a within-subject design, meaning participants directly compared their experiences of the workloads, which contributed to registering a significant subjective difference. Our study would require a much stronger workload condition to register a subjective difference. This would require adding more emails and tasks. The additional workload would increase the strength of the manipulation but also add complication to the comparison analysis. There would be a wider variation in the amount of work that people did and the number of phishing emails they would see.

The results of this study have several implications for future research and for improving individual and organisational defences against phishing attacks.

Our study has several limitations that need to be acknowledged.

One of the main limitations is the ineffective manipulation of workload. Although we doubled the number of task-related emails under high workload conditions, the overall workload was not doubled due to the presence of other emails. The use of a between-subject design also influenced the strength of the results. We observed that many participants, experienced in processing emails, could complete the tasks in the high workload condition in under 10 minutes. Conversely, some participants struggled to complete the low workload within the 15-minute time period given.

Second, before the email processing session, participants were asked to spend several minutes reading an information sheet containing background information on the scenario and tasks. Ideally, participants should have reasonable familiarity with the content to efficiently find the needed information. However, our study did not assess participants’ familiarity with the content. As a result, some participants spent a long time reading through the document during the email processing session to find information, which influenced their interaction with the emails.

Third, some phishing emails were too relevant to the scenario, resulting in a very high phished rate. Although the phishing emails were crafted with the assumption that all the information is publicly accessible by attackers, the role-playing nature of the study blurred the line between relevant and non-relevant emails. Furthermore, since the email sender is an important cue that helps participants distinguish between legitimate and phishing emails, role-playing a character instead of processing participants’ own emails meant they were uncertain whether they should know the sender.