A review of organization-oriented phishing research

Demographics.

Studies show that demographics are a significant factor in determining individuals’ susceptibility to phishing attacks. A study of university students in Emirates showed that junior students are less likely to fall victim to phishing than senior students (Mohebzada et al., 2012). Likewise, an investigation of multi-national financial organizations revealed that older participants are more vulnerable to phishing than younger participants (Taib et al., 2019). This observation was ascertained in several companies from various sectors (Lain, Kostiainen & Čapkun, 2022); however, this correlation was not observed with users of privacy-preserving technology companies (Clark, 2012). Younger users are more susceptible at the early stages (receiving and opening emails), whereas older users are more likely to fall victim at advanced stages (e.g., visiting phishing sites) (Zhou, Zhang & Liu, 2023). Considering the variation in studies’ results, we can attribute this to differences in participants’ age ranges, with some studies focusing on ages 18 to 25, while others include participants up to 40.

On the other hand, empirical studies have found that gender does not have a statistically significant impact on one’s likelihood of falling victim to an attack (Mohebzada et al., 2012; Taib et al., 2019; Flores, Farid & Samara, 2019; Clark, 2012; Zhou, Zhang & Liu, 2023; Lain, Kostiainen & Čapkun, 2022; Ribeiro, Guedes & Cardoso, 2024) except for a study in a Philippine university showing higher awareness of spam (Hermogenes & Capariño, 2019). Thus, while age remains a crucial factor in identifying those at greater risk, gender does not appear to influence susceptibility to phishing.

Regarding the university major, studies showed that IT students have a higher awareness of phishing emails and cybercrimes compared to their peers in education and science fields (Manasrah, Akour & Alsukhni, 2015); likewise, they have the best resistance against phishing attacks (Andrić, Oreški & Kišasondi, 2016). Similarly, 54.32% of IT students were aware of spam and phishing compared with students from teaching education programs (Hermogenes & Capariño, 2019), signifying the importance of technology competencies in phishing susceptibility (Ribeiro, Guedes & Cardoso, 2024). This finding is contrasted by Clark (2012), who reported an absence of correlation between an employee’s field of study in the US, whether computer-related or not, and their susceptibility to phishing attacks in experimental settings. These contrasting results highlight a complex landscape of cyber literacy and vulnerability among university students, suggesting that awareness does not necessarily equate to immunity from cyber threats.

Organizational-based factors.

Several key elements are found in the analyzed literature. The strong belief in organizations’ security measures may lead to a lower sense of risk (Kearney & Kruger, 2014) as observed in interviews with banking IT staff who assumed that their security protocols would prevent attacks or quickly rectify its implications (Conway et al., 2017).

Additionally, the length of time employees had worked at the company played a role. Newer employees, especially those in their first year, were found to be more vulnerable to phishing attempts than their more tenured colleagues (Kearney & Kruger, 2014). This finding was supported by a large-scale simulation in financial organizations (Taib et al., 2019) and a field experiment at a university and a large international consultancy company (Burda et al., 2020).

Furthermore, job responsibilities influenced vulnerability to phishing; thus, employees with managerial duties tended to be more cautious, potentially due to their investment in the company’s image or the consequences of non-compliance (Taib et al., 2019; Eftimie et al., 2021). Additionally, employees with higher effective organizational commitment show higher awareness in various Australian organizations (Reeves, Parsons & Calic, 2020). For example, employees from technology-based departments have a higher level of awareness than those from social-based departments in a Thai organization (Daengsi et al., 2021). Also, job roles that utilize a centralized inbox lead to increased exposure to potential phishing emails due to the nature of such inboxes (Williams, Hinds & Joinson, 2018). Apart from the job roles, generally, the frequent use of general computers and usual internet routine reduce employees’ susceptibility to phishing (Ribeiro, Guedes & Cardoso, 2024; Lain, Kostiainen & Čapkun, 2022).

The susceptibility to phishing was also examined between sectors. Government employees have more knowledge of phishing protection than employees from private sectors in Saudi Arabia (Innab et al., 2018). Adding to that, employees associated with privacy-preserving technology companies in the US are still likely to disclose personal information in phishing scenarios (Clark, 2012).

Interruptions during tasks increase the likelihood of employees falling for phishing scams, as they may be less focused and thus more susceptible to fraudulent communications (Williams, Morgan & Joinson, 2017).

The importance of organizational norms in influencing employees’ compliance with information security policies (ISPs) has been highlighted by Petrič & Roer (2022) and Williams, Hinds & Joinson (2018). The study provides comprehensive knowledge of how many normative variables, in particular phishing vulnerability, affect employees’ conduct. Notably, the investigation shows that the effect of descriptive norms on the tendency of staff members to click on questionable links differs from the effect of personal norms in the same tendency. It has been shown that workers who adopt security-promoting norms are less likely to interact with phishing emails and to exercise caution when clicking on embedded links. The research suggests that a moral commitment to organizational security norms triggers more analytical processing of emails. However, this commitment may not always safeguard against sophisticated phishing tactics post-click.

These results imply that evaluating and mitigating phishing susceptibility in an organizational setting requires a comprehensive approach that takes into account variables including job role, tenure, perceived security strength, and organizational norms.

Security and privacy perception and knowledge.

The perception and knowledge of security and privacy can play a crucial role in an individual’s susceptibility to cyber threats. A study of Middle Eastern countries revealed that the perceived high-security risk does not always translate to protective actions as the participants may fall prey to phishing (Aleroud et al., 2020). Similarly, in Australia, individuals with a lower fear of cyber threats exhibited better information security awareness (Reeves, Parsons & Calic, 2020; Ribeiro, Guedes & Cardoso, 2024).

Furthermore, a lack of security knowledge, such as misunderstanding security indicators on websites, leaves users more open to deception by phishers who often exploit such gaps in knowledge (Aleroud et al., 2020; Williams, Hinds & Joinson, 2018). Knowledge of the difference between HTTP and HTTPS and URL syntax and shorteners can help university students avoid suspicious emails (Andrić, Oreški & Kišasondi, 2016). A lack of technical understanding about what spear phishing entails, how personal information is used in attacks, and the consequences of engaging with phishing emails can lead to increased susceptibility (Williams, Hinds & Joinson, 2018), especially for financial consequences (Aleroud et al., 2020). Knowledge of red flags in phishing emails, such as spelling errors and sender address is critical (Williams, Hinds & Joinson, 2018; De Bona & Paci, 2020; Buckley et al., 2023). While this knowledge can be effective and used by several users, they might be misleading in the occurrence of lateral phishing, requiring knowledge of the sender’s writing style and the expectation of communication topic (Chitare, Coventry & Nicholson, 2023).

Higher privacy behavior reduces individuals’ susceptibility to phishing (Zhou, Zhang & Liu, 2023), particularly among women in the Middle East, influencing their willingness to share personal details; however, this caution does not necessarily extend to protecting them from phishing (Mohebzada et al., 2012; Aleroud et al., 2020).

Although raising knowledge of security and privacy is critical, it does not always protect against phishing, signifying the need for improving security procedures and education.

Personality traits.

The Big Five personality traits have been linked to various behaviors concerning vulnerability to phishing. Highly conscientious individuals typically engage in responsible security practices, whereas those with lower levels of conscientiousness are prone to riskier behaviors (Eftimie et al., 2021). Similar to the findings above, those in leadership positions, often characterized by low levels of agreeableness and high levels of conscientiousness, are less likely to fall for phishing attacks (Eftimie et al., 2021; Yaser Al-Bustani et al., 2023). Regarding trust, it significantly affects vulnerability to spear phishing; especially in Middle Eastern countries. Phishers usually exploit trust, particularly through credible-looking and contextually convincing materials, which underline the intricate link among personality, trust, and susceptibility to phishing (Aleroud et al., 2020). Experimenting with financial organizations shows that employees with higher trust in their intuition are less likely to engage with phishing emails (Buckley et al., 2023). In addition, individuals’ self-efficacy in detecting phishing attempts demonstrated a significant influence on their susceptibility to phishing attacks (Ribeiro, Guedes & Cardoso, 2024). People with high Influence are less susceptible to phishing due to their social awareness and caution, those with high Stability are moderately resistant but still have some vulnerabilities, while individuals with high Dominance are more susceptible because they prioritize results over careful scrutiny (Yaser Al-Bustani et al., 2023).

Testing methodology.

To assess and enhance awareness, previous research employed various methodologies. The most common methodology is the phishing simulation experiments (Bakhshi, 2017; Blancaflor et al., 2021; Bakar, Mohd & Sulaiman, 2017). An example is sending an email asking the employees to click on a link to a survey (Bakhshi, 2017; Blancaflor et al., 2021). The success of these simulated attacks can reveal the extent of vulnerability among the participants. To boast the benefits of such methodology, Rutherford, Lin & Blaine (2022) utilized the machine learning algorithms to understand the simulation results based on the potential victim’s demographics and administrative data.However, setting up simulated phishing experiments to measure actual behaviors is not only expensive but also raises ethical concerns, such as user consent.

Surveys developed to gather information can precede simulated phishing attacks. For example, researchers in Manila collected personal details through a survey and then used this information to launch targeted phishing attacks (Blancaflor et al., 2021). In some cases, surveys can effectively replace simulation methodologies. The results of an experiment in an Indonesian government sector revealed a significant relationship between the simulation results and the questionnaire results (Ikhsan & Ramli, 2019). However, Flores et al. (2015) suggested that the methodology used is dependent on the culture as surveys can be used as a proxy to measure employees’ intention to avoid social engineering in Sweden while scenarios are the best proxy in American culture, indicating that the use of assessment methods can differ between national cultures. Another method to test users’ awareness is the use and development of standard scales. A phishing experiment with Australian students revealed that students who achieved high scores in the experiment also achieved a high score on the Human Aspects of Information Security Questionnaire (Parsons et al., 2017).

Testing results.

Several studies have highlighted how surprisingly easy it can be to execute successful phishing attacks within organizations. For instance, in a branch office of a cooperative organization, a significant number of employees were comfortable sharing sensitive information, such as details about office supplies and equipment (Bakhshi, 2017). This finding underscores a lack of awareness regarding the sharing of potentially sensitive information. In a mid-sized university, 44.3% of users clicked on at least one phishing email, with 18.6% entering valid credentials (Cuchta et al., 2019); similarly, 42% of students in another experiment visited and completed forms and downloaded the email attached image (Rastenis et al., 2019). In total, 38% in a Malaysian university also entered their work ID and password, and 95% agreed to receive the financial aid (bait) (Bakar, Mohd & Sulaiman, 2017). This pattern of failure is not that different in surveys where 25% of students failed to correctly identify phishing emails in the survey (Andrić, Oreški & Kišasondi, 2016). A long-term study in various sectors revealed that about 32% will fall for phishing at least once if exposed to phishing emails (Lain, Kostiainen & Čapkun, 2022). These high engagement rates with phishing attempts indicate a substantial gap in awareness and the ease with which attackers can exploit this vulnerability. Studies in higher education institutions have shown that a large portion of students and employees are influenced by phishing emails, with a notable percentage of them providing personal data. This finding suggests a need for enhanced security education and training.

Phishing simulation for training.

Simulated phishing exercises are also used to train employees to recognize and respond to phishing attempts. This method involves creating and sending simulated phishing emails to employees, which mimic the tactics and appearance of real phishing emails, but without the malicious intent. The goal is to expose employees to the types of phishing that they might encounter in a safe and controlled environment. Such studies were explored in several sectors and countries such as transportation in Bangkok (Sirawongphatsara et al., 2023), various small Japanese organizations (Higashino et al., (2019), healthcare sector (Williams, Zafar & Gupta, 2024), and Israeli financial institution (Hillman, Harel & Toch, 2023). A notable finding across several studies, including research in Italy (De Bona & Paci, 2020) and the USA (Pirocca, Allodi & Zannone, 2020), shows that targeted simulated phishing training reduces susceptibility compared with generic phishing training (McElwee, Murphy & Shelton, 2018) with a noticeable increase in phishing reporting rate (Hillman, Harel & Toch, 2023). However, analysis of mid-sized and large companies demonstrates this method’s limited effectiveness for those already susceptible to phishing (Siadati et al., 2017; Lain, Kostiainen & Čapkun, 2022). Other research explored combining the phishing simulation with rewards and sanctions in organizations to mitigate risky behavior (Blythe, Gray & Collins, 2020; McElwee, Murphy & Shelton, 2018).

Although this type of training is effective in raising awareness, it is challenging to run; for example, using the open-source framework raises concerns about exposing staff information suggesting storing users’ data locally rather than using public servers (Higashino et al., 2019). If run locally without tools, it is overwhelming to manage in large organizations (Althobaiti, Jenkins & Vaniea, 2021).

Serious games.

Serious games are typically employed in various fields. Serious games include interactive games for education and training. Pantic & Husain (2018) applied the Five-Factor Model of personality traits to correlate types of phishing emails with individual vulnerabilities, suggesting a more personalized approach for training. Underhay, Pretorius & Ojo (2016) proposed a game-based e-learning model for university technology students in South Africa. The game involves role-playing as a system administrator, requiring players to secure networks and systems. Gupta et al. (2020) developed a serious game for cybersecurity professionals to identify sophisticated phishing emails using a mix of quizzes and feedback mechanisms. Similarly, Birajdar & T N (2022) developed a serious game for IT professionals that concentrates on aspects such as interactivity, depth of knowledge, awards, and sanctions.

Phishing training courses.

Phishing training is used for various purposes, such as educational curricula and IT training programs. Turner & Turner (2019) integrated phishing awareness modules into social studies classes, demonstrating positive outcomes in understanding and preventing phishing attacks. Interactive tools and apps are used to provide training in order to increase awareness among students and professionals in American high schools (Podila et al., 2020) and various sectors in Qatar (Al-hamar & Kolivand, 2020). This type of training is also used for helping cybersecurity students efficiently create spear phishing attacks, such as developing the Social Engineering Vulnerability Evaluation (SiEVE) process, a method for identifying targets, profiling them, and crafting highly personalized social engineering attacks (Meyers et al., 2018).

Combining theoretical training with practical training in a medical organization in the Slovak Republic improved phishing awareness to 13% (Madleňák & Kampová, 2022). Additionally, combining two or more training methods can effectively enhance security awareness, such as providing text-based training along with gamification (Alkhazi et al., 2022). For example, due to the limited resources in small-sized universities, Matovu et al. (2022) incorporated the in-class lectures for training combined with after-training Kahoot!-based games.

However, even after employing security training, a significant proportion of employees are still vulnerable to phishing (Kearney & Kruger, 2014; Madleňák & Kampová, 2022), indicating the need for long term awareness plan.

Online phishing advice.

The use of Twitter-based awareness strategies for bank customers in the Emirates revealed that while there is increased use of social media for fraud awareness, the impact and clarity of the advice vary (Skula, Bohacik & Zabovsky, 2020). Mossano et al. (2020) analyzed the publicly available anti-phishing web pages and found a lack of inconsistencies and concrete advice (Mossano et al., 2020).

Real time support.

Previous research examined the impact of providing support to users when they encounter potential phishing attempts. The use of security nudges (e.g., highlighting the sender) improves individuals’ detection of phishing emails (Nicholson, Coventry & Briggs, 2017). Similarly, using the EyeBit extension that deactivate all the forms inputs if the user did not look at the address bar underscores the importance of real-time, user-centric tools in combating phishing (Miyamoto et al., 2014).

The real-time support that is coming from peers and family was studied by Coronges et al. (2012). They studied the impact of social networks on mitigating the spread of phishing attacks, investigating whether warnings from friends or superiors are more effective in preventing successful phishing incidents. However, highly central individuals did not warn others about phishing attacks, meaning these networks are ineffective. Adding a warning on the top of a suspicious email as real-time support intervention significantly reduces phishing clicks and dangerous actions, though the length of the warning has no significant difference in the click rate (Lain, Kostiainen & Čapkun, 2022).

Classification based measures.

Classification-based methods are widely employed for detecting phishing attacks. These methods leverage various classification techniques such as machine learning (Mahbub, Pardede & Kayes, 2022), deep learning (He et al., 2024; Devalla et al., 2022), natural language processing (Dunder, Seljan & Odak, 2023; Tudosi et al., 2023), computer vision (Pires & Borges, 2023). These classification methods utilize a wide range of features such as URL-based features (Swarnalatha et al., 2021; Devalla et al., 2022; Bouijij, Berqia & Saliah-Hassan, 2022; Aslam & Nassif, 2023), image-based features extracted from websites screenshots (Tanimu & Shiaeles, 2022), websites cost features (Ito, Takata & Kamizono, 2022), and social features extracted from LinkedIn profiles (Dewan, Kashyap & Kumaraguru, 2014). For detecting voice phishing calls, Yu et al. (2024) explored several classifiers such as XGBoost, SVM, and Random Forest and found that combining Named Entity Recognition (NER) with sentence-level N-gram techniques improves the classification performance, particularly in reducing false negatives. In addition, some papers utilized feature detection algorithms such as Oriented FAST and Rotated BRIEF (ORB) algorithms for logo detection and localization (Bhurtel, Siwakoti & Rawat, 2022). Studies have focused on balancing data to enhance model accuracy using techniques like SMOTE (Alsubaei, Almazroi & Ayub, 2024; Tamanna et al., 2024).

Random forest and XGBoost have been used effectively on datasets such as URLs, websites, and job ads, achieving accuracies as high as 98.37% in certain cases (Devalla et al., 2022; Aslam & Nassif, 2023; Tamanna et al., 2024; Dewan, Kashyap & Kumaraguru, 2014). Support vector machines (SVM), KNN, and decision trees are also popular classifiers for phishing detection, with varying levels of success, reaching up to 94.87% accuracy (Shombot et al., 2024; Mahbub, Pardede & Kayes, 2022). Neural networks, particularly BiLSTM and ANN, show significant potential in URL and email phishing detection, with accuracies reaching up to 99.27% (Bouijij, Berqia & Saliah-Hassan, 2022; Alsubaei, Almazroi & Ayub, 2024; Pires & Borges, 2023). Heuristic approaches complement these methods by identifying phishing through analyzing sender information (Sanchez & Duan, 2012) and applying the local outlier factor on email headers from mirrored SMTP network traffic (Wu & Guo, 2022). NLP is explored for detecting various attacks, including phishing emails, through email content and source URL analysis (Thejaswini & Indupriya, 2019). Hierarchical clustering and K-medoids have been used to develop automatic categorization systems for grouping phishing websites or malware based on shared characteristics (Zhuang et al., 2012). The list of studies with their results are summarized in Table 2.

Multi-layer classification methods.

Some studies integrate multiple approaches, such as using K-nearest neighbors, and IP-based mechanisms, focusing on IP mapping and logo recognition (Bhurtel, Siwakoti & Rawat, 2022), or machine learning algorithms with dynamic firewall rule generation (Tudosi et al., 2023). Similarly, the use of the naive Bayesian classifier, fuzzy string comparison, and image hashing results in 95% detection of fake educational domains (Privalov & Smirnov, 2023; Privalov & Smirnov, 2022). Classifying phishing websites using blacklists alone is not effective as they are not effective against zero-day attacks and cloaked phishing sites (Oest et al., 2019; Chen et al., 2021). Though, phish Mail Guard integrates blacklist, white list, heuristic techniques, DNS, and textual content analysis for comprehensive phishing email identification (Hajgude & Ragha, 2012). Varshney et al. (2021) proposed a novel method to uncover DNS over HTTPS traffic for phishing detection. Another study is NoFish, where (Niroshan Atimorathanna et al., 2020) combined various mechanisms like URL analysis, visual similarity detection, DNS phishing detection, and an email client plugin. It utilizes machine learning, natural language processing (NLP), and computer vision techniques to detect phishing attacks, achieving an accuracy of 94% for URL detection and 91.67% for email detection. Using information from software-defined networking through deep packet inspection with the help of NNA resulted in an average accuracy of 98.1% (Chin, Xiong & Hu, 2018). Heuristics also was used by Liu & Zhang (2012). They proposed two layers of detection where they first compute the weight for the URL features. If the weight does not exceed a threshold, they check the webpage features, providing specialized detection mechanisms for financial phishing.

Collaborative phishing detection.

Collaboration between organizations can effectively defend against phishing. Higashino (2019) designed a system for sharing information about phishing attacks across financial organizations. Vos, Erkin & Doerr (2021) presented a privacy-preserving protocol for querying multiple data providers without revealing stored data. Similarly, Deval et al. (2021) employed machine learning methods for collaborative phishing detection, allowing for the inclusion of new features in the models while Salau, Dantu & Upadhyay (2021) utilized blockchain technology to share data about phishing between organizations. Interestingly, Stembert et al. (2015) proposed a method that combines interaction methods to detect email phishing attacks, leveraging the intelligence of both expert users and novice users.

Authentication based prevention.

Email spoofing techniques such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) help IT staff in organizations to verify the authenticity of the sender’s domain to prevent malicious actors and countermeasures phishing emails (Kulkarni et al., 2024). However, these protocols have a low adoption rate because of the deployment technical issues, weak incentives, and concerns about blocking legitimate emails (Hu, Peng & Wang, 2018), requiring applying other methods to complement them. Similarly, the security multi-factor authentication method–Fast Identity Online 2 protocol was found to be challenging to deploy with concerns of security, usability, and adaptability in real-world enterprise use cases (Kepkowski et al., 2023). Recent studies proposed several authentication solutions, such as the use of dynamic password technology as an alternative to OTP, offer new avenues for preventing phishing attacks (Xu, Qi & Xi, 2016) and the brand indicator for message identification to complement the sender’s email domain with their organization authenticated logo (Dolnák & Kampová, 2022). Additionally, Bojjagani, Brabin & Rao (2020) proposed a novel authentication protocol that sends a nonce message to a mobile customer device to avoid phishing attacks. DMARCBox provides analytical reports to combat email phishing, offering accurate graphical reports alongside geolocation mapping of email sources (Nanaware, Mohite & Patil, 2019). Thakur & Yoshiura (2021) propose AntiPhiMBS-Auth, a model for mobile banking systems, to combat phishing at the authentication level, addressing users who mistakenly download phishing apps and those vulnerable to phishing emails or SMS.

Other prevention methods.

Other studies focus on specific aspects of phishing attacks. Teerakanok, Yasuki & Uehara (2020) presented a practical solution for detecting bogus invoice schemes using checksums from invoices and shared secret information. Eshmawi & Nair (2019) aimed to protect organizations from Smishing attacks with a roving proxy framework. Goel, Sharma & Goswami (2017) suggested a method to prevent QR code manipulation for sharing sensitive information. ’DeFD’ distinguishes disguised executable files in phishing emails transferred over network connections to enhance incident response (Ghafir et al., 2018). Since phishing is the first step to initiating other attacks, Lam & Kettani (2019) focused on detecting and preventing ransomware delivery through phishing channels, while Zhang et al. (2012) introduced a VPN abuse detection system to identify compromised accounts rapidly. Virtual honeypot solutions are also used to prevent access to phishing sites (Husák & Cegan, 2014; Chauhan & Shiwani, 2014). Ho et al. (2019) developed a new detector for lateral phishing attacks to minimize false positives. Insider threat is one of the most common threats for lateral phishing, thus He et al. (2024) improved their phishing detection algorithm by utilizing Bi-LSTM with Attention mechanisms to detect insider threats based on user behavior. Since phishers nowadays start to encrypt their websites, Ohmori (2023) proposed a method to detect “Let’s Encrypt” sites using TLS 1.2 or less as they easily provide free encryption certificates and are commonly used by attackers; however, such tools can be improved to accurately detect malicious websites.

Some solutions aim to protect a specific brand. For example, Al-Hamar et al. (2021) proposed a solution for specific organizations to defend against organization-targeted phishing emails, focusing on domain names, while Ramanathan & Wechsler (2013) proposed a multi-stage methodology to take down websites impersonating organizations.

These varied approaches underscore the multifaceted nature of phishing defense, highlighting the importance of interdisciplinary collaboration and technological innovation in combating evolving cyber threats.

Incident analysis and management.

Incident analysis is an important step in the fight against phishing because organizations are required to mitigate the attack and learn from it to prevent future attacks. Lacey, Salmon & Glancy (2015) conducted a system analysis of processes, documentation, and activity logs to explore cyber situational awareness in organizations. To gain a deeper understanding of attack impact and the organizations’ response, tools for analyzing and visualizing phishing attacks hitting the organizations have been developed to enhance cyber situational awareness of targeted phishing attacks (Legg & Blackman, 2019) and to assess security risks in banking institutions (Gupta et al., 2021a). Furthermore, Gupta et al. (2021b) developed a conceptual model to investigate social engineering attacks in a calculated way from several perspectives including attacker methods, exploit weaknesses, and the consequences of the attack on the cryptographic algorithms. Similarly, Lohiya & Thakkar (2024) reviewed several attack modeling techniques (e.g., cyber kill chains, the diamond model, and security incident response matrix) for phishing attacks, revealing the significance of models to improve the risk assessment and response strategies. These tools and models help network defenders better understand the attacker’s methodology, assess the risks at each attack stage, and implement timely mitigation strategies. Using a survey of professionals from major accounting firms in Nigeria, the research finds that digital forensic accounting significantly helps in reducing phishing scams, advance fee fraud, and credit card fraud (Awodiran et al., 2023).

Phishing reporting.

Reporting phishing is essential in the fight against phishing because it allows organizations to respond quickly and block the attacks before they cause harm. To enhance the reporting rate, Burda, Allodi & Zannone (2020) proposed a crowd-sourced approach to automate response and containment against spear phishing, empowering users and strengthening resilience, which is observed by Lain, Kostiainen & Čapkun (2022) who found that employees can effectively and quickly report phishing emails while maintaining consistent reporting rate. Interestingly, while 31% of employees had the intention to report phishing emails, the most believable phishing emails are less likely to be reported compared to obvious ones (Kersten et al., 2022), making it important to raise awareness about the importance of reporting. Interestingly, this approach has shown to be successful in a small and medium-sized organization because of the strength of the community as employees are encouraged to share suspicious communications quickly, which can significantly enhance phishing resilience (Burda et al., 2023). For example, it can reduce the cost of advanced security plans by utilizing the human firewall system in detecting and preventing phishing attacks (Shin et al., 2023). Althobaiti, Jenkins & Vaniea (2021) conducted a case study on the phishing response procedures to understand how phishing reports are handled in a UK-based university and found that the number of reports can be unmanageable even though the percentage of reports is low compared to the size of the organization; therefore, Althobaiti et al. (2023) proposed a clustering approach that aims to group similar emails into campaigns for the IT teams to deal with them.

Learning from previous attacks.

Current attacks were examined by several studies to help organizations learn from incidents to prevent future events.

Oest et al. (2018) explored the anti-phishing ecosystem through phishing kit analysis, seeking insights into countering evolving social engineering techniques employed by cybercriminals. Additionally, profiling phishing emails based on attack groups has assisted organizations in understanding attack motives and devising effective countermeasures (Lee et al., 2021a). Using clustering techniques, Vargas et al. (2016) investigated the registered attack on a financial US institution by grouping phishing websites based on their similarities to distinguish attacker groups. Their findings can be utilized to update the anti-phishing filters to prevent such tactics. Other studies examined the human factors that are exploited by attackers, such as the use of targeted phishing that increases the success rates in penetrating organizational defenses, as seen in Swedish organizations (Holm et al., 2014), a telecommunication organization (Abdullah & Mohd, 2019), a university, and a large international consultancy company (Burda et al., 2020). This was also observed by Kotson & Schulz (2015) who found that phishers send unique curriculum vitae (CV) attachments based on the target victims’ profiles. Furthermore, the way the phishing attack was delivered plays a significant role, sometimes more than the content of the message itself (Burda et al., 2020). The source of an email is one of the tactics used to deceive victims; for instance, emails spoofing an information technology (IT) department have led to a higher percentage of compromised accounts in an Emirates university (Mohebzada et al., 2012) and Swedish organizations (Holm et al., 2014). Similarly, showing professionalism in emails or phone calls that spoof banks is one of the tactics as they resemble the messages that they usually receive from their banks (Jansen & Leukfeldt, 2015). This tendency was also observed with Jordanian students who click on links from seemingly familiar sources, such as friends or relatives (Manasrah, Akour & Alsukhni, 2015). While these tactics can combat phishing attacks, frequent analysis of attack messages and delivery methods is needed, as a recent study found a significant increase in attack sophistication from 2010 to 2023. For example, email topics are shifted from security-focused to campus life topics along with a reduction in spelling errors (Morrow, 2024).

Cognitive vulnerabilities such as authority, liking, scarcity, consistency, social proof, and reciprocity were also exploited by phishers (Taib et al., 2019; De Bona & Paci, 2020; Williams, Hinds & Joinson, 2018). However, these strategies do not always guarantee success as a phishing simulation in a multinational financial organization showed that while some users fell for authority-based lures, scarcity was perceived as the least credible tactic (Taib et al., 2019). Social proof is also a powerful tool, as people are more likely to trust a source that appears to be trusted by others (Taib et al., 2019). Social distance can also be exploited as the more individuals perceive similarity with the sender, the higher the trust and the greater the risk of data compromise (Martin, Lee & Parmar, 2021). Van Der Heijden & Allodi (2019) analyzed cognitive vulnerabilities in phishing attacks to prioritize remediation efforts based on vulnerability triggers, to predict users’ behavior and effectively mitigate the impact of phishing campaigns whereas Abroshan et al. (2021) presented a phishing mitigation solution leveraging human behavior and emotional cues to identify high-risk users and apply appropriate mitigation strategies. This system evolves to provide tailored protection, enabling organizations to effectively safeguard vulnerable users.

Attack notifications.

After a successful build of a phishing detection system, Pires & Borges (2023) developed a phishing responder model that does at least one of the following to the detected phishing attack: reporting the website via email, notification post on a Telegram channel and automatic reporting to Google SafeBrowsing. Sending warning emails about ongoing attacks can have limited effect as a preventive measure. For example, despite receiving warning emails from the IT department, some individuals still fell victim to phishing attacks, as noted by Mohebzada et al. (2012) and Holm et al. (2014). Similarly, management messaging does not appear to directly influence outcomes, as warning messages have not been observed to reduce the number of clicks in phishing simulations (McElwee, Murphy & Shelton, 2018). These findings suggest that alternative or supplementary strategies may be necessary to prevent phishing attacks and mitigate their impact on organizations effectively.

These diverse approaches underscore the multifaceted nature of responding to phishing attacks, highlighting the importance of integrating technological innovations with insights from human behavior and cognitive psychology to develop comprehensive anti-phishing strategies.