Where the User Does Look When Reading Phishing Mails – An Eye-Tracking Study

  • Kevin Pfeffel
  • Philipp Ulsamer
  • Nicholas H. Müller
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11590)


Various strategies for detecting phishing mails exist, built on a reliable cryptography-based security framework. Nevertheless, the users themselves still offer the greater opportunity for phishing attacks. It is therefore crucial to understand how users deal with phishing mails when confronted with them. This study limits itself to the visual stimuli of phishing mails and therefore uses an eye-tracking procedure to record gaze behavior. Twenty-one different mails were used for the experiment, fourteen of which were phishing mails. The participants' task was to decide whether each mail was a phishing mail or a genuine mail. For the evaluation, each mail was divided into Areas of Interest (AOIs) corresponding to the usual components of a mail: attachment, body, footer, header and signature. Thereafter, three artificial groups were formed: one with a low score of correct answers, one with a middle score and one with a high score. These three groups were then compared and showed differences in processing time. This led to the assumption that knowledge and time are two important factors in recognizing phishing mails.
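As an added illustration of the evaluation described above (not code from the study), the following Python script assumes a constructed fixation log keyed to the five AOIs, computes each participant's score and mean processing time per mail, and splits participants into low, middle and high score groups so their processing times can be compared. Participant and mail identifiers and the dwell values are constructed.

```python
from collections import defaultdict
from statistics import mean
# Areas of Interest (AOIs) from the study: the usual components of a mail.
AOIS = ("attachment", "body", "footer", "header", "signature")
# Constructed sample (not the study's data): fixations as
# (participant, mail_id, aoi, dwell_ms); ground truth; participants' answers.
FIXATIONS = [
    ("p1", "m1", "header", 900), ("p1", "m1", "body", 2100),
    ("p1", "m2", "body", 1500), ("p1", "m2", "footer", 300),
    ("p2", "m1", "body", 800), ("p2", "m2", "body", 700),
    ("p3", "m1", "header", 1200), ("p3", "m1", "body", 1800),
    ("p3", "m2", "header", 700), ("p3", "m2", "attachment", 500),
]
IS_PHISHING = {"m1": True, "m2": False}
ANSWERS = {"p1": {"m1": True, "m2": False},   # 2 correct
           "p2": {"m1": False, "m2": True},   # 0 correct
           "p3": {"m1": True, "m2": False}}   # 2 correct

def dwell_per_mail(fixations):
    """Total dwell time (ms) per (participant, mail), broken down by AOI."""
    totals = defaultdict(lambda: defaultdict(int))
    for participant, mail, aoi, ms in fixations:
        if aoi not in AOIS:
            raise ValueError(f"fixation outside the defined AOIs: {aoi!r}")
        totals[(participant, mail)][aoi] += ms
    return totals

def processing_time(fixations):
    """Mean time a participant spent per mail (ms), summed over all AOIs."""
    by_participant = defaultdict(list)
    for (participant, _), aois in dwell_per_mail(fixations).items():
        by_participant[participant].append(sum(aois.values()))
    return {p: mean(ms) for p, ms in by_participant.items()}

def scores(answers, truth):
    """Number of correct phishing/genuine decisions per participant."""
    return {p: sum(a[m] == truth[m] for m in a) for p, a in answers.items()}

def score_groups(score):
    """Rank participants by score and split into low, middle and high thirds."""
    ranked = sorted(score, key=score.get)
    k = max(len(ranked) // 3, 1)
    return {"low": ranked[:k], "middle": ranked[k:-k], "high": ranked[-k:]}

def group_processing_time(groups, times):
    """Mean processing time (ms) per score group, for comparison across groups."""
    return {g: mean(times[p] for p in ps) for g, ps in groups.items() if ps}
```

The direction of the difference between groups is a property of the data, not of the script; the constructed sample does not reproduce the study's result.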


Keywords: Phishing, Awareness, Security, Eye-tracking, Human factors



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Kevin Pfeffel (1)
  • Philipp Ulsamer (1)
  • Nicholas H. Müller (1)
  1. University of Applied Sciences Würzburg-Schweinfurt, Würzburg, Germany
