Where the User Does Look When Reading Phishing Mails - An Eye-Tracking Study

To detect phishing mails, various strategies based on a reliable cryptography-based security framework exist. Nevertheless, the user themselves still provide a greater opportunity for phishing attacks. Therefore, it is crucial to understand how the user deals with phishing mails when confronted with them. This study limits itself to visual stimuli of phishing mails and therefore uses an eye-tracking procedure to determine the gaze behavior. Twenty-one different mails were used for this experiment, of which fourteen were phishing mails. The task of the users was to decide whether it was a phishing mail or a real mail. For the evaluation, the individual mails were provided with Areas of Interest (AOIs). This is similar to the usual components of a mail that would be attachment, body, footer, header and signature. Thereafter, three artificial groups were formed. There was one group with a low score of correct answers, one with a middle score and one with a high score. These three groups were then compared and showed differences in processing time. This led to the assumption that knowledge and time are two important factors in recognizing phishing mails.