Phishing: A qualitative study of users' e-mail classification process, and how it is influenced by the subjective knowledge

University essay from Blekinge Tekniska Högskola/Institutionen för datavetenskap

Abstract:

Background. E-mail phishing is a type of social engineering where the threat actor sends e-mails with the intention to, for example, gain sensitive information or gain access to sensitive assets. Anyone can be a target of a phishing attempt, and any user of a digital environment should be aware of which factors to be attentive to in an e-mail.

Objectives. This thesis intends to study users' practical ability to identify phishing e-mails and what factors they look for when performing the classification. The intention is also to investigate whether subjective knowledge impacts practical ability.

Methods. A user study was conducted where the participants were to classify e-mails from an inbox as either phishing or legitimate. During the observation, the participants thought out loud so that the authors of this thesis could hear their approach and which factors they noticed. A questionnaire was also conducted to capture the participants' knowledge, previous experience, and confidence in their classifications.

Results. The results show that the majority of the participants did not know what factors to look for, nor how to inspect them, to make a justified classification of an e-mail. Most participants made the classifications based on their gut feelings. Those participants who had any theoretical knowledge showed more confidence and identified more phishing attempts.

Conclusions. This thesis concluded that the participants lacked the required knowledge to identify phishing attempts. Further, it concludes that subjective knowledge leads to high confidence, which helps users make the correct classification. Therefore, this topic needs further attention to raise awareness, and education needs to be conducted.
