{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,2]],"date-time":"2026-06-02T18:30:46Z","timestamp":1780425046546,"version":"3.54.1"},"reference-count":73,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2023,5,2]],"date-time":"2023-05-02T00:00:00Z","timestamp":1682985600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2023,5,19]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>Distinguishing phishing emails from legitimate emails continues to be a difficult task for most individuals. This study aims to investigate the psycholinguistic factors associated with deception in phishing email text and their effect on end-user ability to discriminate phishing emails from legitimate emails.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>Email messages and end-user decisions collected from a laboratory phishing study were validated and analyzed using natural language processing methods (Linguistic Inquiry Word Count) and penalized regression models (LASSO and Elastic Net) to determine the linguistic dimensions that attackers may use in phishing emails to deceive end-users and measure the impact of such choices on end-user susceptibility to phishing.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>We found that most participants, who played the role of a phisher in the study, chose to deceive their end-user targets by pretending to be a familiar individual and presenting time pressure or deadlines. Results show that use of words conveying certainty (e.g. always, never) and work-related features in the phishing messages predicted higher end-user vulnerability. On the contrary, use of words that convey achievement (e.g. earn, win) or reward (cash, money) in the phishing messages predicted lower end-user vulnerability because such features are usually observed in scam-like messages.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title><jats:p>Insights from this research show that analyzing emails for psycholinguistic features associated with computer-mediated deception could be used to fine-tune and improve spam and phishing detection technologies. This research also informs the kinds of phishing attacks that must be prioritized in antiphishing training programs.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>Applying natural language processing and statistical modeling methods to analyze results from a laboratory phishing experiment to understand deception from both attacker and end-user is novel. Furthermore, results from this work advance our understanding of the linguistic factors associated with deception in phishing email text and its impact on end-user susceptibility.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-11-2021-0185","type":"journal-article","created":{"date-parts":[[2023,5,2]],"date-time":"2023-05-02T09:59:34Z","timestamp":1683021574000},"page":"199-220","source":"Crossref","is-referenced-by-count":12,"title":["Determining psycholinguistic features of deception in phishing messages"],"prefix":"10.1108","volume":"31","author":[{"given":"Tianhao","family":"Xu","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Prashanth","family":"Rajivan","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"140","published-online":{"date-parts":[[2023,5,2]]},"reference":[{"key":"key2023051713121121900_ref001","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1016\/j.ijhcs.2015.05.005","article-title":"Why phishing still works: user strategies for combating phishing attacks","volume":"82","year":"2015","journal-title":"International Journal of Human-Computer Studies"},{"key":"key2023051713121121900_ref002","article-title":"Phishing activity trends report 2021 q1","author":"APWG","year":"2021"},{"key":"key2023051713121121900_ref003","article-title":"Phishing activity trends report 2021 q2","author":"APWG","year":"2021"},{"key":"key2023051713121121900_ref004","first-page":"1027","article-title":"k-means++: the advantages of careful seeding","volume-title":"Proceedings of the eighteenth annual ACM-SIAM symposium on discrete algorithms","year":"2006"},{"issue":"1","key":"key2023051713121121900_ref005","first-page":"63","article-title":"Response to a phishing attack: persuasion and protection motivation in an organizational context","volume":"30","year":"2021","journal-title":"Information and Computer Security"},{"issue":"3","key":"key2023051713121121900_ref006","doi-asserted-by":"crossref","first-page":"214","DOI":"10.1207\/s15327957pspr1003_2","article-title":"Accuracy of deception judgments","volume":"10","year":"2006","journal-title":"Personality and Social Psychology Review"},{"key":"key2023051713121121900_ref007","doi-asserted-by":"crossref","first-page":"785","DOI":"10.1145\/2939672.2939785","article-title":"Xgboost: a scalable tree boosting system","volume-title":"Proceedings of the 22nd acm sigkdd International Conference on Knowledge Discovery and Data Mining","year":"2016"},{"key":"key2023051713121121900_ref008","volume-title":"Influence: Science and Practice","year":"2009"},{"key":"key2023051713121121900_ref009","article-title":"Spam corpus creation for trec","year":"2005"},{"issue":"1","key":"key2023051713121121900_ref010","first-page":"671","article-title":"Sok: a comprehensive reexamination of phishing research from the security perspective","volume":"22","year":"2019","journal-title":"IEEE Communications Surveys and Tutorials"},{"issue":"1","key":"key2023051713121121900_ref011","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1108\/ICS-12-2020-0204","article-title":"Evaluating user susceptibility to phishing attacks","volume":"30","year":"2022","journal-title":"Information and Computer Security"},{"issue":"5","key":"key2023051713121121900_ref012","doi-asserted-by":"crossref","first-page":"979","DOI":"10.1037\/0022-3514.70.5.979","article-title":"Lying in everyday life","volume":"70","year":"1996","journal-title":"Journal of Personality and Social Psychology"},{"issue":"1","key":"key2023051713121121900_ref013","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1037\/0033-2909.129.1.74","article-title":"Cues to deception","volume":"129","year":"2003","journal-title":"Psychological Bulletin"},{"key":"key2023051713121121900_ref014","first-page":"581","article-title":"Why phishing works","volume-title":"Proceedings of the SIGCHI, Conference on Human Factors in Computing Systems, ACM","year":"2006"},{"key":"key2023051713121121900_ref015","doi-asserted-by":"crossref","first-page":"1065","DOI":"10.1145\/1357054.1357219","article-title":"You\u2019ve been warned: an empirical study of the effectiveness of web browser phishing warnings","volume-title":"Proceedings of the SIGCHI Conference on Human Factors in Computing Systems","year":"2008"},{"key":"key2023051713121121900_ref016","volume-title":"Telling Lies: Clues to Deceit in the Marketplace, Politics, and Marriage","year":"2009"},{"issue":"9","key":"key2023051713121121900_ref017","doi-asserted-by":"crossref","first-page":"913","DOI":"10.1037\/0003-066X.46.9.913","article-title":"Who can catch a liar?","volume":"46","year":"1991","journal-title":"American Psychologist"},{"key":"key2023051713121121900_ref018","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1016\/j.ijhcs.2018.12.004","article-title":"Persuasion: how phishing emails can influence users and bypass security measures","volume":"125","year":"2019","journal-title":"International Journal of Human-Computer Studies"},{"key":"key2023051713121121900_ref019","first-page":"36","article-title":"Principles of persuasion in social engineering and their use in phishing","volume-title":"International Conference on Human Aspects of Information Security, Privacy, and Trust","year":"2015"},{"key":"key2023051713121121900_ref020","volume-title":"The Belmont Report: ethical Principles and Guidelines for the Protection of Human Subjects of Research","author":"for the Protection of Human Subjects of Biomedical, U.S.N.C. and Research, B","year":"1978"},{"key":"key2023051713121121900_ref021","doi-asserted-by":"crossref","first-page":"101862","DOI":"10.1016\/j.cose.2020.101862","article-title":"Susceptibility to phishing on social network sites: a personality information processing model","volume":"94","year":"2020","journal-title":"Computers and Security"},{"key":"key2023051713121121900_ref022","first-page":"256","article-title":"Deception research today","volume":"5","year":"2014","journal-title":"Frontiers in Psychology"},{"issue":"7","key":"key2023051713121121900_ref023","doi-asserted-by":"crossref","first-page":"10206","DOI":"10.1016\/j.eswa.2009.02.037","article-title":"A review of machine learning approaches to spam filtering","volume":"36","year":"2009","journal-title":"Expert Systems with Applications"},{"key":"key2023051713121121900_ref024","doi-asserted-by":"crossref","first-page":"449","DOI":"10.1145\/1240624.1240697","article-title":"The truth about lying in online dating profiles","volume-title":"Proceedings of the SIGCHI, Conference on Human factors in computing systems","year":"2007"},{"issue":"2","key":"key2023051713121121900_ref025","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1108\/OIR-04-2015-0106","article-title":"Individual processing of phishing emails: how attention and elaboration protect against phishing","volume":"40","year":"2016","journal-title":"Online Information Review"},{"key":"key2023051713121121900_ref026","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1016\/j.chb.2018.09.008","article-title":"Context in a bottle: language-action cues in spontaneous computer-mediated deception","volume":"91","year":"2019","journal-title":"Computers in Human Behavior"},{"key":"key2023051713121121900_ref027","article-title":"Computer-mediated deception: collective language-action cues as stigmergic signals for computational intelligence","volume-title":"Proceedings of the 51st HI International Conference on System Sciences","year":"2018"},{"key":"key2023051713121121900_ref028","first-page":"1273","article-title":"Detecting and characterizing lateral phishing at scale","volume-title":"28th {USENIX} Security Symposium ({USENIX} Security 19)","year":"2019"},{"issue":"2","key":"key2023051713121121900_ref029","doi-asserted-by":"crossref","first-page":"393","DOI":"10.1080\/07421222.2016.1205924","article-title":"Computer-mediated deception: strategies revealed by language-action cues in spontaneous communication","volume":"33","year":"2016","journal-title":"Journal of Management Information Systems"},{"key":"key2023051713121121900_ref030","first-page":"3706","article-title":"Real or spiel? a decision tree approach for automated detection of deceptive language-action cues","volume-title":"2016 49th HI International Conference on System Sciences (HICSS)","year":"2016"},{"issue":"1","key":"key2023051713121121900_ref031","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1145\/2063176.2063197","article-title":"The state of phishing attacks","volume":"55","year":"2012","journal-title":"Communications of the ACM"},{"issue":"1","key":"key2023051713121121900_ref032","doi-asserted-by":"crossref","first-page":"e16775","DOI":"10.2196\/16775","article-title":"Why employees (still) click on phishing links: investigation in hospitals","volume":"22","year":"2020","journal-title":"Journal of Medical Internet Research"},{"key":"key2023051713121121900_ref033","doi-asserted-by":"crossref","first-page":"466","DOI":"10.3389\/fpsyg.2018.00466","article-title":"Statistical models for predicting threat detection from human behavior","volume":"9","year":"2018","journal-title":"Frontiers in Psychology"},{"issue":"6","key":"key2023051713121121900_ref034","doi-asserted-by":"crossref","first-page":"835","DOI":"10.1108\/OIR-03-2012-0037","article-title":"Understanding persuasive elements in phishing e-mails: a categorical content and semantic network analysis","volume":"37","year":"2013","journal-title":"Online Information Review"},{"issue":"3","key":"key2023051713121121900_ref035","doi-asserted-by":"crossref","first-page":"354","DOI":"10.1002\/acp.3407","article-title":"Automated verbal credibility assessment of intentions: the model statement technique and predictive modeling","volume":"32","year":"2018","journal-title":"Applied Cognitive Psychology"},{"key":"key2023051713121121900_ref036","first-page":"308","article-title":"Characterizing phishing threats with natural language processing","volume-title":"2015 IEEE Conference on Communications and Network Security (CNS), IEEE","year":"2015"},{"key":"key2023051713121121900_ref037","first-page":"28","article-title":"Social engineering attacks on the knowledge worker","volume-title":"Proceedings of the 6th International Conference on Security of Information and Networks\u2019","year":"2013"},{"key":"key2023051713121121900_ref038","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1016\/j.jisa.2014.09.005","article-title":"Advanced social engineering attacks","volume":"22","year":"2015","journal-title":"Journal of Information Security and Applications"},{"key":"key2023051713121121900_ref039","first-page":"1941","article-title":"Linguistic cues to deception and perceived deception in interview dialogues","volume-title":"Proceedings of the 2018 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Volume 1 (Long Papers)","year":"2018"},{"issue":"3","key":"key2023051713121121900_ref040","first-page":"18","article-title":"Classification and regression by random forest","volume":"2","year":"2002","journal-title":"R News"},{"issue":"5","key":"key2023051713121121900_ref041","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3336141","article-title":"Susceptibility to spear-phishing emails: effects of internet user demographics and email content","volume":"26","year":"2019","journal-title":"ACM Transactions on Computer-Human Interaction (TOCHI)"},{"key":"key2023051713121121900_ref042","article-title":"A text-based deception detection model for cybercrime","volume-title":"International Conference on Technology","year":"2016"},{"key":"key2023051713121121900_ref043","unstructured":"Nazario, J. (2016), \u201cPhishing corpus\u201d, available at: https:\/\/monkey.org\/\u223cjose\/phishing\/"},{"issue":"5","key":"key2023051713121121900_ref044","doi-asserted-by":"crossref","first-page":"665","DOI":"10.1177\/0146167203029005010","article-title":"Lying words: predicting deception from linguistic styles","volume":"29","year":"2003","journal-title":"Personality and Social Psychology Bulletin"},{"key":"key2023051713121121900_ref045","first-page":"1","article-title":"Inside a phisher\u2019s mind: understanding the anti-phishing ecosystem through phishing kit analysis","volume-title":"2018 APWG Symposium on Electronic Crime Research (eCrime), IEEE","year":"2018"},{"key":"key2023051713121121900_ref046","article-title":"Sunrise to sunset: analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale","volume-title":"29th {USENIX} Security Symposium ({USENIX} Security 20)","year":"2020"},{"key":"key2023051713121121900_ref047","unstructured":"Ott, M., Choi, Y., Cardie, C. and Hancock, J.T. (2011), \u201cFinding deceptive opinion spam by any stretch of the imagination\u201d, arXiv preprint arXiv:1107.4557."},{"key":"key2023051713121121900_ref048","unstructured":"Park, G. and Taylor, J.M. (2015), \u201cUsing syntactic features for phishing detection\u201d, arXiv preprint arXiv:1506.00037."},{"key":"key2023051713121121900_ref049","doi-asserted-by":"crossref","first-page":"17","DOI":"10.1016\/j.ijhcs.2019.02.007","article-title":"Predicting susceptibility to social influence in phishing emails","volume":"128","year":"2019","journal-title":"International Journal of Human-Computer Studies"},{"key":"key2023051713121121900_ref050","doi-asserted-by":"crossref","first-page":"194","DOI":"10.1016\/j.cose.2015.02.008","article-title":"The design of phishing studies: challenges for researchers","volume":"52","year":"2015","journal-title":"Computers and Security"},{"key":"key2023051713121121900_ref051","article-title":"The development and psychometric properties of liwc2015","year":"2015"},{"key":"key2023051713121121900_ref052","doi-asserted-by":"crossref","first-page":"1532","DOI":"10.3115\/v1\/D14-1162","article-title":"Glove: global vectors for word representation","volume-title":"Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP)","year":"2014"},{"key":"key2023051713121121900_ref053","doi-asserted-by":"crossref","first-page":"135","DOI":"10.3389\/fpsyg.2018.00135","article-title":"Creative persuasion: a study on adversarial behaviors and strategies in phishing attacks","volume":"9","year":"2018","journal-title":"Frontiers in Psychology"},{"key":"key2023051713121121900_ref054","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1016\/j.procs.2021.05.077","article-title":"Phishing email detection using natural language processing techniques: a literature survey","volume":"189","year":"2021","journal-title":"Procedia Computer Science"},{"issue":"5","key":"key2023051713121121900_ref055","doi-asserted-by":"crossref","first-page":"597","DOI":"10.1177\/0018720818780472","article-title":"Hacking the human: the prevalence paradox in cybersecurity","volume":"60","year":"2018","journal-title":"Human Factors: The Journal of the Human Factors and Ergonomics Society"},{"issue":"1","key":"key2023051713121121900_ref056","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1111\/j.1468-2958.2009.01366.x","article-title":"The prevalence of lying in America: three studies of self-reported lies","volume":"36","year":"2010","journal-title":"Human Communication Research"},{"key":"key2023051713121121900_ref057","doi-asserted-by":"crossref","first-page":"88","DOI":"10.1145\/1280680.1280692","article-title":"Anti-phishing phil: the design and evaluation of a game that teaches people not to fall for phish","volume-title":"Proceedings of the 3rd symposium on Usable privacy and security","year":"2007"},{"key":"key2023051713121121900_ref058","first-page":"447","article-title":"Anti-phishing detection of phishing attacks using genetic algorithm","volume-title":"2010 International Conference on Communication Control and Computing Technologies\u2019","year":"2010"},{"key":"key2023051713121121900_ref059","first-page":"564","article-title":"Social engineering and organisational dependencies in phishing attacks","volume-title":"IFIP Conference on Human-Computer Interaction","year":"2019"},{"issue":"1","key":"key2023051713121121900_ref060","doi-asserted-by":"crossref","first-page":"24","DOI":"10.1177\/0261927X09351676","article-title":"The psychological meaning of words: Liwc and computerized text analysis methods","volume":"29","year":"2010","journal-title":"Journal of Language and Social Psychology"},{"issue":"1","key":"key2023051713121121900_ref061","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1111\/j.2517-6161.1996.tb02080.x","article-title":"Regression shrinkage and selection via the lasso","volume":"58","year":"1996","journal-title":"Journal of the Royal Statistical Society: Series B (Methodological)"},{"key":"key2023051713121121900_ref062","first-page":"824","article-title":"Detecting phishing emails the natural language way","volume-title":"European Symposium on Research in Computer Security","year":"2012"},{"issue":"8","key":"key2023051713121121900_ref063","doi-asserted-by":"crossref","first-page":"1146","DOI":"10.1177\/0093650215627483","article-title":"Suspicion, cognition, and automaticity model of phishing susceptibility","volume":"45","year":"2018","journal-title":"Communication Research"},{"issue":"3","key":"key2023051713121121900_ref064","doi-asserted-by":"crossref","first-page":"576","DOI":"10.1016\/j.dss.2011.03.002","article-title":"Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model","volume":"51","year":"2011","journal-title":"Decision Support Systems"},{"issue":"1","key":"key2023051713121121900_ref065","doi-asserted-by":"crossref","first-page":"295","DOI":"10.1146\/annurev-psych-010418-103135","article-title":"Reading lies: nonverbal communication and deception","volume":"70","year":"2019","journal-title":"Annual Review of Psychology"},{"issue":"5","key":"key2023051713121121900_ref066","doi-asserted-by":"crossref","first-page":"499","DOI":"10.1007\/s10979-006-9066-4","article-title":"Cues to deception and ability to detect lies as a function of police interview styles","volume":"31","year":"2007","journal-title":"Law and Human Behavior"},{"issue":"4","key":"key2023051713121121900_ref067","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1109\/TPC.2012.2208392","article-title":"Research article phishing susceptibility: an investigation into the processing of a targeted spear phishing email","volume":"55","year":"2012","journal-title":"IEEE Transactions on Professional Communication"},{"issue":"CSCW2","key":"key2023051713121121900_ref068","first-page":"1","article-title":"How experts detect phishing scam emails","volume":"4","year":"2020","journal-title":"Proceedings of the ACM on Human-Computer Interaction"},{"key":"key2023051713121121900_ref069","first-page":"601","article-title":"Do security toolbars actually prevent phishing attacks?","volume-title":"Proceedings of the SIGCHI Conference on Human Factors in Computing Systems\u2019","year":"2006"},{"key":"key2023051713121121900_ref070","first-page":"3669","article-title":"Detecting phishing websites and targets based on urls and webpage links","volume-title":"2018 24th International Conference on Pattern Recognition (ICPR), IEEE","year":"2018"},{"issue":"4","key":"key2023051713121121900_ref071","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1080\/07421222.2004.11045779","article-title":"A comparison of classification methods for predicting deception in computer-mediated communication","volume":"20","year":"2004","journal-title":"Journal of Management Information Systems"},{"issue":"2","key":"key2023051713121121900_ref072","doi-asserted-by":"crossref","first-page":"301","DOI":"10.1111\/j.1467-9868.2005.00503.x","article-title":"Regularization and variable selection via the elastic net","volume":"67","year":"2005","journal-title":"Journal of the Royal Statistical Society: series B (Statistical Methodology)"},{"key":"key2023051713121121900_ref073","first-page":"1","article-title":"Phishing detection approaches","volume-title":"2019 2nd International Conference on New Trends in Computing Sciences (ICTCS), IEEE","year":"2019"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2021-0185\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2021-0185\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:21Z","timestamp":1753406601000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/31\/2\/199-220\/113721"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5,2]]},"references-count":73,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2023,5,2]]},"published-print":{"date-parts":[[2023,5,19]]}},"alternative-id":["10.1108\/ICS-11-2021-0185"],"URL":"https:\/\/doi.org\/10.1108\/ics-11-2021-0185","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,5,2]]}}}