{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,7]],"date-time":"2026-01-07T06:00:40Z","timestamp":1767765640042,"version":"3.48.0"},"reference-count":60,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2026,1,4]],"date-time":"2026-01-04T00:00:00Z","timestamp":1767484800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Phishing websites continue to evolve in sophistication, making them increasingly difficult to distinguish from legitimate platforms and challenging the effectiveness of current detection systems. In this study, we investigate the role of subtle deceptive behavioral cues such as mouse-over effects, pop-up triggers, right-click restrictions, and hidden iframes in enhancing phishing detection beyond traditional structural and domain-based indicators. We propose a hierarchical hybrid detection framework that integrates dimensionality reduction through Principal Component Analysis (PCA), phishing campaign profiling using K Means clustering, and a stacked ensemble classifier for final prediction. Using a public phishing dataset, we evaluate multiple feature configurations to quantify the added value of behavioral indicators. The results demonstrate that behavioral indicators, while weak predictors in isolation, significantly improve performance when combined with conventional features, achieving a macro F1 score of 97 percent. Explainable AI analysis using SHAP confirms the contribution of specific behavioral characteristics to model decisions and reveals interpretable patterns in attacker manipulation strategies. This study shows that behavioral interactions leave measurable forensic signatures and provides evidence that combining structural, domain, and behavioral features offers a more comprehensive and reliable approach to phishing intrusion detection.<\/jats:p>","DOI":"10.3390\/fi18010030","type":"journal-article","created":{"date-parts":[[2026,1,5]],"date-time":"2026-01-05T10:53:50Z","timestamp":1767610430000},"page":"30","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Synergistic Phishing Intrusion Detection: Integrating Behavioral and Structural Indicators with Hybrid Ensembles and XAI Validation"],"prefix":"10.3390","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9257-4295","authenticated-orcid":false,"given":"Isaac Kofi","family":"Nti","sequence":"first","affiliation":[{"name":"School of Information Technology, University of Cincinnati, Cincinnati, OH 45221, USA"},{"name":"Information Technology and Analytics Center (ITAC), School of Information Technology, University of Cincinnati, Cincinnati, OH 45221, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2518-3398","authenticated-orcid":false,"given":"Murat","family":"Ozer","sequence":"additional","affiliation":[{"name":"School of Information Technology, University of Cincinnati, Cincinnati, OH 45221, USA"},{"name":"Information Technology and Analytics Center (ITAC), School of Information Technology, University of Cincinnati, Cincinnati, OH 45221, USA"}]},{"given":"Chengcheng","family":"Li","sequence":"additional","affiliation":[{"name":"School of Information Technology, University of Cincinnati, Cincinnati, OH 45221, USA"}]}],"member":"1968","published-online":{"date-parts":[[2026,1,4]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"607","DOI":"10.48175\/IJARSCT-17681","article-title":"Artificial Intelligence in Cybersecurity","volume":"4","author":"Gautam","year":"2024","journal-title":"Int. J. Adv. Res. Sci. Commun. Technol."},{"key":"ref_2","unstructured":"Anti-Phishing Working Group (APWG) (2025, June 12). Phishing Activity Trends Report, Q1 2023. Available online: https:\/\/apwg.org."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"672","DOI":"10.3390\/make3030034","article-title":"A Survey of Machine Learning-Based Solutions for Phishing Website Detection","volume":"3","author":"Tang","year":"2021","journal-title":"Mach. Learn. Knowl. Extr."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Taha, A. (2021). Intelligent ensemble learning approach for phishing website detection based on weighted soft voting. Mathematics, 9.","DOI":"10.3390\/math9212799"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"5948","DOI":"10.1016\/j.eswa.2014.03.019","article-title":"Phishing detection based Associative Classification data mining","volume":"41","author":"Abdelhamid","year":"2014","journal-title":"Expert Syst. Appl."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Salem, A.H., Azzam, S.M., Emam, O.E., and Abohany, A.A. (2024). Advancing Cybersecurity: A Comprehensive Review of AI-Driven Detection Techniques, Springer International Publishing.","DOI":"10.1186\/s40537-024-00957-y"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"45","DOI":"10.1186\/s42400-024-00237-5","article-title":"Phishing behavior detection on different blockchains via adversarial domain adaptation","volume":"7","author":"Yan","year":"2024","journal-title":"Cybersecurity"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Alhuzali, A., Alloqmani, A., Aljabri, M., and Alharbi, F. (2025). In-Depth Analysis of Phishing Email Detection: Evaluating the Performance of Machine Learning and Deep Learning Models Across Multiple Datasets. Appl. Sci., 15.","DOI":"10.3390\/app15063396"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1016\/j.eswa.2018.09.029","article-title":"Machine learning based phishing detection from URLs","volume":"117","author":"Sahingoz","year":"2019","journal-title":"Expert Syst. Appl."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"13","DOI":"10.18488\/76.v9i1.2983","article-title":"Machine Learning and Deep Learning Based Phishing Websites Detection: The Current Gaps And Next Directions","volume":"9","author":"Adane","year":"2022","journal-title":"Rev. Comput. Eng. Res."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"18499","DOI":"10.1109\/ACCESS.2023.3247135","article-title":"Phishing or Not Phishing? A Survey on the Detection of Phishing Websites","volume":"11","author":"Zieni","year":"2023","journal-title":"IEEE Access"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1007\/s10462-024-11055-z","article-title":"Staying ahead of phishers: A review of recent advances and emerging methodologies in phishing detection","volume":"58","author":"Kavya","year":"2024","journal-title":"Artif. Intell. Rev."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"275","DOI":"10.52866\/ijcsm.2024.05.03.015","article-title":"A Machine Learning Algorithms for Detecting Phishing Websites: A Comparative Study","volume":"5","author":"Taha","year":"2024","journal-title":"Iraqi J. Comput. Sci. Math."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"203","DOI":"10.1111\/j.1468-2885.1996.tb00127.x","article-title":"Interpersonal Deception Theory","volume":"6","author":"Buller","year":"1996","journal-title":"Commun. Theory"},{"key":"ref_15","unstructured":"Fogg, B.J. (2023, January 5\u201310). Prominence-Interpretation theory: Explaining how people assess credibility online. Proceedings of the Human Factors in Computing Systems, Ft. Lauderdale, FL, USA."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Fogg, B.J., Soohoo, C., Danielson, D.R., Marable, L., Stanford, J., and Tauber, E.R. (2003, January 6\u20137). How do users evaluate the credibility of Web sites?: A study with over 2500 participants. Proceedings of the 2003 Conference on Designing for User Experiences DUX\u201903, San Francisco, CA, USA.","DOI":"10.1145\/997078.997097"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"187976","DOI":"10.1109\/ACCESS.2024.3514972","article-title":"A State-of-the-Art Review on Phishing Website Detection Techniques","volume":"12","author":"Li","year":"2024","journal-title":"IEEE Access"},{"key":"ref_18","unstructured":"Hossain, A., Khin, L., and Wison, G. (2025, June 10). An Intelligent Phishing Detection and Protection Scheme Using a Fusion of Images, Frames and Text. Available online: https:\/\/www.researchgate.net\/publication\/353482275_An_Intelligent_Phishing_Detection_and_Protection_Scheme_using_a_fusion_of_Images_Frames_and_Text."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"2015","DOI":"10.1007\/s12652-018-0798-z","article-title":"A machine learning based approach for phishing detection using hyperlinks information","volume":"10","author":"Jain","year":"2018","journal-title":"J. Ambient. Intell. Humaniz. Comput."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"590","DOI":"10.1016\/j.jksuci.2023.01.004","article-title":"A systematic literature review on phishing website detection techniques","volume":"35","author":"Safi","year":"2023","journal-title":"J. King Saud Univ. Comput. Inf. Sci."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1016\/j.future.2018.11.004","article-title":"A stacking model using URL and HTML features for phishing webpage detection","volume":"94","author":"Li","year":"2019","journal-title":"Futur. Gener. Comput. Syst."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"36805","DOI":"10.1109\/ACCESS.2023.3252366","article-title":"Phishing Detection System Through Hybrid Machine Learning Based on URL","volume":"11","author":"Karim","year":"2023","journal-title":"IEEE Access"},{"key":"ref_23","first-page":"1","article-title":"Combining Lexical, Host, and Content-based features for Phishing Websites detection using Machine Learning Models","volume":"11","author":"Hamadouche","year":"2024","journal-title":"ICST Trans. Scalable Inf. Syst."},{"key":"ref_24","unstructured":"Joshi, A., Lloyd, L., Westin, P., and Seethapathy, S. (2019). Using Lexical Features for Malicious URL Detection\u2014A Machine Learning Approach. arXiv, Available online: http:\/\/arxiv.org\/abs\/1910.06277."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Hong, J., Kim, T., Liu, J., Park, N., and Kim, S.-W. (2020). Phishing URL Detection with Lexical Features and Blacklisted Domains. Adaptive Autonomous Secure Cyber Systems, Springer International Publishing.","DOI":"10.1007\/978-3-030-33432-1_12"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Haq, Q.E.U., Faheem, M.H., and Ahmad, I. (2024). Detecting Phishing URLs Based on a Deep Learning Approach to Prevent Cyber-Attacks. Appl. Sci., 14.","DOI":"10.3390\/app142210086"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Prakash, P., Kumar, M., Kompella, R.R., and Gupta, M. (2010, January 14\u201319). PhishNet: Predictive Blacklisting to Detect Phishing Attacks. Proceedings of the 2010 Proceedings IEEE INFOCOM, San Diego, CA, USA.","DOI":"10.1109\/INFCOM.2010.5462216"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"110398","DOI":"10.1016\/j.comnet.2024.110398","article-title":"Phishing URL detection generalisation using Unsupervised Domain Adaptation","volume":"245","author":"Rashid","year":"2024","journal-title":"Comput. Netw."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Catal, C., Giray, G., Tekinerdogan, B., Kumar, S., and Shukla, S. (2022). Applications of Deep Learning for Phishing Detection: A Systematic Literature Review, Springer.","DOI":"10.1007\/s10115-022-01672-x"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Al-Sarem, M., Saeed, F., Al-Mekhlafi, Z.G., Mohammed, B.A., Al-Hadhrami, T., Alshammari, M.T., Alreshidi, A., and Alshammari, T.S. (2021). An optimized stacking ensemble model for phishing websites detection. Electronics, 10.","DOI":"10.3390\/electronics10111285"},{"key":"ref_31","first-page":"1","article-title":"Enhancing Spear Phishing Defense with AI: A Comprehensive Review and Future Directions","volume":"12","author":"Mohamed","year":"2024","journal-title":"ICST Trans. Scalable Inf. Syst."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"150","DOI":"10.1007\/s10462-025-11141-w","article-title":"An assessment framework for explainable AI with applications to cybersecurity","volume":"58","author":"Calzarossa","year":"2025","journal-title":"Artif. Intell. Rev."},{"key":"ref_33","unstructured":"Molnar, C. (2020). Interpretable Machine Learning: A Guide for Making Black Box Models Explainable, Independently Published. [2nd ed.]. Available online: https:\/\/books.google.com\/books\/about\/Interpretable_Machine_Learning.html?id=jBm3DwAAQBAJ."},{"key":"ref_34","unstructured":"Smith, G. (2025, June 10). Top Phishing Statistics for 2025: Latest Figures and Trends. Available online: https:\/\/www.stationx.net\/phishing-statistics\/."},{"key":"ref_35","unstructured":"(2025, June 10). Phishing Trends Report (Updated for 2025). Available online: https:\/\/hoxhunt.com\/guide\/phishing-trends-report?."},{"key":"ref_36","unstructured":"(2025, June 10). Must-Know Phishing Statistics for 2025. Available online: https:\/\/www.egress.com\/blog\/security-and-email-security\/must-know-phishing-statistics-for-2025?."},{"key":"ref_37","unstructured":"National University (2025, June 10). 101 Cybersecurity Statistics and Trends for 2025. Available online: https:\/\/www.nu.edu\/blog\/cybersecurity-statistics\/?."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Bhattacharya, T., Veeramalla, S., and Tanniru, V. (2023, January 24\u201327). A Survey on Retrieving Confidential Data Using Phishing Attack. Proceedings of the 2023 Congress in Computer Science, Computer Engineering, & Applied Computing (CSCE), Las Vegas, NV, USA.","DOI":"10.1109\/CSCE60160.2023.00406"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Alhashmi, S., Alneyadi, A., Alshehhi, M., and Lamaazi, H. (2023, January 19\u201323). Mobile and Web Applications Clones: A Comprehensive Study. Proceedings of the 2023 International Wireless Communications and Mobile Computing (IWCMC), Marrakesh, Morocco.","DOI":"10.1109\/IWCMC58020.2023.10182983"},{"key":"ref_40","unstructured":"Akanbi, O.A., Amiri, I.S., and Fazeldehkordi, E. (2014). A Machine-Learning Approach to Phishing Detection and Defense, Elsevier."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1007\/s11235-020-00733-2","article-title":"A comprehensive survey of AI-enabled phishing attacks detection techniques","volume":"76","author":"Basit","year":"2021","journal-title":"Telecommun. Syst."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Wang, Y., Ma, W., Xu, H., Liu, Y., and Yin, P. (2023). A Lightweight Multi-View Learning Approach for Phishing Attack Detection Using Transformer with Mixture of Experts. Appl. Sci., 13.","DOI":"10.3390\/app13137429"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Zhou, J., Cui, H., Li, X., Yang, W., and Wu, X. (2023). A Novel Phishing Website Detection Model Based on LightGBM and Domain Name Features. Symmetry, 15.","DOI":"10.3390\/sym15010180"},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"747","DOI":"10.1108\/JEIM-01-2020-0036","article-title":"Intelligent phishing detection scheme using deep learning algorithms","volume":"36","author":"Adebowale","year":"2020","journal-title":"J. Enterp. Inf. Manag."},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Dhanavanthini, P., and Chakkravarthy, S.S. (2023). Phish-Armour: Phishing detection using deep recurrent neural networks. Soft Comput.","DOI":"10.1007\/s00500-023-07962-y"},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"129686","DOI":"10.1016\/j.neucom.2025.129686","article-title":"How robust are ensemble machine learning explanations?","volume":"630","author":"Calzarossa","year":"2025","journal-title":"Neurocomputing"},{"key":"ref_47","unstructured":"Lim, B., Huerta, R., Sotelo, A., Quintela, A., and Kumar, P. (2025). EXPLICATE: Enhancing Phishing Detection through Explainable AI and LLM-Powered Interpretability. arXiv."},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"3129","DOI":"10.1016\/j.matpr.2021.07.178","article-title":"SI-BBA\u2014A novel phishing website detection based on Swarm intelligence with deep learning","volume":"80","author":"Kumar","year":"2023","journal-title":"Mater. Today Proc."},{"key":"ref_49","first-page":"471","article-title":"Detection of Phishing URLs by Using Deep Learning Approach and Multiple Features Combinations","volume":"8","author":"Rasymas","year":"2020","journal-title":"Balt. J. Mod. Comput."},{"key":"ref_50","first-page":"481","article-title":"Graph-Based phishing detection: URLGBM model driven by machine learning","volume":"46","author":"Elkouay","year":"2024","journal-title":"Int. J. Comput. Appl."},{"key":"ref_51","unstructured":"Jakob, N. (1993). Usability Engineering, Academic Press Limited."},{"key":"ref_52","doi-asserted-by":"crossref","unstructured":"Jo, J., Cho, J., and Moon, J. (2023). A malware detection and extraction method for the related information using the ViT attention mechanism on Android operating system. Appl. Sci., 13.","DOI":"10.3390\/app13116839"},{"key":"ref_53","doi-asserted-by":"crossref","unstructured":"Shaukat, M.W., Amin, R., Muslam, M.M.A., Alshehri, A.H., and Xie, J. (2023). A hybrid approach for alluring ads phishing attack detection using machine learning. Sensors, 23.","DOI":"10.3390\/s23198070"},{"key":"ref_54","doi-asserted-by":"crossref","unstructured":"Moussavou Boussougou, M.K., and Park, D.-J. (2023). Attention-based 1D CNN-BiLSTM hybrid model enhanced with FastText word embedding for Korean voice phishing detection. Mathematics, 11.","DOI":"10.3390\/math11143217"},{"key":"ref_55","doi-asserted-by":"crossref","first-page":"1556","DOI":"10.1109\/TCSS.2022.3209827","article-title":"A Scalable RF-XGBoost Framework for Financial Fraud Mitigation","volume":"11","author":"Nti","year":"2022","journal-title":"IEEE Trans. Comput. Soc. Syst."},{"key":"ref_56","doi-asserted-by":"crossref","unstructured":"Yadollahi, M.M., Shoeleh, F., Serkani, E., Madani, A., and Gharaee, H. (2019, January 24\u201325). An Adaptive Machine Learning Based Approach for Phishing Detection Using Hybrid Features. Proceedings of the 2019 5th International Conference on Web Research (ICWR), Tehran, Iran.","DOI":"10.1109\/ICWR.2019.8765265"},{"key":"ref_57","unstructured":"Green, D.M., and Swets, J.A. (1974). Signal Detection Theory and Psychophysics, Wiley & Sons, Inc."},{"key":"ref_58","doi-asserted-by":"crossref","first-page":"443","DOI":"10.1007\/s00521-013-1490-z","article-title":"Predicting phishing websites based on self-structuring neural network","volume":"25","author":"Mohammad","year":"2014","journal-title":"Neural Comput. Appl."},{"key":"ref_59","first-page":"417","article-title":"Comparative Study of Machine Learning Algorithms for Phishing Website Detection","volume":"14","author":"Omari","year":"2023","journal-title":"Int. J. Adv. Comput. Sci. Appl."},{"key":"ref_60","doi-asserted-by":"crossref","first-page":"3549","DOI":"10.1007\/s11277-021-08196-7","article-title":"Smart Phishing Detection in Web Pages Using Supervised Deep Learning Classification and Optimization Technique ADAM","volume":"118","author":"Lakshmi","year":"2021","journal-title":"Wirel. Pers. Commun."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/18\/1\/30\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,7]],"date-time":"2026-01-07T05:30:14Z","timestamp":1767763814000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/18\/1\/30"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,4]]},"references-count":60,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,1]]}},"alternative-id":["fi18010030"],"URL":"https:\/\/doi.org\/10.3390\/fi18010030","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2026,1,4]]}}}