A Survey on Student Awareness of Spoofing Attacks in Saudi Arabia

Abstract

The increasing prevalence of digital communication has made students a primary target for various cyber threats, including identity deception and impersonation techniques that can lead to data breaches and financial loss. In Saudi Arabia, where the youth population is digitally active and integrated into online learning environments, understanding their vulnerability to such threats is paramount. This paper investigates university students’ awareness, confidence, and behavioral responses to different types of spoofing attacks, including email, SMS, caller ID, and website spoofing, in Saudi Arabia. A survey was conducted to gather data from 1437 students at Saudi Electronic University, and it was analyzed using a quantitative research methodology and different statistical tests, such as Chi-square tests, Friedman tests, Kruskal–Wallis tests, correlation analysis, and regression models. The analysis results indicate that students exhibit a relatively high level of awareness. However, awareness and confidence vary across demographic groups, with significant differences associated with gender and age group. The results also reveal a significant gap between perceived confidence and detection ability in scenario-based assessments, highlighting that self-reported awareness does not necessarily translate into practical identification skills. The study emphasizes the importance of strengthening practical cybersecurity education, simulation-based training, and effective awareness delivery methods to improve students’ ability to recognize impersonation-based cyber threats in the Saudi educational sector.

1. Introduction

Today, most of our daily activities, such as communication, business, marketing, shopping, and education, rely on the Internet. Although the digital world has brought many benefits to Mankind, it has made many individuals and organizations vulnerable to cyberattacks [1]. There are a growing number of incidents and breaches that specifically target vulnerabilities in human aspects of cybersecurity. According to the Verizon Data Breach Investigation Report (DBIR) provided, 82% of the breaches studied were due to human activities or errors [2,3].

Saudi Arabia has become a primary target of cyberattacks due to its large number of active Internet users and geopolitical prominence [4]. The fourth goal of the 2030 Saudi Vision is to improve the quality of life for all people on Earth, emphasizing quality education and lifelong learning opportunities. This encourages academic institutions and other stakeholders to collaborate to improve educational quality and provide resources for lifelong learning [5]. As students have become more engaged in online learning, they are supposed to be the group most aware of cybersecurity. Establishing a culture of cybersecurity awareness among students before entering the workforce is crucial, and one of the most important steps to achieve this is to evaluate the level of awareness [6].

In the post-pandemic era, academic institutions and learners have integrated distance education as an essential tool, and information security has also become a major concern for students. Recent literature reviews highlight that cyberattacks can occur and succeed due to lack of awareness [4]. There are several cyber-attack techniques, but the underlying motivation for all categories is mostly the same. The only difference between the cyberattack categories is the number of objectives and the methods used to obtain the information [2].

Phishing involves the use of fraudulent messages to deceive recipients into revealing sensitive information by using different communication systems, such as Email, URL, SMS, social media, or online games [7,8]. Phishing often relies on email spoofing or texting attacks for tricking the user into entering personal information on a fake website [9]. A spoofing attack is one of the cyber attacks that has been on the rise due to the increase in digital reliance. Spoofing is the impersonation of another person or program, typically by providing false information, such as a fake email name, a bogus URL, or a stolen IP address. In the context of information security, a spoofing attack is an event in which an attacker or malicious program successfully fools a victim by falsifying data to obtain an unauthorized advantage. There are several types of spoofing attacks, including IP spoofing, MAC spoofing, website spoofing, DNS spoofing, email spoofing, and caller ID spoofing [10].

Email spoofing is a cyberattack in which an attacker creates a false message by altering the sender’s address and other parts of the email header so that it appears to the victim as if it originated from a different source [9]. Typically, spoofed emails aim to obtain personally identifiable information (PII) from victims, which can be used for identity theft [11]. It is one of the most common forgery techniques that require no knowledge or effort on the part of adversaries, as SMTP itself provides no authentication [12].

Website Uniform Resource Locator (URL) spoofing remains a primary tactic in phishing attacks in the 21st century. According to a cybercrime fraud report, the rate of spoofing attacks increased during and after the COVID-19 Pandemic [1]. In a spoofing attack, the attacker tricks the victim into trusting a fake site and obtains their credentials for the legitimate cloned site. These fake Web pages have similar graphical user interfaces but use a different Uniform Resource Locator than the original page. Experienced users can easily spot these fake websites by looking at the URL, but a lot of users tend to ignore the entire web page address [13,14].

SMS spoofing is one of the most common types of spoofing attacks today. Although numerous studies have examined factors that make users vulnerable to email-based phishing, research on smishing remains limited [15]. Although SMS spoofing can have legitimate applications, such as setting a company’s or product’s name, it is also commonly misused to impersonate companies or products for malicious purposes. In SMS spoofing, attackers craft SMS messages that look harmless to users and change the sender’s information on a text to fool the receiver [16].

Companies used to warn customers not to trust emails and to rely only on phone calls or SMS, but this assumption is no longer valid, as caller ID spoofing has become more prevalent among attackers [17]. Caller identification typically relies on two key pieces of information: the caller ID (phone number) and the caller name. In caller ID spoofing attacks, attackers can falsify the phone number, the caller name, or both to impersonate trusted entities or individuals [18]. Caller ID spoofing is a type of attack in which an attacker manipulates the caller ID display to show a different phone number than the original number from which the call originated [19]. An attacker can easily launch caller ID spoofing using Session Initiation Protocol (SIP) trunks and VoIP technology combined with social engineering to lure victims into revealing financial data or sending money [20]. Vishing, a phishing method, exploits users’ trust in telephone service, as most users are unaware that attackers may use caller ID spoofing [21]. In a survey conducted at Effat University, students and faculty were asked whether they prefer fingerprint-based or conventional knowledge-based methods for call authentication purposes. The results show that 75% prefer that call center systems adopt fingerprint-based authentication methods [22].

These malicious activities could be particularly prevalent in academic institutions, exploiting the widespread reliance on digital technology among students and faculty to trick them into divulging sensitive information or performing actions that compromise security. The rapid growth of spoofing attacks and the increased recurrence of hacking attacks in schools and colleges require evaluating student awareness [23]. Raising students’ awareness about spoofing attacks not only helps them identify phishing emails and spoofed websites but also makes universities less vulnerable [24].

Objectives and Research Questions of the Study

Although many research papers evaluate students’ awareness of cybersecurity and phishing attacks, more attention should be paid to spoofing attacks. A Spoofing attack is an identity-deception mechanism often used as an essential step in the life cycle of multiple sophisticated attacks. Phishing often relies on spoofed identities or communication channels. The education system in Saudi Arabia is going through a major digital transformation, driven by Vision 2030. An example is the Saudi Electronic University, which employs a blended learning model that combines online education with physical attendance. The objective of this study is to address the research gap and assess the students’ awareness of spoofing attacks at Saudi Electronic University.

This study addresses the existing research gap by analyzing students’ awareness of spoofing attacks and the experiences of individuals who have been victims of such incidents. To achieve this objective, a survey was conducted among students at the Saudi Electronic University, which operates 17 branches across Saudi Arabia. The research quantitatively evaluated students’ knowledge of spoofing attacks and their prevention, thereby demonstrating the necessity for user education, training, and awareness. A quantitative research methodology was employed, and statistical tests, including analysis of variance (ANOVA), Kaiser–Meyer–Olkin (KMO), and Bartlett’s tests, were utilized to analyze the collected data. Based on these findings, the study recommends strategies to enhance awareness. The research was designed to address the following questions:

• What is the current level of awareness among university students in Saudi Arabia regarding email, SMS and website spoofing attacks?
• Is there a significant difference between students’ self-reported confidence in identifying spoofing attacks and their actual ability to recognize them in simulated scenarios?
• How do demographic factors such as academic major, age, and gender influence students’ awareness and ability to detect spoofing attacks?
• To what extent does prior cybersecurity education or training impact a student’s awareness of spoofing attacks?
• What are the most common red flags or malicious cues (e.g., fraudulent sender IDs, deceptive URLs) that students fail to identify, and how do these vary across different types of spoofing attacks?

2. Literature Review

The defense against cyberattacks has received increasing attention in recent years, with people, processes, and technology identified as the three key factors. Among these, the human factor is considered the most vulnerable [25]. Consequently, research focus has shifted from technical solutions to human-oriented aspects [26]. This section reviews recent approaches to assessing users’ knowledge of cyberattacks. While several studies have evaluated students’ awareness of cyberattacks and phishing, there is a lack of research assessing students’ awareness of spoofing attacks in Saudi Arabia.

Abdullah et al. [27] employed a quantitative research approach to examine awareness of social engineering attacks at the University of Sulaimani. The study utilized an online survey comprising 24 questions divided into demographic information and perspectives on social engineering. Data from 1500 students and staff were analyzed using IBM SPSS Version 22, with frequency analyses and ANOVA. The findings revealed statistically significant differences in age across four types of cybersecurity attacks: spear phishing, baiting, AI-pretexting, and piggybacking. Additionally, a statistically significant difference was observed based on participants’ gender.

Kasunic et al. [28] conducted a survey to evaluate cybersecurity awareness among students at Zagreb University. The sample comprised 163 undergraduate and 55 graduate participants. Data were analyzed using SPSS 20.0, employing Spearman’s correlation coefficient and Chi-square tests for statistical assessment. Although employed students exhibited greater cybersecurity awareness, this difference did not reach statistical significance.

Alzubaidi et al. [4] evaluate the level of cybersecurity awareness in Saudi Arabia, considering cybersecurity practices, awareness levels, and incident reporting. They collected responses from 1230 participants, and the questionnaire results showed that 32.5% were unaware of phishing attacks. The paper concludes with recommendations, based on the analysis of the results, to improve awareness.

Alharbi et al. [23] investigate cybersecurity awareness and user compliance among undergraduate students at Majmaah University using a questionnaire that evaluates multiple Internet safety factors. A total of 576 students participated in the survey. The findings indicate that, despite most participants having attended a formal security awareness program, they lacked knowledge on securing their Personal Identifiable Information (PII). Similarly, Aljohni et al. [6] assess cybersecurity awareness among 136 students, considering gender, location, and academic department. The results reveal that overall student awareness is average. However, students in computer and information technology departments demonstrate higher awareness than those in other departments, and urban students outperform rural students in cybersecurity awareness.

Alsulami et al. [29] measured awareness of social engineering attacks within the educational sector in the Kingdom of Saudi Arabia. The study employed a questionnaire and collected responses from 465 participants. The results indicate a substantial need for enhanced awareness and training concerning social engineering techniques and information security practices. Furthermore, the findings highlight differences in information security awareness across age groups. In a related study, Alotaibi et al. [30] developed a cybersecurity awareness model specifically for Saudi students to improve protection against social engineering attacks. The model comprises four components: education and training, policy and guideline development, enhancement of security measures in Saudi schools, and ongoing monitoring and evaluation.

Furthermore, the authors of [31] developed a questionnaire to evaluate students’ cybersecurity awareness at Fahad Bin Sultan University (FBSU), a Saudi institution. A total of 212 students participated in the survey, and the data were analyzed using descriptive statistics in Excel. The findings reveal that students possess an average level of cybersecurity awareness, with no significant differences observed across gender or class level.

A substantial body of research examines students’ awareness of phishing attacks, which represent a prevalent form of social engineering. Alqahtani et al. [2] evaluate university students’ knowledge and awareness of phishing attacks. The study identifies key factors contributing to the occurrence of phishing attacks and their influence on students’ perceptions. Data were collected from 715 students using a quantitative research approach. The findings reveal that a lack of awareness and failure to verify the authenticity of communications significantly increase students’ vulnerability to phishing. The study also demonstrates a lack of awareness regarding email and website spoofing, indicating a need for enhanced educational efforts. Similarly, Kayomb et al. [32] developed a phishing awareness framework to evaluate students at a South African university, finding that spoofing is a prominent strategy employed by phishing attackers. Aliyu et al. [33] investigate phishing awareness among 137 students, with one objective being to assess whether students from different demographic groups respond differently to specific phishing attacks. The results indicate that male students were more effective at identifying phishing attacks than female students.

Kalipi et al. [34] investigate students’ awareness of SMS security threats at the University of Namibia (UNAM), examining factors that prompt users to suspect an SMS message may be illegitimate and to discontinue interaction. Of 582 students invited, 287 responded to the survey, and the data were analyzed using IBM SPSS 20. The findings indicate that while students are aware of SMS threats, most lack knowledge of appropriate preventive measures. Furthermore, students receive insufficient warning notifications about fraudulent activity. Another study examines smartphone users’ ability to identify smishing, which combines SMS and phishing messages. In this study, 187 smartphone users participated in an online survey, and data were analyzed using frequency and ANOVA tests. The results show that users’ accuracy in detecting fake messages was 67.1%, while accuracy for real messages was 43.6%. The authors conclude that although brands communicate messages to their customers, user awareness in distinguishing between real and fake messages requires improvement [15].

Caller ID spoofing represents another increasingly prevalent spoofing attack. Verma et al. [35] examine individuals’ reactions to and perceptions of call spoofing. To test the hypothesis of a significant positive relationship between knowledge of call spoofing and trust in phone communication, a survey was administered to 680 participants. Statistical analyses, including the Heterotrait-Monotrait (HTMT) ratio and Partial Least Squares Structural Equation Modeling (PLS-SEM), were employed. The results demonstrate a significant positive relationship between call-spoofing awareness and trust in phone communications.

In summary, the literature reveals a lack of studies assessing students’ awareness of spoofing attacks, particularly in Saudi Arabia, where distance learning has become integral to many academic institutions. While previous research has explored students’ awareness of spoofing-related threats within broader cybersecurity, phishing, and social engineering contexts, limited research has comprehensively examined multiple spoofing attack types within a unified analytical framework among university students in Saudi Arabia.

Table 1. Summary of Related Studies and Positioning of the Current Study.

Study	Country/Context	Participants	Main Focus	Attack Types Covered	Key Findings	Limitations/Gap
[27]	Iraq—University of Sulaimani	1500 students and staff	Social engineering awareness	Spear phishing, baiting, pretexting, piggybacking	Significant differences by age and gender	Did not focus specifically on spoofing attacks
[28]	Croatia—Zagreb University	218 students	General cybersecurity awareness	General cyber threats	Employment status influenced awareness	No spoofing-specific assessment
[4]	Saudi Arabia	1230 participants	Cybersecurity awareness and practices	Phishing awareness included	32.5% lacked phishing awareness	Did not examine spoofing types separately
[23]	Saudi Arabia—Majmaah University	576 students	Cybersecurity awareness and compliance	General cybersecurity threats	Students lacked knowledge of protecting PII	No scenario-based spoofing evaluation
[6]	Saudi Arabia	136 students	Cybersecurity awareness	General cyber threats	Awareness differed by department and location	Limited scope and no spoofing analysis
[29]	Saudi Arabia—Educational sector	465 respondents	Social engineering awareness	Social engineering techniques	Need for stronger awareness and training	No evaluation of spoofing detection ability
[30]	Saudi Arabia	Saudi students	Cybersecurity awareness model	Social engineering	Proposed awareness framework	No empirical spoofing assessment
[31]	Saudi Arabia—FBSU	212 students	Cybersecurity awareness	General cybersecurity concepts	Average awareness level	No spoofing-specific investigation
[2]	Saudi Arabia—University students	715 students	Phishing awareness	Email and website phishing/spoofing	Lack of awareness regarding authenticity verification	Focused mainly on phishing rather than multiple spoofing channels
[32]	South Africa	University students	Phishing awareness framework	Phishing and spoofing strategies	Spoofing identified as a phishing strategy	Did not separately evaluate spoofing awareness
[33]	Students	137 students	Phishing awareness	Phishing attacks	Male students identified phishing better	Limited focus on phishing only
[34]	Namibia—UNAM	287 students	SMS security awareness	SMS threats/smishing	Students lacked preventative measures knowledge	Only SMS-related threats investigated
[15]	Smartphone users	187 participants	Smishing detection	SMS phishing	Detection accuracy remained limited	Focused only on smishing
[35]	General population	680 participants	Caller ID spoofing perception	Call spoofing	Awareness positively affected trust	Did not focus on students or multiple spoofing types
Current Study	Saudi Arabia—Saudi Electronic University	1437 students	Awareness, confidence, and behavioral responses to spoofing attacks	Email, SMS, website, and caller ID spoofing	Identified discrepancy between perceived confidence and actual detection ability	Provides integrated multi-channel spoofing assessment among Saudi university students

summarizes related studies and positions the current study within the context of existing cybersecurity awareness research in Saudi Arabia.

3. Methodology

In this section, an overview of the methodology followed is presented. The methodology for conducting this research was developed following various related works. It encompasses research instruments, ethical considerations, content validation, data collection, and data analysis.

3.1. Research Instruments

The selection of research instruments, defined as tools used to collect, measure, and analyze data for a research study, represents a critical methodological step [36]. Common research instruments include interviews, surveys, tests, and observation checklists [34]. According to the reviewed literature, this study employs a survey as its primary instrument. Surveys are widely utilized due to their ability to reach a broad participant base within a limited time frame and at reduced cost. Furthermore, surveys offer convenience to respondents by ensuring anonymity [37].

To this end, the literature review findings were used to develop the questionnaire items. A structured questionnaire was created for data collection. The questionnaire consisted of 38 closed-ended (e.g., yes/no, multiple-choice) and Likert-scale items, ranging from 1 (Not at all confident) to 5 (Extremely confident). In addition, it included both perception-based questions and practical identification questions to measure not only self-reported confidence, but also the actual ability of participants to detect spoofing indicators. Since the aim of the questionnaire was to explore the level of students’ awareness of spoofing attacks, the questionnaire was grouped into 8 sections as follows:

• Section 1: A cover page that includes a short introduction about the study and a consent form for the questionnaire.
• Section 2: Demographics, where students were asked about their age, gender, location, major, and employment status.
• Section 3: Computer Usage, which contains questions about types of devices used by students and the purpose of using Emails and SMS.
• Section 4: General Understanding of Spoofing Attacks: determining whether students have ever heard of spoofing attacks and what level of threat they pose.
• Section 5: Awareness of Specific type of Spoofing attacks: determining level of confidence in identifying spoofing attacks.
• Section 6: Experience with Spoofing Attacks: capturing students’ experience with spoofing attacks.
• Section 7: Identifying Spoofing Attacks (with Examples): determining level of awareness using scenarios.
• Section 8: Prevention and Best Practices: capturing students’ views on the best method of defense against these attacks.

The scenario-based questions were developed based on related research that primarily focuses on phishing and cybersecurity awareness; however, the current study specifically emphasized the spoofing mechanisms embedded within the attack scenarios. Specifically, it was designed to evaluate students’ ability to recognize spoofing techniques that use impersonation to bypass existing security protections. Commonly reported spoofing characteristics identified in related studies, such as spoofed sender addresses, misleading URLs, generic greetings, urgency-based language, impersonation of trusted organizations, suspicious links, and requests for sensitive information, were incorporated into the scenarios. For example, the email spoofing scenario used a fake delivery email containing urgency cues, a spoofed sender domain, and suspicious links to evaluate whether students could recognize indicators commonly used in email spoofing attacks.

3.2. Ethical Consideration

Ethical approval for the study was obtained from the Standing Committee for Research Ethics at the Saudi Electronic University. Participants were informed of potential risks via a consent form provided on the survey’s cover page. They were also advised that participation was voluntary and that they could withdraw at any time without consequence.

3.3. Content Validity and Pilot Study

The questionnaire was developed using Microsoft Forms (Microsoft Corp., Redmond, WA, USA). Recruitment was conducted by distributing the survey link via email to students at Saudi Electronic University through the Standing Committee for Research Ethics. The survey remained open for one month, and no reminder emails were issued during the data collection period. Participation was voluntary, and responses were collected anonymously.

Saudi Electronic University was chosen because it has about 60,000 students and 17 branches spread across Saudi Arabia. This allows for responses from people with different regional backgrounds. The university also uses a blended learning model that combines face-to-face teaching with online learning. This setting makes it a good place to study awareness of cybersecurity threats, such as spoofing attacks.

To ensure the quality of the survey, two content validity approaches were used: expert feedback and a pilot test. As defined in [37], an expert is “a person with expertise in the construct being developed, people familiar with the target population on whom the instrument will be used, users of the instrument”. The survey was reviewed by 4 experts: three experts from the computer science department and an expert from the English department. The feedback provided valuable suggestions for adding, removing, and updating some questions, as well as restructuring the survey.

A pilot test is a critical stage in questionnaire development, as it facilitates the identification and elimination of potential issues prior to data collection [38]. Additionally, this phase assists in estimating the time required to complete the questionnaire and in prioritizing the most significant questions [34]. To ensure clarity and detect possible ambiguities, a pilot study was conducted with 9 student participants. The survey link was distributed to approximately 90 students, resulting in 9 responses after one week.

Additionally, reliability analysis was conducted using Cronbach’s Alpha test for the Likert-scale items included in Section 5 of the survey, which evaluates students’ awareness and confidence regarding spoofing attacks. Cronbach’s Alpha is one of the most commonly used methods for measuring internal consistency [39]. The reliability analysis was conducted using the responses from 9 pilot participants. The obtained Cronbach’s Alpha coefficient ($\alpha =0.655$) exceeds 0.6, indicating moderate internal consistency and acceptable reliability given the exploratory nature of the study.

Although the pilot sample size was limited and the reliability coefficient reflected moderate internal consistency, the primary aim of the pilot study was not comprehensive psychometric validation. Rather, the pilot phase focused on evaluating question clarity, identifying ambiguous wording, estimating survey completion time, and assessing the comprehensibility of scenario-based questions prior to large-scale distribution. Feedback from the pilot led to several revisions in wording, formatting, and structure to enhance the questionnaire’s readability and clarity.

3.4. Data Collation

Data were collected using a structured, self-administered questionnaire comprising eight sections: (1) screening and consent, (2) sociodemographic characteristics, (3) device and communication usage, (4) general understanding of spoofing attacks, (5) confidence in identifying specific spoofing types, (6) personal experience with spoofing, (7) scenario-based spoofing identification, and (8) prevention behaviors and information sources. Confidence in identifying four spoofing types was assessed on a five-point Likert scale (1 = not confident at all, 5 = very confident). The scenario-based section (Section 7) was completed by respondents routed via skip logic (n = 856).

The link to the questionnaire was sent to participants via email through the Standing Committee for Research Ethics. The link was made available to students for one month, from 21 December 2025 to 21 January 2026. Respondents were eligible if they completed the survey in full, and no demographic exclusion criteria were applied.

3.5. Statistical Analysis

To answer the research questions, both descriptive and inferential statistical analyses were conducted. Descriptive statistics were first used to summarize participants’ demographic characteristics, device usage, general awareness, confidence levels, previous experiences, scenario-based responses, and prevention practices. This approach is consistent with prior cybersecurity awareness studies that used descriptive analysis to identify patterns in participants’ knowledge and behavior [4,23,31,40]. Continuous variables are reported as mean ± standard deviation (SD), while categorical and multi-select variables are presented as frequencies and percentages. The internal consistency of the four-item confidence scale was assessed using Cronbach’s $\alpha$, following survey validation practices recommended in prior questionnaire-based research [37,39].

Chi-square tests (${\chi }^2$) were employed to examine associations between categorical variables, such as spoofing awareness and demographic characteristics. This test was appropriate because several survey variables, including awareness, gender, age group, academic level, and prior experience, were categorical. Previous awareness studies have also utilized Chi-square analysis to investigate relationships between demographic factors and cybersecurity or phishing awareness [28,33,41]. Also, Cramér’s V was reported to indicate the strength of significant associations.

The Friedman test was used to compare participants’ confidence in identifying the four types of spoofing: email, website, SMS, and caller ID. This test was chosen because each participant rated their confidence for several related spoofing categories using ordinal Likert-scale responses. As a result, the Friedman test was appropriate for comparing repeated ordinal measures within the same group [42].

The Kruskal–Wallis test was employed to assess differences in confidence scores among independent demographic and awareness groups, specifically gender, age group, and awareness level. This nonparametric test was chosen because Likert-scale confidence data are ordinal and may not meet the assumptions of normality. Previous survey-based cybersecurity studies have also utilized nonparametric or group-comparison methods to investigate differences in awareness across demographic groups [27,29,34].

A one-way ANOVA was conducted to determine whether mean confidence scores differed significantly across academic levels. This method was chosen because the dependent variable, the aggregated mean confidence score, was treated as approximately continuous, and academic level consisted of multiple independent groups. Levene’s test confirmed homogeneity of variances ($p=0.112$). Games–Howell post hoc tests were used to identify pairwise differences due to unequal group sizes.

Linear regression was used to model the mean confidence score as a continuous outcome and to examine whether demographic and awareness-related variables predicted confidence. Regression analysis is commonly used in cybersecurity awareness and user-perception studies to examine the influence of demographic, behavioral, and awareness-related predictors [2,35,43].

Binary logistic regression was used to model suspected email spoofing experience as a binary outcome (Yes vs. No/Maybe). This method was selected because the dependent variable represented whether participants had experienced or suspected an email spoofing attempt. Two models were developed: Model 1 included awareness, gender, age, and email confidence, while Model 2 additionally included perceived threat level, academic level, and mean confidence.

Pearson and Spearman correlation analyses were conducted to examine relationships among key continuous and ordinal variables [43]. Pearson correlation was used for approximately continuous variables, whereas Spearman correlation was used for ordinal variables and other nonparametric associations.

Model assumptions were verified, including multicollinearity using the Variance Inflation Factor (VIF $< 2$) and residual independence using the Durbin–Watson statistic (=1.971) [44]. All statistical analyses were conducted using IBM SPSS Statistics version 29 (IBM Corp., Armonk, NY, USA).

3.6. Analysis and Results

This part presents the results of collected data from students at the University, which have responded to the questionnaire. A total of 1437 students completed the survey during a one-month period. This section presents demographic results, computer usage, general understanding of spoofing attacks, awareness of spoofing attacks, experience with spoofing attacks, scenarios, and prevention and best-practice factors that contribute to participants’ knowledge of spoofing attacks. These were illustrated using the above statistical tests, frequency, and percentage.

3.6.1. Demographic Characteristics

In section 2 of the survey, students were asked about their age, gender, location, major, and employment status to evaluate the effect of demographics on student awareness and ability to detect spoofing attacks.

Table 2. Demographic Characteristics ($N=1437$).

Variable	Category	n (%)	N
Demographics
Age (years)	—	26.4 (9.14)	1437
Gender	Woman	892 (62.1%)	1437
	Man	527 (36.7%)
	Prefer not to say	18 (1.3%)
Age group	18–24 years	841 (58.5%)	1437
	25–34 years	422 (29.4%)
	35–44 years	155 (10.8%)
	45–54 years	17 (1.2%)
	55–64 years	2 (0.1%)
Academic and Occupational Profile
Academic level	Undergraduate	1117 (79.1%)	1412
	Graduate (Master’s)	191 (13.5%)
	High School	76 (5.4%)
	PhD	20 (1.4%)
	Diploma	8 (0.6%)
Field of study	Computer Science	375 (26.1%)	1437
	Health Sciences	343 (23.9%)
	Business	311 (21.6%)
	Arts/Humanities/Social Sciences	119 (8.3%)
	Law	53 (3.7%)
	Other	236 (16.4%)
Geographic Distribution
Region	Eastern Province (Ash-Sharqiyah)	419 (29.2%)	1437
	Riyadh	352 (24.5%)
	Makkah	180 (12.5%)
	Al Madinah	120 (8.4%)
	Asir	83 (5.8%)
	Other regions	283 (19.7%)

Academic level percentages are based on valid cases (n = 1412; 25 system-missing). Field of study and region reflect the top-reported categories.

demonstrates the full demographic characteristics, and a total of 1437 respondents completed the survey. Women made up 62.1% of the sample and men 36.7%. Students’ age is shown in five age groups; most respondents were aged 18–24 years (58.5%), and the predominant academic level was undergraduate (79.1% of valid cases; $n=1412$). Computer Science (26.1%), Health Sciences (23.9%), and Business (21.6%) were the most represented fields. Geographically, the Eastern Province and Riyadh accounted for 53.7% of respondents.

3.6.2. Device and Communication Usage

Section 3 of the survey examines the types of devices used and the purposes for which Email and SMS are utilized, aiming to assess exposure to digital communication channels frequently targeted by spoofing attacks. The data indicate that smartphones were the most widely used device (91.6%), followed by laptops (69.5%). Email was primarily used for educational purposes (73.3%) and work or professional communication (66.5%). SMS was predominantly used for receiving two-factor authentication codes (75.4%), as well as for bank and service alerts (67.5%) and business delivery updates (61.0%). Device usage by field of study did not differ significantly for either smartphones or laptops (both $p>0.05$). Frequencies are presented in Figure 1, Figure 2 and Figure 3.

3.6.3. General Awareness of Spoofing Attacks

Section 4 of the survey assessed students’ awareness of spoofing attacks and their perceived threat level. A majority of respondents (74.8%) reported prior awareness of spoofing attacks. Over half (53.5%) rated spoofing as a very significant threat, while an additional 20.4% considered it moderately significant. The mean perceived threat level was 4.07 (SD = 1.23), indicating that although most participants viewed spoofing as a significant threat, there was some variation in individual ratings. Figure 4 illustrates the distribution of awareness responses, and

Table 3. Perceived Threat Level ($N=1437$).

Variable	Category	n (%)	N
Perceived Threat Level of Spoofing Attacks (coded 1–5, Mean ± SD: 4.07 ± 1.23)
Threat level	Very significant	769 (53.5%)	1437
	Moderately significant	293 (20.4%)
	Slightly significant	152 (10.6%)
	Unsure	151 (10.5%)
	Not significant at all	72 (5.0%)

Perceived threat level coded 1 = Not significant at all to 5 = Very significant.

presents the frequencies of perceived threat levels.

Factors Associated with Spoofing Awareness

Chi-square analyses revealed significant associations between spoofing awareness and three of the four variables examined (gender, age group, perceived threat, and academic level). Awareness differed significantly by gender (${\chi }^2\left(4\right)=14.20$, $p=0.007$, $V=0.070$), with men reporting higher awareness (80.3%) than women (71.7%) and those who preferred not to state their gender (66.7%), though the effect was negligible. This distribution is illustrated in Figure 5 (left panel). A stronger and highly significant association was found for age group (${\chi }^2\left(8\right)=31.16$, $p<0.001$, $V=0.104$), with awareness increasing markedly with age, varying from 70.4% among 18–24 year-olds to 88.2% among those aged 45–54 (see Figure 5, right panel). The largest effect was observed for perceived threat level (${\chi }^2\left(8\right)=239.98$, $p<0.001$, $V=0.289$), where respondents who were unsure of the threat posed by spoofing were far less likely to report awareness (33.8%) compared to those who rated it as very significant (81.9%) or not significant at all (86.1%) (see

Table 4. Spoofing Awareness by Demographic and Contextual Variables.

Variable	Group	Yes n (%)	No n (%)	Maybe n (%)	Total	${\mathit{\chi }}^2$	df	p	V
Gender ($\mathit{N}=\mathbf{1437}$)
	Woman	640 (71.7%)	130 (14.6%)	122 (13.7%)	892	14.20	4	0.007	0.070
	Man	423 (80.3%)	52 (9.9%)	52 (9.9%)	527
	Prefer not to say	12 (66.7%)	4 (22.2%)	2 (11.1%)	18
	Total	1075 (74.8%)	186 (12.9%)	176 (12.2%)	1437
Age Group ($\mathit{N}=\mathbf{1437}$)
	18–24 years	592 (70.4%)	123 (14.6%)	126 (15.0%)	841	31.16	8	<0.001	0.104
	25–34 years	331 (78.4%)	48 (11.4%)	43 (10.2%)	422
	35–44 years	136 (87.7%)	13 (8.4%)	6 (3.9%)	155
	45–54 years	15 (88.2%)	1 (5.9%)	1 (5.9%)	17
	55–64 years	1 (50.0%)	1 (50.0%)	0 (0%)	2
	Total	1075 (74.8%)	186 (12.9%)	176 (12.2%)	1437
Perceived Threat Level ($\mathit{N}=\mathbf{1437}$)
	Not significant at all	62 (86.1%)	6 (8.3%)	4 (5.6%)	72	239.98	8	<0.001	0.289
	Slightly significant	114 (75.0%)	15 (9.9%)	23 (15.1%)	152
	Unsure	51 (33.8%)	77 (51.0%)	23 (15.2%)	151
	Moderately significant	218 (74.4%)	29 (9.9%)	46 (15.7%)	293
	Very significant	630 (81.9%)	59 (7.7%)	80 (10.4%)	769
	Total	1075 (74.8%)	186 (12.9%)	176 (12.2%)	1437
Academic Level ($\mathit{n}=\mathbf{1412}$)
	High School	58 (76.3%)	8 (10.5%)	10 (13.2%)	76	12.41	8	0.134	0.066
	Diploma	5 (62.5%)	0 (0%)	3 (37.5%)	8
	Undergraduate	836 (74.8%)	138 (12.4%)	143 (12.8%)	1117
	Graduate (Master’s)	147 (77.0%)	28 (14.7%)	16 (8.4%)	191
	PhD	14 (70.0%)	5 (25.0%)	1 (5.0%)	20
	Total	1060 (75.1%)	179 (12.7%)	173 (12.2%)	1412

Cell values: n (% within group). ${\chi }^2$ and Cramér’s V statistics reported per variable. Gender: 2 cells (22.2%) had expected count $<5$. Age Group: 5 cells (33.3%) had expected count $<5$. Perceived Threat Level: all cells had expected counts $geq5$. Academic Level: 4 cells (26.7%) had expected counts $<5$; 25 respondents were excluded due to missing academic-level data.

). Academic level was the only variable not significantly associated with awareness (${\chi }^2\left(8\right)=12.41$, $p=0.134$, $V=0.066$), with proportions of aware respondents ranging narrowly from 62.5% (Diploma) to 77.0% (Graduate), as shown in Table 4.

3.6.4. Confidence in Identifying Spoofing Attack Types

Section 5 of the survey assessed students’ familiarity with and confidence in identifying four types of spoofing attacks: email, website, SMS, and caller ID. Mean confidence scores ranged from 3.22 for website spoofing to 3.55 for caller ID spoofing on a five-point scale. The four-item scale demonstrated high internal consistency (Cronbach’s $\alpha =0.889$). The Friedman test indicated significant differences in confidence across the four spoofing types (${\chi }^2\left(3\right)=219.89$, $p<0.001$), with caller ID and SMS spoofing rated higher than email and website spoofing (mean ranks: 2.70, 2.65, 2.37, 2.28, respectively). Figure 6 shows the confidence distribution by spoofing type. Bars represent the mean confidence score, and Error bars represent the standard deviation (SD). The last bar shows the mean of the overall scale. Additionally, the association with the general spoofing awareness (i.e., section 4) of the survey shows that the Mean confidence was significantly higher among respondents who had heard of spoofing attacks (Kruskal–Wallis $H\left(2\right)=51.10$, $p<0.001$), and results are presented in

Table 5. Kruskal–Wallis: Mean Confidence Score by Spoofing Awareness (Mean Rank).

Spoofing Awareness	Mean Rank	Statistic
Yes ($n=1075$)	762.34
No ($n=186$)	546.95
Maybe ($n=176$)	636.08	$H\left(2\right)=51.10,p<0.001$

.

Factors Associated with Confidence in Identifying Spoofing Attacks

A standard multiple linear regression was conducted to examine factors associated with mean confidence scores across the four spoofing types. The model was statistically significant ($F(5,1406)=12.91$, $p<0.001$), and explained 4.0% of the variance (Adj $R^2=0.040$). Having heard of spoofing (coded) and gender emerged as the only significant predictors. Participants who had heard of spoofing reported higher confidence scores when the coding direction was considered, and men reported higher confidence than women. Perceived threat level, age group, and academic level did not independently predict confidence. Multicollinearity was not a concern (all VIFs $<2$). The results are presented in

Table 6. Linear Regression: Predictors of Mean Confidence Score (DV: Mean Confidence 1–5).

Predictor	B	SE	$\mathit{\beta }$	t	p	VIF
Constant	3.305	0.202	—	16.33	<0.001	—
Heard of spoofing (coded)	−0.233	0.043	−0.143	−5.41	<0.001	1.025
Perceived threat level (coded 1–5)	−0.024	0.024	−0.026	−1.01	0.315	1.016
Gender (coded)	0.322	0.061	0.146	5.32	<0.001	1.117
Age group (coded)	−0.014	0.043	−0.009	−0.34	0.737	1.151
Academic level (coded)	0.024	0.046	0.014	0.52	0.606	1.013

DV = Mean Confidence Score across four spoofing types. $n=1412$ (listwise). All predictors were coded as ordinal integers. $\beta$ = standardised coefficient. Reference directions: higher coded values = not heard, older, male, higher academic level.

.

The results show that prior awareness of spoofing attacks and gender were significant predictors of confidence in identifying spoofing attacks. Students who had previously heard of spoofing reported higher confidence scores, and men reported slightly higher confidence than women. The perceived threat level, age group, and academic level were not significant predictors of confidence.

Extended Linear Regression: Factors Associated with Confidence in Identifying Spoofing Attacks

The extended model (15 predictors, $n=1412$) was statistically significant ($F(15,1396)=6.847$, $p<0.001$, $R^2=0.069$, Adjusted $R^2=0.059$, Durbin–Watson $=1.984$). The increase in explained variance over the five-predictor model was $\Delta R^2=0.025$, representing a modest but non-trivial gain.

Table 7. Extended Linear Regression: Predictors of Mean Confidence Score (DV: Mean Confidence 1–5).

Predictor	B	SE	$\mathit{\beta }$	t	p	VIF
Constant	3.533	0.211	—	16.71	<0.001	—
Core Demographic Predictors
Heard of spoofing (coded)	−0.227	0.043	−0.139	−5.30	<0.001	1.034
Perceived threat level (1–5)	−0.035	0.024	−0.038	−1.46	0.146	1.026
Gender (coded)	0.306	0.061	0.139	5.05	<0.001	1.136
Age group (coded)	−0.005	0.043	−0.003	−0.12	0.904	1.192
Academic level (coded)	0.030	0.046	0.017	0.65	0.514	1.022
Field of Study (ref = CS/IT)
Health Sciences	−0.242	0.084	−0.092	−2.89	0.004	1.498
Business/Finance	−0.174	0.084	−0.065	−2.06	0.040	1.476
Law	−0.176	0.149	−0.032	−1.18	0.239	1.136
Arts/Humanities	−0.091	0.117	−0.022	−0.78	0.436	1.229
Other fields	−0.185	0.096	−0.057	−1.92	0.056	1.333
Region (ref = Riyadh)
Makkah	−0.057	0.101	−0.017	−0.56	0.575	1.339
Eastern Province	0.062	0.080	0.025	0.78	0.437	1.554
Al Madinah	0.005	0.118	0.001	0.04	0.968	1.236
Asir	−0.131	0.137	−0.027	−0.95	0.341	1.171
Other regions	−0.343	0.089	−0.121	−3.86	<0.001	1.481

Note. Model fit: $R=0.262$, $R^2=0.069$, Adjusted $R^2=0.059$, $F(15,1396)=6.847$, $p<0.001$, Durbin–Watson $=1.984$. $\Delta R^2=0.025$ relative to the parsimonious model. Reference categories: Computer Science/IT (field); Riyadh (region). $n=1412$ (25 cases listwise deleted). $\beta$ = standardized coefficient. All VIF $<2$.

presents the detailed regression coefficients and model statistics.

Three field-of-study dummy variables reached significance: Health Sciences ($B=-0.242$, $p=0.004$) and Business/Finance ($B=-0.174$, $p=0.040$) students reported significantly lower confidence than Computer Science/IT students. Among region dummies, only the Other regions dummy was significant ($B=-0.343$, $p<0.001$), indicating that respondents from regions outside the five named categories reported lower confidence than Riyadh residents. All other region dummies were non-significant.

Core predictors retained their direction and significance: respondents who had heard of spoofing reported higher confidence ($B=-0.227$, $p<0.001$), and men reported higher confidence than women ($B=0.306$, $p<0.001$). All variance inflation factors (VIFs) were below 2, indicating no multicollinearity concerns.

3.6.5. Personal Experience with Spoofing Attacks

Section 6 of the survey links students’ real-world exposure to spoofing attacks with awareness and behavior. Personal exposure to suspected spoofing was prevalent across all four attack types. Website spoofing was most frequently suspected (69.1% Yes), followed by caller ID spoofing (63.5%), email spoofing (57.4%), and SMS spoofing (51.1%). Frequencies are presented in Figure 7.

Factors Associated with Email Spoofing Experience

Binary logistic regression was used to model the likelihood of reporting a suspected email spoofing experience (Yes vs. No/Maybe). Two sequential models were tested. In Model 1, which includes four factors (i.e, awareness, gender, age, email confidence), the result was statistically significant (${\chi }^2\left(4\right)=155.53$, $p<0.001$), and 63.6% of cases were correctly classified (Nagelkerke $R^2=0.138$). In Model 2, three factors—perceived threat level, academic level, and mean confidence score—were added, and the mean confidence score improved marginally (${\chi }^2\left(6\right)=161.12$, $p<0.001$; Nagelkerke $R^2=0.145$; accuracy = 64.2%). Academic level was not a significant predictor in either model. Hosmer–Lemeshow goodness-of-fit: Model 1 ${\chi }^2\left(8\right)=24.87$, $p=0.002$; Model 2 ${\chi }^2\left(8\right)=16.86$, $p=0.032$. Figure 8 presents a combined forest plot that compares logistic regression Model 1 and Model 2 to predict the suspected email spoofing experience. Points represent odds ratios, horizontal bars represent 95% confidence intervals, and the vertical reference line at OR = 1 indicates no effect.

The results indicate that students who were more aware of spoofing, older, and male were more confident in identifying email spoofing and were more likely to have encountered suspicious emails. In Model 2, perceived threat level also became a significant predictor, whereas academic level remained nonsignificant in both models.

Extended Logistic Regression: Factors Associated with Email Spoofing Experience

The extended logistic model (16 predictors, $n=1412$) was statistically significant (${\chi }^2\left(16\right)=171.40$, $p<0.001$), with Nagelkerke $R^2=0.154$, representing an increase of 0.009 over the six-predictor model (Nagelkerke $R^2=0.145$). Model calibration was acceptable (Hosmer–Lemeshow ${\chi }^2\left(8\right)=14.91$, $p=0.061$), and overall classification accuracy improved slightly to 65.0%. The detailed regression coefficients and odds ratios are presented in

Table 8. Logistic Regression: Predictors of Suspected Email Spoofing (DV: Yes vs. No/Maybe).

Predictor	B	SE	Wald	p	OR	95% CI
Constant	−2.126	0.458	21.51	<0.001	0.119	—
Core Predictors
Heard of spoofing (coded)	−0.314	0.083	14.41	<0.001	0.730	0.621–0.859
Perceived threat level (1–5)	0.224	0.047	22.81	<0.001	1.251	1.141–1.371
Gender (coded)	0.359	0.120	8.86	0.003	1.431	1.130–1.813
Age group (coded)	0.410	0.088	21.55	<0.001	1.507	1.268–1.793
Academic level (coded)	−0.012	0.091	0.02	0.898	0.988	0.827–1.181
Mean confidence score (1–5)	0.336	0.053	40.02	<0.001	1.400	1.261–1.554
Field of Study (ref = CS/IT)
Health Sciences	−0.049	0.164	0.09	0.764	0.952	0.690–1.313
Business/Finance	−0.129	0.167	0.60	0.440	0.879	0.634–1.219
Law	−0.154	0.291	0.28	0.597	0.857	0.485–1.516
Arts/Humanities	−0.088	0.231	0.14	0.704	0.916	0.582–1.441
Other fields	0.097	0.192	0.26	0.613	1.102	0.757–1.605
Region (ref = Riyadh)
Makkah	−0.146	0.200	0.53	0.466	0.864	0.584–1.280
Eastern Province	−0.149	0.159	0.88	0.347	0.862	0.631–1.176
Al Madinah	−0.322	0.231	1.94	0.164	0.725	0.460–1.140
Asir	−0.601	0.268	5.04	0.025	0.548	0.324–0.926
Other regions	−0.394	0.175	5.05	0.025	0.675	0.479–0.951

Note. ${\chi }^2\left(16\right)=171.40$, $p<0.001$; $-2LL=1752.26$; Cox & Snell $R^2=0.114$; Nagelkerke $R^2=0.154$; accuracy = 65.0%; Hosmer–Lemeshow ${\chi }^2\left(8\right)=14.91$, $p=0.061$. $\Delta$Nagelkerke $R^2=0.009$ relative to the parsimonious model. Reference categories: Computer Science/IT (field); Riyadh (region). $n=1412$. OR = odds ratio; CI = confidence interval. Both Asir and Other regions are significant at $p=0.025$ and should be interpreted cautiously given multiple comparisons.

.

All six core predictors remained significant and stable in direction. Among field-of-study dummy variables, none were statistically significant (all $p>0.44$), indicating that field of study does not independently predict suspected email spoofing after controlling for awareness and confidence.

Among region dummy variables, two reached significance: Asir (OR $=0.548$, 95% CI [0.324, 0.926], $p=0.025$) and Other regions (OR $=0.675$, 95% CI [0.479, 0.951], $p=0.025$), both indicating lower odds of reporting suspected email spoofing compared to Riyadh. Eastern Province was not significant ($p=0.347$). These regional effects should be interpreted cautiously, given the multiple comparisons conducted.

3.6.6. Scenario-Based Spoofing Identification

Section 7 of the survey assessed participants’ practical awareness using three scenarios. The scenario sub-sample ($n=856$) evaluated a simulated spoofed DHL email. Most respondents correctly identified the email as spoofed (68.6%), while 18.7% were uncertain and 12.7% classified it as legitimate. The most frequently identified red flag was that the sender’s email address was not an official DHL domain (62.5%), followed by the presence of a non-official link (54.4%). The mean confidence score in identifying different types of spoofing attacks (Email, Website, SMS, Caller ID spoofing) was positively associated with correct scenario identification (Pearson $r=0.18$, $p<0.001$; Spearman $\rho =0.18$, $p<0.001$). Furthermore, results from scenarios 2 and 3, which presented caller ID and SMS spoofing situations and required students to select the best action, demonstrate that many students adopt protective behaviors, as shown in

Table 9. Scenario-Based Spoofing Identification ($n=856$).

Item/Red Flag	n (%)	N
Scenario 1: Classification of simulated DHL email ($\mathit{n}=\mathbf{856}$)
Yes—this is spoofed	587 (68.6%)	856
Maybe	160 (18.7%)
No—looks legitimate	109 (12.7%)
Red Flags Identified (multi-select, $\mathit{n}=\mathbf{856}$)
Sender domain not official DHL	535 (62.5%)	856
Link not official DHL website	466 (54.4%)
Message creates urgency	321 (37.5%)
None—looks legitimate	137 (16.0%)

Scenario sub-sample based on survey skip logic. Red flag items are multi-select; percentages sum to more than 100%.

.

3.6.7. Prevention Behaviors and Information Sources

Section 8 of the survey collected students’ perspectives on the most effective defenses against four types of spoofing attacks and inquired about their sources of cybersecurity information. The objective was to assess students’ security behaviors and preparedness. Careful examination of the sender’s email address was the most frequently reported verification step (46.0%). For suspected spoofed calls, the predominant response was blocking the number (35.0%). In the case of suspected scam SMS, blocking the sender was the most common action (43.1%).

In addition, students were asked about the source of cybersecurity information and how often they receive Cybersecurity reminders. Social media was the leading source of cybersecurity information (41.3%), followed by educational institutions (24.8%). In the scenario sub-sample (n = 856), the most commonly reported frequencies of receiving cybersecurity reminders were never or on a monthly basis across all three source types: university, mobile provider, and email provider. Complete frequency distributions are presented in

Table 10. Students’ prevention behaviors and cybersecurity information sources..

Domain/Action	n (%)	N
Steps to Verify Email/Website Legitimacy (multi-select)
Check sender email address carefully	661 (46.0%)	1437
Avoid suspicious attachments	550 (38.3%)
Do not respond to requests for personal information	491 (34.2%)
Look for HTTPS/padlock icon	396 (27.6%)
Report suspicious communications	336 (23.4%)
Response to Suspected Spoofed Call (multi-select)
Block the number	503 (35.0%)	1437
Report to phone company/authorities	317 (22.1%)
Answer and hang up immediately	271 (18.9%)
Do not answer/let go to voicemail	255 (17.7%)
Response to Suspected Scam SMS (multi-select)
Block the sender’s number	619 (43.1%)	1437
Delete the message	398 (27.7%)
Report to mobile carrier	328 (22.8%)
Cybersecurity Information Sources (multi-select)
Social media	593 (41.3%)	1437
Educational institutions	356 (24.8%)
News/media outlets	305 (21.2%)
Friends/family	259 (18.0%)
Security blogs/websites	254 (17.7%)
Cybersecurity Reminder Frequency ($n=856$; two most frequent categories shown)
University—Never	303 (35.4%)	856
University—Monthly	295 (34.5%)
Mobile provider—Monthly	279 (32.6%)
Mobile provider—Never	278 (32.5%)
Email provider—Never	367 (42.9%)

Multi-select items: percentages sum to more than 100%; denominator $N=1437$. Reminder frequency items: $n=856$ (scenario sub-sample only).

.

3.6.8. Correlation Analysis

The correlation matrix (

Table 11. Pearson Correlation Matrix of Key Variables.

Variable	1	2	3	4	5	6	7
1. Perceived Threat	—	−0.01	−0.11 **	−0.05	−0.09 **	−0.06 *	0.04
2. Mean Confidence	−0.01	—	−0.19 **	−0.15 **	−0.15 **	−0.18 **	0.18 **
3. Email Experience	−0.11 **	−0.19 **	—	0.21 **	0.22 **	0.26 **	−0.22 **
4. Website Experience	−0.05	−0.15 **	0.21 **	—	0.17 **	0.30 **	−0.10 **
5. Caller ID Experience	−0.09 **	−0.15 **	0.22 **	0.17 **	—	0.24 **	−0.16 **
6. SMS Experience	−0.06 *	−0.18 **	0.26 **	0.30 **	0.24 **	—	−0.13 **
7. Scenario Correct	0.04	0.18 **	−0.22 **	−0.10 **	−0.16 **	−0.13 **	—

1 = Perceived Threat (1–5); 2 = Mean Confidence (1–5); 3 = Email Experience (coded); 4 = Website Experience (coded); 5 = Caller ID Experience (coded); 6 = SMS Experience (coded); 7 = Scenario Correct (binary; $n=856$). * $p<0.05$; ** $p<0.01$ (two-tailed). Coding: experience variables coded 1 = Yes, 2 = No, 3 = Maybe (higher = less experience); negative correlations with confidence indicate lower confidence associated with more experience.

) reveals several significant relationships among perceived threat level, mean confidence in identifying spoofing attacks, personal experience with different spoofing attack types, and performance in the scenario-based spoofing identification section. Pearson correlations were used, and Spearman correlations showed the same pattern and significance as shown in Figure 9.

Confidence and Spoofing Experience

Mean confidence score was negatively associated with all four spoofing experience variables, including email spoofing ($r=-0.19$), website spoofing ($r=-0.15$), caller ID spoofing ($r=-0.15$), and SMS spoofing ($r=-0.18$), all statistically significant at $p<0.001$. The negative correlations indicate that respondents who had experienced different spoofing attacks tended to be more confident in their ability to identify spoofing attacks.

Confidence and Scenario-Based Detection

The analysis shows that the mean confidence score was positively correlated with correct scenario identification ($r=0.18$, $p<0.001$). Although the association is relatively weak, it suggests that students who reported greater confidence were somewhat more likely to correctly identify the spoofed message in the scenario section.

Perceived Threat and Other Variables

Very weak correlations were observed between perceived threat level and most variables. The results show weak negative correlation with email spoofing experience ($r=-0.11$, $p<0.01$), caller ID spoofing experience ($r=-0.09$, $p<0.01$), and SMS spoofing experience ($r=-0.06$, $p<0.05$). Additionally, the correlation between perceived threat and mean confidence was not statistically significant ($r=-0.01$). These results suggest a weak relationship between perceived threat level and the two variables: confidence and spoofing experience.

Relationships Among Spoofing Experiences

The experience variables show positive correlations with one another. For example, Email spoofing experience is correlated with website spoofing experience ($r=0.21$), caller ID spoofing experience ($r=0.22$), and SMS spoofing experience ($r=0.26$). As another example, Website spoofing experience is correlated with SMS spoofing experience ($r=0.30$). Although the level of correlation is small to moderate, it indicates that students who reported experiencing one type of spoofing were more likely to report experiencing other types as well.

Scenario Identification and Spoofing Experience

The analysis results show a moderate negative correlation between correct identification of the spoofing scenario and spoofing experience variables, including email experience ($r=-0.22$), caller ID experience ($r=-0.16$), and SMS experience ($r=-0.13$). This suggests that respondents with more spoofing experience were more likely to correctly identify the spoofed scenario.

Overall, the correlation analysis suggests that experience with spoofing attacks is associated with slightly higher confidence and somewhat better performance in identifying spoofing scenarios. However, the relatively small correlation coefficients indicate that these relationships are modest, and other factors may also influence individuals’ confidence and detection ability.

3.6.9. Confidence by Academic Level

A one-way ANOVA found no significant difference in mean confidence score across academic levels ($F(4,1407)=0.13$, $p=0.971$). All pairwise post hoc comparisons (Tukey HSD and Games–Howell) were non-significant. Descriptive statistics and ANOVA results are presented in

Table 12. One-Way ANOVA: Mean Confidence Score by Academic Level ($n=1412$).

Academic Level	N	Mean	SD	Min	Max	ANOVA
						F	p
High School	76	3.31	1.22	1.00	5.00	$F(4,1407)=0.13$	0.971
Diploma	8	3.50	0.63	2.75	4.50
Undergraduate	1117	3.39	1.12	1.00	5.00
Graduate (Master’s)	191	3.40	1.15	1.00	5.00
PhD	20	3.45	1.36	1.00	5.00
Total	1412	3.39	1.13	1.00	5.00

Levene’s test of homogeneity of variances: $F(4,1407)=1.88$, $p=0.112$. ANOVA F-statistic and p are reported in merged cells to the right for each level row. No pairwise post hoc differences were significant (Tukey HSD and Games–Howell).

.

4. Discussion

Although prior studies have investigated students’ awareness of spoofing-related threats within broader cybersecurity awareness, phishing, and social engineering contexts, limited research has comprehensively examined multiple spoofing attack types within a unified analytical framework among university students in Saudi Arabia. Analysis of data collected from 1437 students provides information on the current level of awareness of spoofing attacks and the factors that influence students’ ability to recognize spoofing attempts. Although the results reveal a high level of awareness of spoofing attacks, they highlight important gaps between perceived confidence and actual detection ability, as well as variations between demographic groups and communication contexts. This section summarizes and discusses the answers to the research questions.

4.1. Awareness of Spoofing Attacks Among University Students

The first research question addressed the overall level of awareness regarding spoofing attacks. Findings demonstrate that awareness among respondents is relatively high. Specifically, 74.8% of participants indicated familiarity with spoofing attacks, while 12.9% reported no prior awareness and 12.2% were uncertain. Furthermore, 53.5% of respondents perceived spoofing attacks as a very significant threat to online security, and an additional 20.4% considered them moderately significant. The mean perceived threat level was 4.07 on a five-point scale, indicating that most respondents acknowledge the seriousness of spoofing attacks.

These findings suggest that spoofing awareness is relatively widespread among students in Saudi Arabia. The high prevalence of smartphone use (91.6%) and frequent reliance on digital communication channels, such as email and SMS, may contribute to this awareness. Exposure to security notifications, authentication codes, and online services received through SMS and emails likely increases familiarity with the types of attacks associated with these communication channels. Additionally, the relatively high awareness observed in this study may also reflect the increasing integration of digital communication technologies into students’ academic and personal activities. Similar observations were reported in prior cybersecurity awareness studies conducted in educational environments, where frequent exposure to online services and communication platforms contributed to greater familiarity with cyber threats and phishing-related attacks [4,29].

However, awareness is not uniformly distributed across the population. Chi-square analysis in Section Factors Associated with Spoofing Awareness demonstrated significant associations between spoofing awareness and both gender and age group. Males reported higher awareness (80.3%) compared with females (71.7%), although the effect size was small. Awareness also increased with age, rising from 70.4% among individuals aged 18–24 to 88.2% among respondents aged 45–54. These patterns may reflect cumulative digital experience and exposure to cyber risks over time. These findings are consistent with previous research suggesting that cybersecurity awareness is influenced not only by technical knowledge but also by behavioral and experiential factors such as prior exposure to online systems, security incidents, and digital communication practices [27,33].

4.2. Differences Between Self-Reported Confidence and Detection Ability

The second research question examined whether students’ self-reported confidence correlates with their ability to recognize spoofed attempts in simulated scenarios. Overall, respondents reported moderate confidence in identifying spoofing attacks, with a mean confidence score of 3.38 on a five-point scale. Confidence varied slightly across spoofing types, with respondents reporting the highest confidence in caller ID spoofing (mean = 3.55) and SMS spoofing (mean = 3.49), whereas confidence was lower in email spoofing (3.27) and website spoofing (3.22). Additionally, the Mean confidence score in identifying spoofing attacks indicates that students have lower confidence in detecting website and email spoofing than in Caller ID and SMS spoofing, although the level of familiarity with the four attacks is moderate. This is supported by other researchers, such as [2], whose results indicate a lack of awareness of email and website spoofing.

Despite these moderate confidence levels, scenario-based evaluation revealed that only 68.6% of respondents correctly identified a simulated spoofed email message, while 18.7% were uncertain and 12.7% incorrectly believed the message was legitimate. This discrepancy highlights an important gap between perceived ability and actual detection performance. Although most students expressed confidence in identifying spoofing attacks, a considerable portion failed to recognize a realistic spoofed email.

Nevertheless, a small but statistically significant positive relationship was observed between confidence and correct scenario identification ($r=0.18$, $p<0.001$). This indicates that individuals with higher self-reported confidence were somewhat more likely to correctly detect the spoofed email. However, the strength of this relationship was relatively weak, suggesting that confidence alone is not a reliable indicator of actual detection capability.

These findings indicate that some students may overestimate their ability to identify spoofing attacks due to general familiarity with cybersecurity concepts, while still failing to recognize key spoofing indicators in realistic scenarios. The observed gap between perceived confidence and actual detection ability likely reflects a distinction between theoretical knowledge and practical detection skills. These results support concerns raised in previous cybersecurity research regarding overconfidence in threat detection [15]. Individuals may believe they can identify malicious messages but often miss critical cues in realistic attack scenarios. Although respondents reported moderate confidence, the scenario-based evaluation demonstrates that identifying spoofing attacks in practice remains challenging for a significant proportion of students.

These results indicate that incorporating hands-on, simulation-based cybersecurity training into educational curricula is essential. Programs that emphasize only theoretical knowledge may not adequately prepare students to detect threats in practical scenarios. Realistic spoofing and phishing simulations provide students with experience in recognizing common social engineering tactics, including urgency, impersonation, and misleading messages.

4.3. Influence of Demographic Factors on Awareness and Detection

The third research question investigated whether demographic variables influence awareness and the ability to detect spoofing. Gender was a significant predictor of both awareness and confidence in identifying spoofing attacks. The regression analysis results in Section Factors Associated with Confidence in Identifying Spoofing Attacks show that males reported significantly higher mean confidence scores than females. This finding is consistent with other studies such as [27,33], which demonstrate that participants’ gender differs statistically. Another indicator of significant association with awareness is age group. Older students demonstrate higher levels of awareness, which may be attributed to greater cumulative exposure to online services and potential security incidents [27]. This finding differs from those of related studies that do not indicate any significant differences in awareness of information security among different age groups [29,31].

On the other hand, academic level did not significantly influence awareness or confidence levels. The extended analyses in Sections Extended Linear Regression: Factors Associated with Confidence in Identifying Spoofing Attacks and Extended Logistic Regression: Factors Associated with Email Spoofing Experience indicate that the inclusion of field of study and region contributes only marginally to model performance, accounting for an additional 2.5% of variance in the linear model and a negligible 0.9% increase in the logistic model. Although a small number of effects reached statistical significance—specifically, Health Sciences and Business/Finance for confidence, and Asir and Other regions for suspected email spoofing—these effects appear to be contextually constrained.

The observed field-of-study differences in confidence likely reflect discipline-specific exposure to cybersecurity concepts rather than independent effects of academic background. Similarly, regional differences may capture unmeasured sociodemographic or contextual factors, rather than indicating a direct influence of geographic location. Importantly, these additional predictors do not alter the substantive conclusions of the models.

Accordingly, the extended models support the robustness of the core predictors identified in the parsimonious models. Field of study and region are therefore best interpreted as exploratory variables, warranting further investigation using theoretically grounded measures of disciplinary exposure and regional context in future research.

Overall, these findings suggest that demographic variables explain only a small proportion of variance in spoofing awareness and detection performance. Instead, behavioral and experiential factors may play a more substantial role.

4.4. Impact of Prior Cybersecurity Knowledge and Training

The fourth research question explored the extent to which prior cybersecurity knowledge influences spoofing awareness. Individuals who had previously heard of spoofing attacks reported significantly higher confidence scores compared with those who had not. The Kruskal–Wallis test confirmed a significant difference in mean confidence scores across awareness groups ($H\left(2\right)=51.10$, $p<0.001$).

In addition, logistic regression analysis in Section Factors Associated with Email Spoofing Experience demonstrated that awareness was a significant predictor of suspected email spoofing experience. Respondents who were aware of spoofing were more likely to report having recognized or encountered suspicious emails. This relationship may reflect heightened vigilance among individuals familiar with spoofing techniques. This finding supports prior research indicating that previous exposure to cybersecurity concepts and phishing awareness training may improve users’ ability to recognize suspicious communications and increase attentiveness toward potential social engineering attacks [2,5].

Despite this association, cybersecurity education appears to remain limited in scope. Social media was reported as the most common source of cybersecurity information (41.3%), followed by educational institutions (24.8%) and news media (21.2%). In addition, participants most frequently reported that cybersecurity reminders from the university, the mobile provider, and the email provider were received monthly or never. These findings suggest that formal cybersecurity training may not yet be widely available for students. Educational organizations may consider utilizing social media to increase awareness through prepared programs as suggested in [4]. Increasing structured cybersecurity education within universities could therefore play an important role in improving both awareness and detection capability.

4.5. Identification of Spoofing Red Flags

The fifth research question examined which malicious cues respondents were most likely to recognize in spoofing attacks. In the simulated spoofed email scenario, the most frequently identified warning signs were the unusual sender email address (62.5%) and the suspicious link URL (54.4%). These cues are considered the most common indicators of phishing attacks and are commonly emphasized in related studies [2,5]. However, fewer students recognized other important indicators, such as urgent or threatening language. Only 37.5% identified the message’s urgency or threatening language as suspicious red flags, and 16% failed to identify any warning signs. These results suggest that while students may detect abnormal technical signs, such as domain mismatches, they may be more vulnerable to social engineering strategies, including urgency or pressure. This observation aligns with social engineering literature emphasizing that attackers often rely on psychological manipulation techniques, including urgency, authority, and fear, to bypass users’ rational evaluation processes [19,29].

These findings highlight the importance of developing a training program for students not only to recognize technical indicators but also to understand social engineering tactics commonly used in phishing and spoofing attacks. These findings support previous studies that identify human factors as a key source of many cyberattacks [29]. Likewise, the authors of [19] state that theoretical knowledge alone is insufficient for users to avoid phishing attacks and insist on the urgent need for practical training, even among users with a technical background. Similarly, the authors of [23] suggest improving the delivery methods for cybersecurity awareness and training programs by considering video-based, text-based, or game-based approaches.

5. Implications

Overall, the findings suggest that spoofing awareness among university students in Saudi Arabia is relatively high, but practical detection ability needs to be improved. Many respondents demonstrate moderate confidence in identifying the four spoofing attacks, yet scenario-based questions reveal that a notable proportion misclassified or were uncertain. Consequently, educational initiatives need to focus on bridging the gap between theoretical awareness and practical detection skills. Universities could integrate cybersecurity awareness modules into general education programs, emphasizing both technical indicators and social engineering strategies used in spoofing attacks.

Also, the results show significant differences in overall spoofing awareness across gender and age groups. Therefore, universities need to design training programs that account for these demographic differences, as each category may have distinct needs and requirements.

Additionally, given that many students rely on informal sources for cybersecurity information (e.g., social networks), public awareness campaigns on social networks and institutional training programs may play an important role in raising awareness of spoofing attacks.

6. Study Limitations

The findings of this study offer valuable insights for developing a spoofing-attack awareness program for students in Saudi Arabia; however, several limitations should be acknowledged. The data sample was drawn exclusively from students at Saudi Electronic University, an institution with 17 branches nationwide that employs a blended learning model combining online and face-to-face instruction. Although this approach facilitated data collection from diverse regions, the participants may not accurately represent the broader population of Saudi students, as their exposure to digital technologies may be higher due to the university’s instructional model.

Although the survey invitation was distributed across the entire institution, the precise number of students who received or viewed the invitation could not be determined; as a result, a formal response rate was not calculated. Furthermore, the voluntary nature of participation introduces the possibility of self-selection bias, as students with a stronger interest in or familiarity with cybersecurity topics may have been more inclined to participate.

The study also relied on self-reported measures for variables such as awareness, confidence in identifying spoofing attacks, and previous spoofing experiences. Consequently, participants’ responses may not fully reflect their actual behaviors or real-world detection capabilities.

Furthermore, the study used a limited number of practical spoofing scenarios in the scenario-based evaluation section, which may affect the robustness of the findings regarding spoofing detection. Although the scenarios were designed to resemble realistic communication patterns, future research should incorporate multiple simulated attack cases with varying levels of complexity and different spoofing techniques to provide a more comprehensive assessment of detection performance.

Future research should examine diverse student populations across multiple universities. Increasing the sample size is necessary to enhance statistical power. Social media platforms may be effective channels for delivering cybersecurity reminders to students, given their greater frequency of use compared to other communication channels. Moreover, cybersecurity awareness training should be enhanced by developing structured, multimedia-based programs.

7. Conclusions

As the education system in Saudi Arabia is undergoing a major digital transformation driven by Vision 2030, examining the current levels of spoofing attack awareness is crucial. Literature analysis reveals that there is a lack of studies that focus on exploring university students’ awareness of spoofing attacks in Saudi Arabia. Thus, the objective of this study was to explore the awareness, perception, confidence, and behavioral responses of Saudi Electronic University students regarding spoofing attacks using a questionnaire-based research approach. The statistical analysis of responses from 1437 participants indicates that overall awareness of spoofing attacks among students is relatively high. About half of the students rated spoofing attacks as a very significant threat, and their familiarity with and confidence in detecting four spoofing attacks were moderate.

However, the findings indicate a gap between expressed confidence in detecting spoofing attacks and the actual ability to detect real spoofed email. This highlights the importance of strengthening students’ practical detection skills in addition to improving their awareness. Additionally, the results show that awareness and confidence vary by gender and age group. This suggests that exposure to technology and cybersecurity knowledge over time may influence students’ perceptions and abilities to identify spoofing attacks. Another key finding is that many students reported that social media is the primary source of cybersecurity information, indicating that the delivery methods for cybersecurity awareness and training programs need improvement.

Furthermore, the findings reveal that students tend to focus on visible technical anomalies while overlooking psychological manipulation strategies embedded in spoofing attacks, which indicates that practical awareness training and programs are needed. Finally, this study provides valuable empirical insight into the awareness of spoofing attacks in Saudi Arabia and offers a foundation for future research exploring cybersecurity awareness and education strategies.