Search Results (61)

Email spam and phishing detection is typically evaluated using accuracy-centric metrics under implicitly unconstrained computational settings. However, in practical deployment scenarios—particularly in real-time and resource-constrained environments—models with comparable predictive performance may differ substantially in inference latency and resource usage, directly affecting their operational feasibility. This paper introduces TERA, a deployment-aware evaluation framework that formulates model assessment as a constraint-aware decision problem. Instead of aggregating performance and efficiency into a single objective, TERA treats predictive performance as a feasibility requirement that defines an admissible set of models. Within this feasible region, operational factors such as latency and resource usage are used to differentiate among candidates through structured, multi-dimensional analysis. Experiments on benchmark email datasets show that multiple models achieve comparable detection performance, forming a region of predictive equivalence. Within this region, significant variations in latency and resource consumption are observed, indicating that predictive equivalence does not imply deployment equivalence. These findings demonstrate that accuracy-based evaluation alone may provide limited guidance for deployment-oriented model selection. By explicitly separating feasibility constraints from preference-based trade-offs, TERA enables transparent and deployment-aligned model evaluation. The framework supports consistent comparison and selection among accuracy-comparable models without altering the role of detection effectiveness as a primary requirement, thereby complementing existing evaluation practices with a structured decision-oriented perspective. Full article

Phishing remains a persistent cybersecurity threat, exploiting social engineering to bypass traditional defenses. We developed a phishing detection system that integrates baseline supervised learning with Reinforcement Learning through human feedback (RLHF) to improve adaptability against evolving attack strategies. Implemented using the Huawei MindRLHF framework and deployed on Raspberry Pi hardware, the system was evaluated using a dataset of 135,325 email samples consisting of both phishing and legitimate messages. The baseline supervised model achieved 94.3% accuracy, while the RLHF-enhanced model, through 74 iterations, achieved improved adaptability, reaching a 96.8% accuracy with balanced precision and recall. A multi-component reward function was designed to incorporate correct classification, human agreement, confidence matching, and consistency, enabling the model to refine its decision boundaries beyond automated optimization. Real-time monitoring and feedback were facilitated through a hardware-integrated LCD interface. The results confirm enhanced detection accuracy and reduced error rates, demonstrating its viability for deployment. The findings highlight the potential of human-centered RLHF the resilience and scalability of phishing mitigation systems against emerging cyber threats. Full article

Spam messages are unwanted, irrelevant, or potentially harmful messages sent in bulk to large numbers of recipients via email, SMS, or social media. These messages pose a threat of spam to individual users and commercial companies. They threaten digital communication platforms by enabling phishing, malware distribution, service disruption, and unsolicited advertisements. Several mechanisms have been used in the literature to detect spam over digital communication systems. This includes rule-based filtering, Bayesian filtering, heuristic analysis, and machine learning (ML) techniques. Traditional rule-based and heuristic analyses were insufficient to cope with evolving attack patterns. Meanwhile, ML models can present modern, dynamic, appropriate, and efficient solutions in this manner. This study aims to evaluate and compare several basic ML models for spam detection, considering popular benchmark datasets on several communication platforms as a comprehensive comparative study. The experimental results demonstrate that the tested models achieve good accuracy, precision, recall, and F1-score on each investigated benchmark dataset. However, the performance of all models has decreased drastically when the trained models are tested on an unseen dataset. Recommendations for future required enhancements to handle this reduction in the performance of ML techniques for unseen datasets are provided. Finally, extra experimental tests have shown the positive impact of applying some of these recommendations. Full article

Phishing remains one of the most pervasive social engineering threats, exploiting human vulnerabilities and continuously evolving to bypass static detection mechanisms. Existing machine learning models achieve high accuracy but often act as opaque systems that lack robustness to evolving tactics and explainability, limiting trust and real-world deployment. In this research, we propose a dynamic Explainable AI (XAI) approach for phishing detection that integrates temporally aware feature extraction with dual interpretability through LIME and SHAP applied to the resulting window-level features. The novelty of this research lies in a temporally dynamic feature framework that simulates a plausible email reading progression using a heuristic temporal model and employs a sliding window aggregation method to capture behavioural and temporal patterns within email content. Using an aggregated dataset of 82,500 phishing and legitimate emails, dynamic features were extracted and used to train four classifiers: Random Forest, XGBoost, Multi-Layer Perceptron, and Logistic Regression. Ensemble models demonstrated strong performance with XGBoost achieving 94% accuracy and Random Forest 93%. This research addresses an important gap by combining dynamically constructed temporal features with transparent explanations, achieving high detection performance while preserving interpretability. These findings demonstrate that dynamic temporal modelling with explainable learning can enhance the trustworthiness and practicality of phishing detection systems, highlighting that temporally structured features and explainable learning can enhance the trustworthiness and practical deployability of phishing detection systems without incurring excessive computational overhead. Full article

One of the most harmful and deceptive forms of cybercrime is phishing, which targets users with malicious emails and websites. In this paper, we focus on the use of natural language processing (NLP) techniques and transformer models for phishing email detection. The Nazario Phishing Corpus is preprocessed and blended with real emails from the Enron dataset to create a robustly balanced dataset. Urgency, deceptive phrasing, and structural anomalies were some of the neglected features and sociolinguistic traits of the text, which underwent tokenization, lemmatization, and noise filtration. We fine-tuned two transformer models, Bidirectional Encoder Representations from Transformers (BERT) and the Robustly Optimized BERT Pretraining Approach (RoBERTa), for binary classification. The models were evaluated on the standard metrics of accuracy, precision, recall, and F1-score. Given the context of phishing, emphasis was placed on recall to reduce the number of phishing attacks that went unnoticed. The results show that RoBERTa has more general performance and fewer false negatives than BERT and is therefore a better candidate for deployment on security-critical tasks. Full article

Phishing and spam emails continue to pose a serious cybersecurity threat, leading to financial loss, information leakage, and reputational damage. Traditional email filtering approaches struggle to keep pace with increasingly sophisticated attack strategies, particularly those involving malicious content and deceptive attachments. This study proposes a dual-layer deep learning architecture designed to enhance email security by improving the detection of phishing and spam messages. The first layer employs deep learning models, including LSTM- and transformer-based classifiers, to analyze email content and structural features across legitimate, phishing, and spam emails. The second layer focuses on spam emails containing attachments and applies advanced transformer models, such as GPT-2 and XLM-RoBERTa, to assess contextual and semantic patterns associated with malicious attachments. By integrating textual analysis with attachment-level inspection, the proposed architecture overcomes limitations of single-layer approaches that rely solely on email body content. Experimental evaluation using accuracy and F1-score demonstrates that the dual-layer framework achieves a minimum F1-score of 98.75 percent in spam–ham classification and attains an attachment detection accuracy of up to 99.46 percent. These results indicate that the proposed approach offers a reliable and scalable solution for enhancing real-world email security systems. Full article

Phishing emails continue to evade conventional detection systems due to their increasingly sophisticated, multi-faceted social engineering tactics. To address the limitations of single-modality or rule-based approaches, we propose SAHF-PD, a novel phishing detection framework that integrates multi-modal feature extraction with semantic-aware hierarchical fusion, based on large language models (LLMs). Our method leverages modality-specialized large models, each guided by domain-specific prompts and constrained to a standardized output schema, to extract structured feature representations from four complementary sources associated with each phishing email: email body text; open-source intelligence (OSINT) derived from the key embedded URL; screenshot of the landing page; and the corresponding HTML/JavaScript source code. This design mitigates the unstructured and stochastic nature of raw generative outputs, yielding consistent, interpretable, and machine-readable features. These features are then integrated through our Semantic-Aware Hierarchical Fusion (SAHF) mechanism, which organizes them into core, auxiliary, and weakly associated layers according to their semantic relevance to phishing intent. This layered architecture enables dynamic weighting and redundancy reduction based on semantic relevance, which in turn highlights the most discriminative signals across modalities and enhances model interpretability. We also introduce PhishMMF, a publicly released multimodal feature dataset for phishing detection, comprising 11,672 human-verified samples with meticulously extracted structured features from all four modalities. Experiments with eight diverse classifiers demonstrate that the SAHF-PD framework enables exceptional performance. For instance, XGBoost equipped with SAHF attains an AUC of 0.99927 and an F1-score of 0.98728, outperforming the same model using the original feature representation. Moreover, SAHF compresses the original 228-dimensional feature space into a compact 56-dimensional representation (a 75.4% reduction), reducing the average training time across all eight classifiers by 43.7% while maintaining comparable detection accuracy. Ablation studies confirm the unique contribution of each modality. Our work establishes a transparent, efficient, and high-performance foundation for next-generation anti-phishing systems. Full article

With the rapid advancements in technology, there has been a noticeable increase in phishing attacks that exploit users by impersonating trusted entities. The primary attack vectors include fraudulent websites and carefully crafted emails. Early detection of such threats enables the more effective blocking of malicious sites and timely user warnings. One of the key elements in phishing detection is identifying the entity being impersonated. In this article, we conduct a comparative analysis of methods for detecting phishing websites that rely on website screenshots and recognizing their impersonation targets. The two main research objectives include binary phishing detection to identify malicious intent and multiclass classification of impersonated targets to enable specific incident response and brand protection. Three approaches are compared: two state-of-the-art methods, Phishpedia and VisualPhishNet, and a third, proposed in this work, which uses perceptual hash similarity as a baseline. To ensure consistent evaluation conditions, a dedicated framework was developed for the study and shared with the community via GitHub. The obtained results indicate that Phishpedia and the Baseline method were the most effective in terms of detection performance, outperforming VisualPhishNet. Specifically, the proposed Baseline method achieved an F1 score of 0.95 on the Phishpedia dataset for binary classification, while Phishpedia maintained a high Identification Rate (>0.9) across all tested datasets. In contrast, VisualPhishNet struggled with dataset variability, achieving an F1 score of only 0.17 on the same benchmark. Moreover, as our proposed Baseline method demonstrated superior stability and binary classification performance, it should be considered as a robust candidate for preliminary filtering in hybrid systems. Full article

Small- and Medium-sized Enterprises (SMEs) play a crucial role in the global economy, accounting for approximately two-thirds of global employment and contributing significantly to the GDP of developed countries. Despite the availability of various cybersecurity standards and frameworks, SMEs remain highly vulnerable to cyber threats. Limited resources and a lack of expertise in cybersecurity make them frequent targets for cyberattacks. It is essential to identify the challenges faced by SMEs and explore effective defensive strategies to enhance the implementation of cybersecurity measures. The study aims to bridge the gap and help these organizations in implementing cost-effective and practical cybersecurity approaches through a systematic mapping study (SMS) conducted, where 73 articles were thoroughly reviewed. This research will shed light on the current cybersecurity approaches (practices) posture for different SMEs, along with the threats they are facing, which have stopped them from deciding, planning, and implementing cybersecurity measures. The study identified a wide range of cybersecurity threats, including phishing, social engineering, insider threats, ransomware, malware, denial of services attacks, and weak password practices, which are the most prevalent for SMEs. This study identified defensive practices, such as cybersecurity awareness and training, endpoint protection tools, incident response planning, network segmentation, access control, multi-factor authentication (MFA), access controls, privilege management, email authentication and encryption, enforcing strong password policies, cloud security, secure backup solutions, supply chain visibility, and automated patch management tools, as key measures. The study provides valuable insights into the specific gaps and challenges faced by SMEs, as well as their preferred methods of seeking and consuming cybersecurity assistance. The findings can guide the development of targeted defensive practices and policies to enhance the cybersecurity posture of SMEs for successful software development. This SMS will also provide a foundation for future research and practical guidelines for SMEs to improve the process of secure software development. Full article

AI-generated phishing emails present a growing cybersecurity threat, exploiting human psychology with high-quality, context-aware language. This paper introduces a novel two-stage detection framework that combines deep learning with psychological analysis to address this challenge. A new dataset containing 2995 GPT-o1-generated phishing emails, each labelled with Cialdini’s six persuasion principles, is created across five organisational sectors—forming one of the largest and most behaviourally annotated corpora in the field. The first stage employs a fine-tuned DistilBERT model to predict the presence of persuasion principles in each email. These confidence scores then feed into a lightweight dense neural network at the second stage for final binary classification. This interpretable design balances performance with insight into attacker strategies. The full system achieves 94% accuracy and 98% AUC, outperforming comparable methods while offering a clearer explanation of model decisions. Analysis shows that principles like authority, scarcity, and social proof are highly indicative of phishing, while reciprocation and likeability occur more often in legitimate emails. This research contributes an interpretable, psychology-informed framework for phishing detection, alongside a unique dataset for future study. Results demonstrate the value of behavioural cues in identifying sophisticated phishing attacks and suggest broader applications in detecting malicious AI-generated content. Full article

One-Time Passwords (OTPs) are a core component of multi-factor authentication in banking, e-commerce, and digital platforms. However, conventional delivery channels such as SMS and email are increasingly vulnerable to SIM-swap fraud, phishing, spoofing, and session hijacking. This study proposes an end-to-end mobile authentication architecture that integrates a permissioned Hyperledger Fabric blockchain for tamper-evident identity management, an AI-driven risk engine for behavioral and SIM-swap anomaly detection, Zero-Knowledge Proofs (ZKPs) for privacy-preserving verification, and geolocation-bound OTP validation for contextual assurance. Hyperledger Fabric is selected for its permissioned governance, configurable endorsement policies, and deterministic chaincode execution, which together support regulatory compliance and high throughput without the overhead of cryptocurrency. The system is implemented as a set of modular microservices that combine encrypted off-chain storage with on-chain hash references and smart-contract–enforced policies for geofencing and privacy protection. Experimental results show sub-0.5 s total verification latency (including ZKP overhead), approximately 850 transactions per second throughput under an OR-endorsement policy, and an F1-score of 0.88 for SIM-swap detection. Collectively, these findings demonstrate a scalable, privacy-centric, and interoperable solution that strengthens OTP-based authentication while preserving user confidentiality, operational transparency, and regulatory compliance across mobile network operators. Full article

Phishing emails present a significant and persistent cybersecurity threat to individuals and organizations globally due to the difficulty in detecting these malicious messages. Large Language Models (LLMs) have inadvertently intensified this challenge by facilitating the automated creation of high-quality, covert phishing emails that can evade traditional rule-based detection systems. In this study, we examine the offensive capabilities of LLMs in generating phishing emails and introduce Phish-Master, a novel algorithm that integrates Chain-of-Thought (COT) reasoning, MetaPrompt techniques, and domain-specific insights to produce phishing emails designed to bypass enterprise-level filters. Our experiment, involving 100 malicious emails, validates Phish-Master’s real-world effectiveness, achieving a 99% evasion rate within authentic campus networks, successfully bypassing filters and targeting recipients, a testament to its capability in navigating complex network environments. To counteract the threat posed by Phish-Master and similar LLM-generated phishing emails, we have developed a multi-machine learning model integration framework trained on Kaggle’s phishing email dataset. This framework achieved an impressive detection rate of 99.87% on a rigorous test set of LLM-generated phishing emails, highlighting the critical role of our specialized dataset in enabling the detection tool to effectively recognize sophisticated patterns in LLM-crafted phishing emails. This study highlights the evolving threat of LLM-generated phishing emails and introduces an effective detection algorithm to mitigate this risk, emphasizing the importance of continued research in this domain. Full article

Email continues to serve as a primary vector for cyber-attacks, with phishing, spoofing, and polymorphic malware evolving rapidly to evade traditional defences. Conventional email security systems, often reliant on static, signature-based detection struggle to identify zero-day exploits and protect user privacy in increasingly data-driven environments. This paper introduces TwinGuard, a privacy-preserving framework that leverages digital twin technology to enable adaptive, personalised email threat detection. TwinGuard constructs dynamic behavioural models tailored to individual email ecosystems, facilitating proactive threat simulation and anomaly detection without accessing raw message content. The system integrates a BERT–LSTM hybrid for semantic and temporal profiling, alongside federated learning, secure multi-party computation (SMPC), and differential privacy to enable collaborative intelligence while preserving confidentiality. Empirical evaluations were conducted using both synthetic AI-generated email datasets and real-world datasets sourced from Hugging Face and Kaggle. TwinGuard achieved 98% accuracy, 97% precision, and a false positive rate of 3%, outperforming conventional detection methods. The framework offers a scalable, regulation-compliant solution that balances security efficacy with strong privacy protection in modern email ecosystems. Full article

Training users to correctly identify potential security threats like social engineering attacks such as phishing emails is a crucial aspect of cybersecurity. One challenge in this training is providing useful educational feedback to maximize student learning outcomes. Large Language Models (LLMs) have recently been applied to wider and wider applications, including domain-specific education and training. These applications of LLMs have many benefits, such as cost and ease of access, but there are important potential biases and constraints within LLMs. These may make LLMs worse teachers for important and vulnerable subpopulations including the elderly and those with less technical knowledge. In this work we present a dataset of LLM embeddings of conversations between human students and LLM teachers in an anti-phishing setting. We apply these embeddings onto an analysis of human–LLM educational conversations to develop specific and actionable targets for LLM training, fine-tuning, and evaluation that can potentially improve the educational quality of LLM teachers and ameliorate potential biases that may disproportionally impact specific subpopulations. Specifically, we suggest that LLM teaching platforms either speak generally or mention specific quotations of emails depending on user demographics and behaviors, and to steer conversations away from an over focus on the current example. Full article

Phishing emails remain a significant concern and a growing cybersecurity threat in online communication. They often bypass traditional filters due to their increasing sophistication. This study presents a comparative evaluation of machine learning (ML) models and transformer-based large language models (LLMs) for phishing email detection, with embedded URL analysis. This study assessed ML training and LLM fine-tuning on both balanced and imbalanced datasets. We evaluated multiple ML models, including Random Forest, Logistic Regression, Support Vector Machine, Naïve Bayes, Gradient Boosting, Decision Tree, and K-Nearest Neighbors, alongside transformer-based LLMs DistilBERT, ALBERT, BERT-Tiny, ELECTRA, MiniLM, and RoBERTa. To further enhance realism, phishing emails generated by LLMs were included in the evaluation. Across all configurations, both the ML models and the fine-tuned LLMs demonstrated robust performance. Random Forest achieved over 98% accuracy in both email detection and URL classification. DistilBERT obtained almost as high scores on emails and URLs. Balancing the dataset led to slight accuracy gains in ML models but minor decreases in LLMs, likely due to their sensitivity to majority class reductions during training. Overall, LLMs are highly effective at capturing complex language patterns, while traditional ML models remain efficient and require low computational resources. Combining both approaches through a hybrid or ensemble method could enhance phishing detection effectiveness. Full article