“I didn’t click”: What users say when reporting phishing

Nikolas Pilavakis, Adam Jenkins, Nadin Kokciyan, Kami E Vaniea

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract / Description of output

When people identify potential malicious phishing emails one option they have is to contact a help desk to report it and receive guidance. While there is a great deal of effort put into helping people identify such emails and to encourage users to report them, there is relatively little understanding of what people say or ask when contacting a help desk about such emails. In this work, we qualitatively analyze a random sample of 270 help desk phishing tickets collected across nine months. We find that when reporting or asking about phishing emails, users often discuss evidence they have observed or gathered, potential impacts they have identified, actions they have or have not taken, and questions they have. Some users also provide clear arguments both about why the email really is phishing and why the organization needs to take action about it.
Original languageEnglish
Title of host publicationProceedings 2023 Symposium on Usable Security and Privacy (USEC)
PublisherThe Internet Society
Number of pages13
ISBN (Electronic) 1891562916
Publication statusPublished - 27 Feb 2023
EventSymposium on Usable Security and Privacy (USEC) 2023 - San Diego, United States
Duration: 27 Feb 2023 → …


SymposiumSymposium on Usable Security and Privacy (USEC) 2023
Country/TerritoryUnited States
CitySan Diego
Period27/02/23 → …
Internet address

Keywords / Materials (for Non-textual outputs)

  • Phishing
  • Security and privacy
  • phishing awareness


Dive into the research topics of '“I didn’t click”: What users say when reporting phishing'. Together they form a unique fingerprint.

Cite this