Phish Out of Water: A Large-Scale Study of Phishing Email Cues

Published

Author(s)

Jody Jacobs, Shanee Dawkins, Julia Sharp, Katherine Garcia, Brandon Pearson, Warda Usman, Alycia Carey, Joshua Reynolds, Chris Fennell

Abstract

This poster presents the results of a study on people's perceptions of phishing email cues. The study, conducted in collaboration with Walmart's information security research team, examined whether the presence of certain cues impacts human phishing email detection. 26 unique cues across five cue types were tested with more than 50,000 Walmart employees; nearly 3,000 participants completed a follow-up survey. The simulated phishing campaign resulted in a 16.81% report rate and a 7.22% click rate. Preliminary survey results suggest that there are no differences in clicking behaviors between cue types.
Conference Dates
August 23-26, 2026
Conference Location
Hannover, DE
Conference Title
2026 Symposium On Usable Privacy and Security (SOUPS)

Keywords

phishing, cues, NIST Phish Scale, human-centered cybersecurity

Citation

Jacobs, J., Dawkins, S., Sharp, J., Garcia, K., Pearson, B., Usman, W., Carey, A., Reynolds, J. and Fennell, C. (2026), Phish Out of Water: A Large-Scale Study of Phishing Email Cues, 2026 Symposium On Usable Privacy and Security (SOUPS), Hannover, DE, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=962225 (Accessed June 4, 2026)

Created June 3, 2026