Authors: Noon Hussein
DOI: 10.5121/csit.2023.130406 (https://doi.org/10.5121/csit.2023.130406)
Journal: Computer Networks & Communications
Publication date: 2023-02-25
Publication type: Journal Article
Platform: Semanticscholar
Citation count: 0
Eye-tracking in Association with Phishing Cyber Attacks: a Comprehensive Literature Review
As of 2021, it has been reported that around 90% of data breaches occur on account of phishing, while about 83% of organizations experienced phishing attacks [1]. Phishing can be defined as the cybercrime in which a target is contacted through e-mail, telephone or text message by someone impersonating a legitimate institution [2]. Through psychological manipulation, the threat actor attempts to deceive users into providing sensitive information, thereby causing financial and intellectual property losses, reputational damage, and disruption of operational activity. In this light, this paper presents a comprehensive review of eye-tracking in association with phishing cyberattacks. To determine their impact on phishing detection accuracy, this work reviews 20 empirical studies which measure eye-tracking metrics with respect to different Areas of Interest (AOIs). The described experiments aim to produce simple cognitive user reactions and to examine concentration, perception and trust in the system, all of which determine the level of susceptibility to deception and manipulation. Results suggest that longer gaze durations on AOIs, characterized by higher attention control, are strongly correlated with detection accuracy. Eye-tracking behavior also shows that technical background, domain knowledge, experience, training, and risk perception contribute to mitigating these attacks. Meanwhile, Time to First Fixation (TTFF), entry time and entry sequence data yielded inconclusive results regarding the impact on susceptibility to phishing attacks. The results aid in designing user-friendly URLs, visual browsing aids, and embedded and automated authentication systems. Most importantly, these findings can be used to establish user awareness through the development of training programs.