Humans remain vulnerable to phishing attacks, despite awareness, training, and technical measures. The role of emotions during phishing attacks is largely unexplored. Building on the appraisal theory of emotion, we investigated (1) which emotions are invoked during a phishing attack, (2) related cognitive appraisals, (3) behavioral responses during an attack, and (4) reflections about behavior throughout the attack. We conducted a qualitative study (N=41), simulating a workplace scenario during which a phishing attack occurs. We combined observation, interviews, and questionnaires. Emotions differed based on whether the phish was detected or not. The phish was frequently appraised as an interruption, invoking negative emotions. Not clicking on the phishing link was often appraised as a possible mistake, which may lead to reputational damage. Many participants reflected detecting the phish intuitively. This work contributes to an empirical understanding of emotions and behavior during phishing and provides research avenues and implications for how anti-phishing measures could benefit from emotion-aware solutions.
Symposium on Usable Privacy and Security (SOUPS)
2026-08-23
2026-06-26