Phishing is a cyberattack where attackers attempt to trick victims into an activity that is against their best interests and provides some kind of benefit to the attacker. Often, this means providing sensitive information such as usernames, passwords, credit card numbers or personal data. Other times, the goal isn’t divulging information but an activity that furthers the attacker’s end goal, such as installing malware that allows the attacker to extract a ransom, use the resources of the victim’s machine or move laterally within the victim’s network. The attackers accomplish their task through various techniques, including deception, impersonation, malicious links and repetition. Recently, artificial intelligence (AI) and deepfakes have given attackers potent new methods of tricking their victims, and organizations have been slow to develop effective countermeasures.
Social engineering has existed since the dawn of humanity and its techniques have had thousands of years to be fine-tuned, enabling their easy translation into digital communications. Phishing became widespread in the 1990s as the general population started gaining access to the internet. It did not take threat actors long to realize the potential financial gains in targeting individuals and entire organizations with phishing campaigns. Although other threat vectors have come, gone, evolved and gradually been mitigated by security professionals, phishing remains a major organizational threat. A 2022 report by Verizon indicated that 82% of breaches involved social engineering, with phishing accounting for over 65% of the incidents (Verizon, 2022).
Given phishing’s continued dominance as an attack vector, researchers from multiple disciplines have sought to mitigate its impact. Their efforts can be broadly categorized into six key research areas — empirical studies, technical research, psychological & behavioral studies, policy & organizational research, emerging technologies research and ethical & legal studies. Research into phishing has been a significant focus for cybersecurity professionals, psychologists, insurance underwriters and business planners for decades. The main types of research are as follows:
Many technologies, and the research related to them, are extremely time-sensitive and can become outdated and less relevant soon after introduction. Research into phishing is different: although vectors and techniques may change from year to year, the general themes of attacks remain largely the same. Studies on the prevalence of malware on AOL Instant Messenger from 2004 do not interest most security professionals. In contrast, a survey from the same period on how phishing emails were successfully detected is still relevant.
Reviewing existing studies can be useful as they provide a baseline for phishing metrics over time and can guide us toward effectively directing new research. Three areas of particular interest to the author for future research are:
Each reviewed article listed within the references explores different aspects of phishing and information technology (IT) security. ‘Falling for Phishing: An Empirical Investigation into People’s Email Response Behaviors’ focuses on human susceptibility to phishing, decision-making processes in email interactions and behavioral interventions, such as nudges, to improve security awareness (Jayatilaka et al., 2021). ‘A Systematic Review and Research Challenges on Phishing Cyberattacks from an EEG and Gaze-Based Perspective’ introduces interesting physiological and cognitive variables, such as eye-tracking and reading the brain’s electrical signals via electroencephalogram (EEG) data, to enhance phishing detection techniques (Thomopoulos et al., 2024). ‘A Quantitative Study of SMS Phishing Detection’ examines factors influencing phishing susceptibility in mobile communications through text messaging, including message content, sender credibility and historic user security behavior (Timko et al., 2023). ‘A Comprehensive Survey of Phishing’ categorizes phishing threats and countermeasures, analyzing phishing evolution and IT security strategies (Goenka et al., 2023). ‘Phishing attacks: risks and challenges for law firms’ examines the risks that law firms confront when dealing with phishing, although the lessons learned are readily applicable to other industries (Teichmann & Boticiu, 2022). Finally, a 2020 article in the Harvard Business Review, ‘Boost Your Resistance to Phishing Attacks’, focuses on the efforts of security researchers taking on the role of attackers to build a compilation of changes to employee training that can, as the title suggests, boost an organization’s resistance to phishing (Harvard Business Review, 2020). Collectively, these articles cover psychological, technical and behavioral variables contributing to phishing susceptibility and prevention.
Quantitative studies provide statistical insights into user behavior and phishing trends, helping identify attack patterns. Qualitative research, such as industry case studies, offers strategic insights for policy-making. Mixed-methods approaches, such as EEG-based research, bridge technical and behavioral analyses, advancing innovative defenses. The reviewed articles incorporate a mix of quantitative, qualitative and mixed-methods research, reflecting both academic and business perspectives on phishing and IT policy.
1. ‘Falling for Phishing: An Empirical Investigation into People’s Email Response Behaviors’ (Jayatilaka et al., 2021) utilizes quantitative methods to analyze user behaviors when interacting with phishing emails. The study gathers statistical data on email response tendencies, examining how different phishing cues impact decision-making.
2. ‘A Quantitative Study of SMS Phishing Detection’ (Timko et al., 2023) applies quantitative analysis by assessing variables such as sender credibility, message content and user response patterns to identify phishing trends in SMS-based attacks.
3. ‘A Systematic Review and Research Challenges on Phishing Cyberattacks from an EEG and Gaze-Based Perspective’ (Thomopoulos et al., 2024) integrates mixed-methods research, combining quantitative EEG and eye-tracking data with qualitative insights into human cognitive responses to phishing attempts.
1. ‘Phishing attacks: Risks and challenges for law firms’ (Teichmann & Boticiu, 2022) employs qualitative analysis by reviewing case studies of phishing attacks targeting legal firms. It evaluates industry-specific risks and discusses the best practices for cybersecurity policy implementation.
2. Harvard Business Review’s ‘Boost Your Resistance to Phishing Attacks’ (2020) focuses on practical application research, using insights from real-world corporate training programs to suggest improvements in security awareness strategies. This aligns with business-focused qualitative research.
3. ‘A Comprehensive Survey of Phishing’ (Goenka et al., 2023) takes a qualitative and systematic review approach, categorizing phishing threats, countermeasures and trends, making it more of a conceptual analysis rather than direct empirical research.
Academic studies (Jayatilaka et al., Thomopoulos et al., Timko et al.) primarily rely on empirical data collection, behavioral analysis and cognitive research to understand phishing susceptibility and detection. Business-focused research (Teichmann & Boticiu, Harvard Business Review, Goenka et al.) centers on the practical implementation of IT policies and cybersecurity strategies, often through case studies and industry trends rather than numerical data.
The reviewed articles present innovative ideas in IT management, particularly in phishing detection and prevention. The introduction of EEG and gaze-tracking technologies in ‘A Systematic Review and Research Challenges on Phishing Cyberattacks’ represents a novel approach to understanding human cognitive responses to cyber threats. Additionally, the work of Timko et al. highlights the importance of analyzing user interactions with text-based phishing attempts to improve mobile security policies. With our growing dependence on mobile devices and their increasing integration with our smart-device lifestyles, these lessons are becoming more critical. These innovations demonstrate a shift from traditional cybersecurity methods to more data-driven and human-centric approaches, allowing organizations to enhance security protocols while considering user behavior. Furthermore, ‘A Comprehensive Survey of Phishing’ provides a taxonomy that aids global organizations in structuring their anti-phishing strategies and policy implementations.
The advocacy for proactive cybersecurity research and the implementation of new technological solutions are key themes across these articles. The need for behavior-based interventions and user education to complement technological defenses is also highlighted. The work of Wright and Jensen, as described in the Harvard Business Review publication, advocates for making training both personal and team-based, focusing on the human element that technical solutions alone may be unable to address. Additionally, there is a call for developing more intuitive mobile security mechanisms based on user interaction patterns. These articles emphasize the necessity for continuous research, rigorous evaluation and iterative implementation of advanced security strategies to stay ahead of evolving cyber threats.
The reviewed articles offer insights into both beneficial and detrimental aspects of IT policy and strategy. On the advantageous side, we are provided with a structured approach to phishing threat assessment, which can aid in formulating targeted security policies. Additionally, guidelines for user-centered security training programs are presented, which can significantly reduce human error in cybersecurity. Conversely, a detrimental aspect highlighted in ‘A Systematic Review and Research Challenges on Phishing Cyberattacks’ is the potential for privacy concerns when utilizing EEG and gaze-tracking technologies in security systems. This author certainly does not advocate tracking employees’ eye movements, much less hooking up wires to their heads! Additionally, ‘A Quantitative Study of SMS Phishing Detection’ raises concerns about the limitations of current anti-phishing mechanisms, emphasizing the need for more effective SMS filtering solutions to prevent smishing attacks, and argues that organizations do not do enough to consider users’ relationships with their mobile devices when crafting policy.
From a global perspective, the articles collectively address how IT policy should be structured to manage technology and innovation. ‘A Comprehensive Survey of Phishing’ emphasizes the necessity for international collaboration in cybersecurity frameworks, as phishing is a cross-border issue affecting organizations worldwide. ‘A Systematic Review and Research Challenges on Phishing Cyberattacks’ advocates for adopting cutting-edge technologies in different regions, ensuring a standardized yet adaptable approach to phishing mitigation. Furthermore, ‘Falling for Phishing’ and ‘A Quantitative Study of SMS Phishing Detection’ emphasize the role of cultural and behavioral differences in shaping effective IT policies for diverse user bases. While international collaboration is essential, differences in regulatory requirements, such as GDPR in Europe and varying cybersecurity standards in Asia and the U.S., create challenges for unified anti-phishing policies. Organizations must tailor their strategies while ensuring compliance with regional laws. By integrating technological advancements with behavioral insights, organizations can develop comprehensive cybersecurity strategies that cater to global needs while respecting local regulatory requirements.
The articles reviewed offer valuable perspectives on phishing threats, IT policy and cybersecurity innovations. They collectively advocate for a multifaceted approach that combines technology, user behavior analysis and policy implementation to enhance security for global organizations. As cyber threats continue to evolve, continuous innovation within the anti-phishing space is essential. Especially with the spread of disruptive technologies such as generative AI capable of producing deepfake voice and video, proactive research, continuous evaluation and strategic implementation of advanced technologies will be essential in mitigating risks and ensuring a secure digital environment for organizations worldwide. Future research should focus on refining these strategies while addressing privacy concerns and optimizing global policy frameworks for effective cybersecurity management.