The Geometry of Suspicion: Visual Exploration Patterns in Email Phishing Detection

This study examined visual exploration strategies in phishing-email detection by integrating conventional AOI-based eye-tracking measures with a complementary scene-based indicator, the Nearest Neighbor Index (NNI), to capture the global spatial organization of fixations. Thirty-two volunteers completed an email-classification task involving 106 static email stimuli; data from 30 participants were included in the final analyses. For each stimulus, participants judged whether the email was authentic or phishing, allowing for the computation of eye-tracking metrics across Signal Detection Theory classification outcomes. Concerning the NNI, the results showed that the spatial distribution of fixations was higher for suspicious than for non-suspicious emails, indicating a broader visual exploration pattern under higher task demands. More importantly, correct and incorrect responses differed reliably: hits were associated with more dispersed and regular fixation patterns, whereas false alarms were associated with more clustered scanning; misses showed a descriptively similar tendency that did not survive correction for multiple comparisons. Participants also responded faster when correct than when incorrect. When cybersecurity awareness (CAIN) was included as a mean-centered covariate, the primary effects of Signal and Outcome on NNI and decision time remained significant, indicating that the experimental effects are robust to individual differences in cybersecurity knowledge. However, CAIN did not emerge as a reliable predictor of eye-tracking measures within these models, suggesting that its role operates more at the level of classification performance than moment-by-moment gaze organization.