Abstract
Phishing is the most common and potentially dangerous cyber attack that organizations are forced to deal with on a constant basis, rendering its automated detection as early as possible a necessity to ensure the security of computer systems. Focusing on the email level, this work improves content-based phishing email detection by integrating stylometric features with the commonly-used vectorization techniques, as well as by utilizing classifier stacking. Leveraging a diverse set of stylometric features, we systematically explore different methods of combining them with vectorized text as well as multiple stacking configurations for the machine learning algorithms. Our findings demonstrate that the proposed methods consistently outperform vectorization-only baselines on an imbalanced dataset, with a smaller improvement to a balanced one. Specifically, we achieved an \(F_1\) measure of 0.9843 on the balanced set and 0.9656 on the imbalanced one by stacking multiple different classifiers that were trained on the content and stylometric features separately, improving baselines by more than 2.2% for the imbalanced dataset. As such, our work contributes to the ongoing efforts in cybersecurity by further enhancing the performance of state-of-the-art phishing email detection systems.


Similar content being viewed by others
Data availibility
All of the data used are publicly available at https://monkey.org/~jose/phishing/ and https://www.cs.cmu.edu/~./enron/
Notes
In cases where there are no references for a feature in the table, the feature was proposed by us.
The list used is Python’s string.punctuation which can be referenced in the official documentation: https://docs.python.org/3/library/string.html#string.punctuation
References
Radicati Group: Email Statistics Report 2022-2026 Executive Summary. Tech. rep., https://www.radicati.com/wp/wp-content/uploads/2022/11/Email-Statistics-Report-2022-2026-Executive-Summary.pdf (2022)
Federal Bureau of Investigation. 2022 Internet Crime Report. Tech. rep., (2022). https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
Anti-Phishing Working Group. APWG Phishing Activity Trends Report 4th Quarter 2022. Tech. rep., Publications Office of the European Union, Luxembourg (2022). https://docs.apwg.org/reports/apwg_trends_report_q4_2022.pdf
Anti-Phishing Working Group. APWG Phishing Activity Trends Report 2nd Quarter 2023. Tech. rep., Publications Office of the European Union, Luxembourg (2023). https://docs.apwg.org/reports/apwg_trends_report_q2_2023.pdf
Das, A., Baki, S., Aassal, A.E., Verma, R.M., Dunbar, A.: SoK: a comprehensive reexamination of phishing research from the security perspective. IEEE Commun. Surv. Tutor. 22(1), 671–708 (2020). https://doi.org/10.1109/COMST.2019.2957750
Abdillah, R., Shukur, Z., Mohd, M., Murah, M.Z.: Phishing classification techniques: a systematic literature review. IEEE Access 10, 41574–41591 (2022). https://doi.org/10.1109/ACCESS.2022.3166474
Aleroud, A., Karabatis, G.: Bypassing detection of url-based phishing attacks using generative adversarial deep neural networks. In: Verma RM, Khan L, Mohan CK (eds) IWSPA@CODASPY ’20: Proceedings of the 6th International Workshop on Security and Privacy Analytics, New Orleans, LA, USA, March 18, 2020, ACM, pp. 53–60, (2020), https://doi.org/10.1145/3375708.3380315
Almomani, A., Gupta, B.B., Atawneh, S., Meulenberg, A., Almomani, E.: A survey of phishing email filtering techniques. IEEE Commun. Surv. Tutor. 15(4), 2070–2090 (2013). https://doi.org/10.1109/SURV.2013.030713.00020
Chandrasekaran, M., Narayanan, K., Upadhyaya, S.: Phishing email detection based on structural properties. In: New York State Cyber Security Conference, Albany, NY, USA, (2006)
Fette, I., Sadeh, N.M., Tomasic, A.: Learning to detect phishing emails. In: Williamson CL, Zurko ME, Patel-Schneider PF, Shenoy PJ (eds) Proceedings of the 16th International Conference on World Wide Web, WWW 2007, Banff, Alberta, Canada, May 8-12, 2007, ACM, pp. 649–656, (2007). https://doi.org/10.1145/1242572.1242660
Bergholz, A., Beer, J.D., Glahn, S., Moens, M., Paaß, G., Strobel, S.: New filtering approaches for phishing email. J Comput. Secur. 18(1), 7–35 (2010). https://doi.org/10.3233/JCS-2010-0371
Moradpoor, N., Clavie, B., Buchanan, B.: Employing machine learning techniques for detection and classification of phishing emails. In: 2017 Computing Conference, pp. 149–156, (2017). https://doi.org/10.1109/SAI.2017.8252096
Nguyen, M., Nguyen, T., Nguyen, T.H.: A deep learning model with hierarchical lstms and supervised attention for anti-phishing, (2018). CoRR abs/1805.01554, arXiv:1805.01554
Fang, Y., Zhang, C., Huang, C., Liu, L., Yang, Y.: Phishing email detection using improved RCNN model with multilevel vectors and attention mechanism. IEEE Access 7, 56329–56340 (2019). https://doi.org/10.1109/ACCESS.2019.2913705
Bountakas, P., Koutroumpouchos, K., Xenakis, C.: A comparison of natural language processing and machine learning methods for phishing email detection. In: Reinhardt D, Müller T (eds) ARES 2021: The 16th International Conference on Availability, Reliability and Security, Vienna, Austria, August 17-20, 2021, ACM, pp. 127:1–127:12, (2021). https://doi.org/10.1145/3465481.3469205
Lee, J., Tang, F., Ye, P., Abbasi, F., Hay, P., Divakaran, D.M.: D-fence: A flexible, efficient, and comprehensive phishing email detection system. In: IEEE European Symposium on Security and Privacy, EuroS &P 2021, Vienna, Austria, September 6-10, 2021, IEEE, pp. 578–597, (2021). https://doi.org/10.1109/EUROSP51992.2021.00045
Abdallah, E.E., Abdallah, A.E., Bsoul, M., Otoom, A.F., Al-Daoud, E.: Simplified features for email authorship identification. Int. J. Secur. Netw. 8(2), 72–81 (2013). https://doi.org/10.1504/IJSN.2013.055941
Shams, R., Mercer, R.E.: Supervised classification of spam emails with natural language stylometry. Neural Comput. Appl. 27(8), 2315–2331 (2016). https://doi.org/10.1007/S00521-015-2069-7
Dewan, P., Kashyap, A., Kumaraguru, P.: Analyzing social and stylometric features to identify spear phishing emails. In: 2014 APWG Symposium on Electronic Crime Research (eCrime), pp. 1–13, (2014). https://doi.org/10.1109/ECRIME.2014.6963160
Duman, S., Kalkan-Cakmakci, K., Egele, M., Robertson, W.K., Kirda, E.: Emailprofiler: Spearphishing filtering with header and stylometric features of emails. In: 40th IEEE Annual Computer Software and Applications Conference, COMPSAC 2016, Atlanta, GA, USA, June 10-14, 2016, IEEE Computer Society, pp. 408–416, (2016). https://doi.org/10.1109/COMPSAC.2016.105
Islam, M.R., Abawajy, J.H.: A multi-tier phishing detection and filtering approach. J. Netw. Comput. Appl. 36(1), 324–335 (2013). https://doi.org/10.1016/J.JNCA.2012.05.009
Shyni, C.E., Sarju, S., Swamynathan, S.: A multi-classifier based prediction model for phishing emails detection using topic modelling, named entity recognition and image processing. Circuits Syst. 07(09), 2507–2520 (2016). https://doi.org/10.4236/cs.2016.79217
Bird, S., Loper, E., Klein, E.: Natural language processing with Python. “ O’Reilly Media, Inc.” (2009)
Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient estimation of word representations in vector space. In: Bengio Y, LeCun Y (eds) 1st International Conference on Learning Representations, ICLR 2013, Scottsdale, Arizona, USA, May 2-4, 2013, Workshop Track Proceedings, (2013a). http://arxiv.org/abs/1301.3781
Mikolov, T., Sutskever, I., Chen, K., Corrado, G.S., Dean, J.: Distributed representations of words and phrases and their compositionality. In: Burges CJC, Bottou L, Ghahramani Z, Weinberger KQ (eds) Advances in Neural Information Processing Systems 26: 27th Annual Conference on Neural Information Processing Systems 2013. Proceedings of a meeting held December 5-8, 2013, Lake Tahoe, Nevada, United States, pp. 3111–3119, (2013b). https://proceedings.neurips.cc/paper/2013/hash/9aa42b31882ec039965f3c4923ce901b-Abstract.html
Devlin, J., Chang, M., Lee, K., Toutanova, K.: BERT: Pre-training of deep bidirectional transformers for language understanding. In: Burstein J, Doran C, Solorio T (eds) Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, NAACL-HLT 2019, Minneapolis, MN, USA, June 2-7, 2019, Volume 1 (Long and Short Papers), Association for Computational Linguistics, pp. 4171–4186, (2019). https://doi.org/10.18653/V1/N19-1423
Toolan, F., Carthy, J.: Feature selection for spam and phishing detection. In: 2010 eCrime Researchers Summit, eCrime 2010, Dallas, TX, USA, October 18-20, 2010, IEEE, pp. 1–12, (2010). https://doi.org/10.1109/ECRIME.2010.5706696
Fourkioti, O., Symeonidis, S., Arampatzis, A.: Language models and fusion for authorship attribution. Inf. Process Manag. 56(6), 102061 (2019). https://doi.org/10.1016/J.IPM.2019.102061
McKinney, Wes: Data Structures for Statistical Computing in Python. In: Stéfan van der Walt, Jarrod Millman (eds) Proceedings of the 9th Python in Science Conference, pp. 56–61, (2010). https://doi.org/10.25080/Majora-92bf1922-00a
Buitinck, L., Louppe, G., Blondel, M., Pedregosa, F., Mueller, A., Grisel, O., Niculae, V., Prettenhofer, P., Gramfort, A., Grobler, J., Layton, R., VanderPlas, J., Joly, A., Holt, B., Varoquaux, G.: API design for machine learning software: experiences from the scikit-learn project. In: ECML PKDD Workshop: Languages for Data Mining and Machine Learning, pp. 108–122, (2013)
Řehůřek, R., Sojka, P.: Software Framework for Topic Modelling with Large Corpora. In: Proceedings of the LREC 2010 Workshop on New Challenges for NLP Frameworks, ELRA, Valletta, Malta, pp. 45–50, (2010)
Cohen, W.W.: Enron Email Dataset. (2015), https://www.cs.cmu.edu/~./enron/, accessed: 2022-03-16
Nazario, J.: Phishing Email Corpus, (2005-2022). https://monkey.org/~jose/phishing/README.txt, accessed: 2022-03-16
Dietterich, T.G.: Approximate statistical tests for comparing supervised classification learning algorithms. Neural Comput. 10(7), 1895–1923 (1998). https://doi.org/10.1162/089976698300017197
Halgas, L., Agrafiotis, I., Nurse, J.R.C.: Catching the phish: Detecting phishing attacks using recurrent neural networks (rnns). In: You I (ed) Information Security Applications - 20th International Conference, WISA 2019, Jeju Island, South Korea, August 21-24, 2019, Revised Selected Papers, Springer, Lecture Notes in Computer Science, vol 11897, pp. 219–233, (2019). https://doi.org/10.1007/978-3-030-39303-8_17
Author information
Authors and Affiliations
Contributions
Ilias Chanis: Conceptualization, Methodology, Data curation, Formal analysis, Investigation, Resources, Software, Validation, Writing - original draft, Writing - review & editing; Avi Arampatzis: Conceptualization, Methodology, Project administration, Supervision, Validation, Writing - review & editing
Corresponding author
Ethics declarations
Conflict of interest
The authors have no competing financial or non-financial interests to declare that are relevant to the content of this article.
Human participants
No funding was received for conducting this study. The article does not contain any studies that involve human participants or animals performed by any of the authors.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Chanis, I., Arampatzis, A. Enhancing phishing email detection with stylometric features and classifier stacking. Int. J. Inf. Secur. 24, 15 (2025). https://doi.org/10.1007/s10207-024-00928-7
Published:
Version of record:
DOI: https://doi.org/10.1007/s10207-024-00928-7
