Phishing attacks, which leverage effective social engineering techniques to exploit human vulnerabilities, continue to pose significant risks to internet users. This systematic literature review analyzes phishing attack research from 2010 to 2025, focusing on phishing susceptibility among internet users. Following the guidelines outlined by Kitchenham and Charters (2007), the review comprises three primary phases: planning, execution, and reporting. Study questions were formulated using the PICOC framework to examine the types of phishing attacks, the theoretical frameworks applied, the persuasive elements utilized, and the challenges and research gaps present in existing literature. A comprehensive search of ten primary digital databases yielded 23,479 studies, from which 49 empirical studies were selected for analysis based on rigorous inclusion, exclusion, and quality assessment criteria. The review indicates that email-based phishing remains the predominant form of attack, followed by social media, smishing, and vishing. In addition to commonly employed persuasion strategies such as urgency, fear appeal, and authority, the review identifies prominent theoretical frameworks. This paper also highlights significant research gaps, particularly in platform development and unexplored user demographics, and provides recommendations for future phishing-related studies. The findings advocate for the development of robust preventative strategies and enhance the systematic understanding of phishing susceptibility.
Efa Shahira Iskandar
Syarulnaziah Anawar
Zakiah Ayop
International Journal of Research and Innovation in Social Science
Iskandar et al. (Wed,) studied this question.
www.synapsesocial.com/papers/68af5418ad7bf08b1eadb4d7 — DOI: https://doi.org/10.47772/ijriss.2025.907000456