Methodologies and Ethical Considerations in Phishing Research: A Comprehensive Review

Phishing is a significant security threat that causes financial and reputational losses to end-users and service providers in modern information systems. Current anti-phishing research is fragmented and does not address the issue from a pervasive computing perspective. As phishing attacks exploit human susceptibility, designing appropriate and personalized anti-phishing security frameworks that consider individual behavior is crucial. Phishing experiments raise ethical and legal concerns. Researchers carry out experiments to measure the probability and frequency with which a vulnerability could be exploited, and use this information to identify the most effective protection measures. This paper aims to identify ethical and practical issues related to the creation and execution of phishing experiments. The review examines the types of experiments conducted, the ethical rules applied, the user consent obtained, and the types of phishing examined in the experiments. Our aim in this review is to identify legal white spaces and ethical considerations by providing a complete review of the current approaches and processes used in phishing experiments.


INTRODUCTION
Phishing is a method by which an illegitimate message is disguised as a legitimate one in order to mislead, pressure or manipulate subjects into inadvertently sharing confidential data with unauthorized individuals. It refers to social engineering practices, via email, phone calls, social media or text messages, in which the sender pretends to be a trusted service provider and aims to induce end-users to disclose personal information and sensitive data. With the rapid growth and popularity of online social media, this type of deception has become an even greater threat, affecting millions of individuals every day.
Phishing can be considered a threat which, by virtue of social engineering techniques and/or other technological or non-technological means, allows the attacker to retrieve personal information from its victims, causing financial or other harm through this data breach [1]. Although electronic phishing appeared almost two decades ago, similar techniques can be traced back at least to the 19th century. Phishing attacks usually target a high number of "victims", and hence attackers often prefer communication methods with extensive outreach. For example, an attack can be delivered over e-mail, SMS (smishing), voice (vishing) and/or social media channels (Facebook, Twitter etc.). Typically, the intent is to steal credentials or financial information from users (identity theft and cat-phishing). Identity theft involves stealing private information such as credit card numbers, tax security numbers, social security numbers, name, address, date of birth or other similar sensitive information, aiming at direct financial gain for the attacker, whereas cat-phishing relies mainly on impersonating someone in order to ask victims to send money to the attacker [2].
Research into the variables that influence individuals' vulnerability to phishing is a crucial step in enhancing cybersecurity awareness and formulating safeguarding tactics. Numerous personal or demographic factors and specific characteristics of the participants, regarding gender, age and mentality, may limit the scope of conclusions about the phishing susceptibility of people. Previous research has suggested that user demographics are considerably influential factors in phishing attacks. Gender is often included in phishing vulnerability studies as a demographic variable; however, results regarding its impact on phishing detection are controversial. While some studies have concluded that there is a statistically significant correlation between gender and phishing susceptibility [3][4][5][6], other studies have found no such connection [7][8][9][10]. In the studies where a correlation has been found, the susceptibility of females to phishing attempts is higher than that of males, and it has been suggested that this is due, in part, to less technical training and computer knowledge among females [6]. Also, a narrow demographic in terms of the users' age, education, computer skills, working environment etc. would affect the results of the experiments; further experimentation is therefore needed to assess the generalizability of the studies and to address questions on the effectiveness of these methods for a wider population in terms of age. Finally, another limitation concerns the environment used for the experiments. More specifically, phishing experiments that are executed within a "secure" (for the participants) environment may have an impact on the performance observed in these experiments, as the participants are not exposed to any real risk or danger to their private data, as typically happens during real-world phishing attacks.
Phishing experiments may raise ethical and legal concerns. In this context, there is a growing need to review the different phishing experimental designs used in universities and triangulate them under the perspective of ethical and legal considerations. By identifying the types of experiments being conducted and the ethical and legal guidelines that should be followed, researchers can ensure that their studies are conducted safely and responsibly, while also advancing our understanding of how to safeguard against phishing attacks.

PHISHING EXPERIMENTS AND ETHICS

Empirical research in phishing
Phishing research aims to design countermeasures against malicious attempts to steal confidential information from people and to protect them from falling victim to such attempts. A basic task in achieving this goal is to understand the dynamics of phishing and to analyze people's decision-making strategies when faced with phishing attacks. In general, it is challenging to obtain experimental data on users' security practices, because people tend to behave differently when they are informed that they are being monitored during an experiment [11]; such experimental data are therefore not ecologically valid. Ecological validity is a term from psychological science, first introduced by Brunswik [12], that evaluates the extent to which experimental results can be applied to real-life situations, i.e. circumstances or surroundings that are representative of everyday life, and the credibility of a study's results given the context or location in which the study was conducted. An experiment is said to be ecologically valid if it represents what real people would do in the real world, so that its results can be applied to the real life of the participants under study, and invalid if it examines only a special subset of people in an artificial environment.
The existing framework for conducting experiments in phishing research consists of three approaches: Survey studies, Laboratory studies and Field studies, with the latter being the most morally and legally questionable but at the same time also the most ecologically valid [13]. Survey-type research uses a survey or interview method to gather information from individuals regarding their encounters with phishing attacks. By examining the responses, investigators can analyze the specific types of phishing emails that participants have received and their subsequent actions in response to them. Laboratory studies are used to measure users' ability to detect phishing. They are based on running research in a controlled laboratory environment where people must identify phishing tasks (emails, websites, smishing, vishing etc.) after viewing a variety of them [13]. In Field studies, experiments are conducted in a manner that closely resembles genuine phishing attempts, assessing real success rates by ensuring that participants cannot distinguish the study from reality [16]. Table 1 presents the approaches, the methods used in each approach, and their advantages and disadvantages.

Ethics in phishing experiments
Ethical clearance is a necessary prerequisite for phishing research. In their study, D. B. Resnik and P. R. Finn [14] summarize the ethics of phishing experiments by stating that these ". . . can be conducted ethically if risks are minimized, confidentiality and privacy are protected, potential participants have an opportunity to opt out of the research before it begins, and human subjects are debriefed after their participation ends." Survey studies and laboratory experiments can address ethical concerns because they use a low-risk research format that allows participants to provide consent and does not entail distorting the nature of the experiment. Field studies, on the contrary, may raise serious ethical concerns because in this type of experiment researchers simulate a real phishing attack while observing the participants' reactions to it, which involves deception about the true goal of the research [13]. Deception and informed consent are the main aspects of research ethics.
Deception in experiments occurs where researchers willfully conceal certain research methods from the participants, most notably the purpose of the study, in order to reach unbiased conclusions (which might not be possible if the participants knew that they were taking part in a phishing experiment). Although it is morally dubious, deception plays an important role in collecting data that precisely portrays how individuals respond to fraudulent emails under authentic circumstances, and it is an important tool for phishing research because when participants know they will be phished, the results may be severely biased. Sokol [18] argues that "there is a difference between intentionally giving false information and intentionally withholding information when it comes to misleading people". While the former is always deceptive, the latter depends on what expectations would be reasonable under the circumstances. In general, deceptive techniques are permitted as long as the research carries a low risk, answering the research question would be impracticable without deceit, and participants are debriefed (meaning that after the experiment, researchers reveal all of the research's flaws and explain why the deception was necessary) [19]. The use of deception, which is essential in various phishing research investigations, and a complete exclusion of informed consent, which is required in genuine phishing studies, both directly contradict the concept of respect for individuals.
In general, individuals should have the freedom to choose whether or not to participate in research. Prospective participants do not need to know everything in order to decide; they just need to be well-informed enough to decide on their own whether they want to participate in the research or not. Participants do not provide informed consent when they are misinformed about important aspects of the study, such as its purpose and nature [19]. Informed consent is a requirement of numerous laws, regulations and professional codes in many countries, which may often be violated in phishing field experiments. According to the principles of informed consent, researchers must respect the decisions made by autonomous subjects who have the capacity to reach well-informed choices regarding their involvement in research, taking into account the information and alternatives that are accessible [14]. Given that it is often essential to limit independence in order to promote the collective welfare, one could argue that there are situations in which it is morally permissible to use human participants in a research project without their explicit agreement. If the investigation involves significant issues of public concern, it cannot move forward unless the participants give their consent. Resnik and Finn [21] propose that an Institutional Review Board would be warranted in excluding the need for informed consent for experiments that have the potential to generate substantial knowledge. Furthermore, the following prerequisites for waiving consent must be met: firstly, experiments in phishing cannot be conducted without a consent waiver or modification, as the participants' knowledge of the experiments could compromise the results; secondly, the individuals would receive supplementary details regarding their involvement after the trials have concluded (debriefing procedure); thirdly, the phishing trials would likely entail only minimal hazard; and fourthly, the research would not detrimentally impact the rights or well-being of the participants.
Debriefing is the process by which researchers explain all aspects of the study that were misrepresented, withheld, or misleadingly presented, after participants have finished participating. It is required by various research ethics guidelines and is regarded as a crucial element of honest research. The process of debriefing is voluntary, in the sense that participants may choose not to hear the debriefing if they are uninterested, but investigators are typically required to provide it [15,19]. One reason for debriefing is that the need for the researcher to be truthful with the subject is embedded in the informed consent process. Another reason is that in some rare instances, the research itself is intended to examine how adverse experiences affect behavior and employs deceptive techniques to make the subject uncomfortable, so that the subject fails. However, when conducting certain misleading phishing experiments, the act of debriefing could potentially lead to psychological distress, as the participants might experience feelings of distress, unease, or frustration due to being tricked, participating in research without their explicit permission, lacking the immediate chance to convey and debate their responses with the investigator, and having concerns about the security of their personal information [15].
Research and advancements in anti-phishing methodology, tactics and techniques take place both in scholarly research and in research conducted by businesses and government entities. A lot of research is done at universities, where a growing number of researchers are endeavoring to measure risks and levels of susceptibility through trials, with the aim of understanding where to concentrate safeguarding actions. When planning phishing studies, academic researchers must deal with the requirement that any experiments are not only ethically conducted but also evaluated and authorized by their Institutional Review Board (IRB). Typically, the researcher would need to ask for permission to employ deception in a study and for an exemption from specific parts of the informed consent process. The IRB is responsible for reviewing, approving or disapproving, and supervising all research using information obtained from human subjects. This is done to guarantee that the investigation is conducted in compliance with federal legislation and the ethical principles specified in the Belmont Report, namely respect for persons, beneficence and justice [15].

MOTIVATION AND METHODOLOGY

Research Motivation
Researchers investigating phishing and internet deception, especially those performing experiments on actual users, may encounter various legal hazards that seldom affect individuals working in other security fields. These hazards encompass issues concerning copyright and trademark violation, impersonation, and fraud. Phishing research endeavors usually entail two types of legal risk: those associated with the extraction of data from the victims, and those associated with the development and execution of the phishing attack, with the latter category being exclusive to phishing investigators [22]. By "legally risky," we are referring to actions that have a significant chance of resulting in either civil or criminal liability. Conducting security research is crucial for the development, construction, and upkeep of safe systems. Criminalizing security research activities and raising uncertainties about their legality weaken the security of the very systems that laws against computer crime claim to safeguard.
The legal system does not explicitly differentiate between security research and cyber offenses. Security researchers regularly encounter legal hazards and legal intimidation, resulting in well-documented chilling effects on their work. As a result, this damages security research, which subsequently damages the safety of the technologies that we all increasingly depend on. In this regard, recent phishing research favors deception-based user field studies that are carried out without the awareness or prior agreement of the users. Typically, field investigations can be organized and performed by replicating genuine fraud attempts in order to assess the feasibility of the trials. However, in reality, it is challenging to address all potential legal and moral concerns while imitating an authentic attack. In several countries researchers can run into legal trouble. In South Korea, the "Law on Encouragement of Utilization and Protection of Information and Communication Networks" forbids the act of gathering personal information through deceit or enticing deceived persons to disclose personal data. Japanese legislation does not explicitly outlaw phishing attacks, but it places stringent limits on spam messages that could be used for phishing purposes. In the United States, California legislation allows the Attorney General to pursue legal action against individuals who send phishing emails, which is not the case in other states. Consequently, it is advised that researchers based in California refrain from conducting actual phishing experiments [23].
Phishing experiments raise ethical and legal concerns. In this context, there is a growing need to review the different phishing experimental designs used in universities and triangulate them with ethical and legal considerations. By identifying the types of experiments being conducted and the ethical and legal guidelines that should be followed, researchers can ensure that their studies are conducted safely and responsibly, while additionally enhancing our comprehension of strategies to counter phishing attempts. The objective of this paper is to recognize moral and practical concerns associated with establishing and conducting phishing experiments.
In this review, our goal is to offer a thorough summary of the existing strategies and techniques employed in phishing experiments in university settings, with a particular focus on identifying legal white spaces and ethical considerations. By analyzing the different types of experiments conducted and the ethical rules and guidelines followed, we can gain insights into the most effective ways to conduct experiments while minimizing risks to human subjects. Our review will also highlight any gaps in current practices and provide recommendations for future research on multiple abstraction layers: a) legal, b) technological and c) procedural.

Research Methodology
The primary research goal of this review is to explore the methods used to organize and perform phishing experiments.

Research questions
The questions raised in this study are as follows:
RQ1: What methodological approaches for phishing research are followed in phishing experiments?
In this research question we ask which methodological approaches are followed in the examined papers, and how these are categorized according to the experimental subjects (type of participants), the experimental targets (university, company, other) and the country or continent in which they were executed.
RQ2: Considering RQ1, what research ethics per methodological approach are applied to the experiments examined?
Ethical considerations should be accounted for when designing a phishing experiment. The use of deception, informed consent and debriefing in the examined experiments needs to be revisited.
RQ3: Are there any empirical best practices per methodological approach for ensuring ecological validity in phishing experiments?
Regarding the experiments we examine in the reviewed published research, we summarize the empirically inferred best practices per approach for ensuring ecological validity in phishing experiments.

Data collection and Screening Process
The preliminary stage of our data gathering commenced with an extensive search for the keywords "phishing" and "experiment" in the SCOPUS Digital Library database. This yielded a total of 370 articles. To identify papers that met our specific inclusion and exclusion criteria, we conducted both abstract and full-text evaluations. Our main inclusion criterion was that papers had to primarily study the subject of phishing experiments. The following selection criteria were employed to identify, analyze and organize the relevant literature from the search query: research articles must be published in conferences, books, or journals; they should describe existing phishing experiments as well as provide information on the ethical and procedural aspects of the experimental set-up; they must include references to the "Institutional Review Board" or "IRB", "Informed Consent" and "Deception"; and they must have been published during 2018-2023. Papers were excluded if they were an extended synopsis or a work in progress, if the primary language in which they were written was not English, or if they were deemed irrelevant to phishing, even if they referenced phishing.

Before a simulated field or laboratory experiment is conducted, researchers must go through the review and approval processes of the institutional review boards (IRBs), and a contract should be signed to ensure the protection and lawful processing of data. When designing a phishing experiment, ethical factors must be carefully considered. The use of deceit and a total relinquishment of informed consent both directly conflict with the idea of respect for persons. When deception is used in research, the subject usually gives their consent before any important information about the deception is withheld, and is then debriefed after the experiment is finished.
Table 2 presents the research ethics per methodological approach that are applied in the experimental papers examined. Overall, as Table 2 indicates, the use of Informed Consent in Laboratory experiments is almost twice as probable as in Field experiments (55.3% vs. 26.9%). An explanation for this observation could be that in Laboratory experiments the number of participants is lower, and hence obtaining Informed Consent is easier. We also observe high percentages of IRB approval for both Field and Laboratory experiments and high percentages of Informed Consent in Laboratory experiments. Informed Consent appears in low percentages for Field experiments across all categories. Debriefing appears in less than 50% of Field experiments and in very low percentages for Laboratory experiments across all categories (overall, university, US, Europe).

RQ3: Are there any empirical best practices per methodological approach for ensuring ecological validity in phishing experiments?

Field experiments.
Field experiments typically produce findings with strong ecological validity, since their environments are connected to real-world scenarios. They score high in ecological validity because the setting is a real one and the task is usually something that would normally take place in that setting. Also, the participants are not aware that they are in an experiment and hence act as they would normally do in a routine context. Field experiments are more appropriate when there is a need to conduct research on a large scale that cannot easily be carried out in virtual settings. The following are some best practices that ensure ecological validity in field phishing experiments.
Baillon et al. [24] conducted an extensive field study that examined the impact of providing information on employees' response to phishing emails and on reducing the dangers of phishing. In the experiment, a fraudulent email was dispatched to the participants in order to assess their vulnerability to clicking on a questionable hyperlink and subsequently disclosing their password. The experiment took place at the Dutch Ministry of Economic Affairs, with a total of 10,929 participants, all of whom were Ministry staff members, oblivious to their involvement in the experiment. The researchers successfully observed real conduct in an ecologically authentic arrangement that closely resembles a genuine phishing attack and managed to avoid the disadvantages of lab experiments (participant bias due to awareness of the experiment and absence of the day-to-day distractions that may influence phishing susceptibility in the real world). In the experiment, all ethical guidelines were adhered to: the administration of the ministry provided its written approval for the research, and a data protection impact assessment was created to identify possible privacy and informed consent issues. Additionally, before the study commenced, the overall standard of compliance with the Information Security System Policy was made available on the intranet, and the Employees Council of the Ministry was notified. Any subsequent analysis was conducted using anonymized data, any information shared by employees was not documented, and after the study concluded, the employees were given a detailed explanation and provided with the contact information of the researchers.
Nguyen et al. [25] performed an experiment in a university setting using a sample of 453 undergraduate students, as they were interested in examining the susceptibility to phishing attacks specifically in this age group [26]. The objective of the study was to examine the effects of overlearning on skill retention through repetition and the development of automaticity. Therefore, a long-term experiment combining overlearning with anti-phishing digital training (rule-based, mindfulness, and control) was conducted. The individuals were provided with information regarding the objective of the research (to evaluate novel cybersecurity instruction that helps individuals differentiate genuine emails from phishing emails) and were assigned one of three instructional sessions (rule-based, mindfulness, or control). Subsequently, they underwent email authentication evaluations (directly after and 10 weeks post-training), and simulated phishing messages were sent to their email accounts (1 week and 8 weeks after training) during regular business hours. In accordance with ethical guidelines, students were required to give their consent to take part in the study prior to any testing being carried out, and were given a thorough explanation of the study's details after the experiment concluded. Approval from the university's Institutional Review Board (IRB) was obtained prior to commencing the experiment, and all required protocols were adhered to in order to safeguard the privacy of the participants throughout the duration of the study. In this experiment, ecological validity is achieved in the sense that the subjects do not know when they will receive the phishing mails.
A third example of an ecologically valid phishing field experiment is by P. K. Yeng et al. [27]. The experiment simulated an SMS-based phishing attack (smishing) against 167 healthcare employees in a hospital in Ghana. Healthcare personnel can become targets of phishing attacks as a result of the nature of their profession, since they frequently deal with a large number of patients and have a heavy workload. Additionally, their work occasionally involves urgent situations, which can increase their mental burden. The study design was that healthcare personnel would be sent a "malicious message" with a "malicious hyperlink" on their mobile devices. If the targeted individual tapped on the hyperlink, the click would be recorded in a counterfeit website's database and the individual would be redirected to a survey tool. The simulated attack lasted for two weeks. The study adopted a field approach coupled with quantitative and qualitative surveys. The results of the experiment indicated that 61% of the targeted healthcare staff were vulnerable to the attack, and a few of the healthcare personnel may have managed to avoid the attack by placing patient care as their top priority when the simulated phishing attack took place. Regarding ethics, the participants volunteered willingly and informed consent was obtained from all individuals involved in the research. The study received ethical approval from the institutional ethics committee for health research (IEC), and the participants were briefed and reminded of their initial agreement to participate in the study. Additionally, they were given the chance to withdraw from the study if they had a change of heart.
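The three field studies above share a data-handling pattern that the ethics section (Resnik and Finn's "confidentiality and privacy are protected") asks for: Baillon et al. analyzed only anonymized data and did not document what employees typed, and Yeng et al. recorded only the fact of a tap on the link before redirecting to a survey. The following Python example is added here to illustrate that pattern; it is not code from any of the reviewed studies. It assumes a hypothetical `SimulationLedger` that records clicks and form submissions against keyed pseudonyms (HMAC-SHA256 of the staff address under a per-study key), reduces anything typed into the simulated form to a yes/no flag, and destroys the key after debriefing so the stored events can no longer be linked to a person. The staff addresses and the typed value are constructed sample data.

```python
"""Pseudonymous outcome recording for an IRB-approved phishing simulation.

Added illustration, not code from the reviewed papers. The class name,
event vocabulary and sample data are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional


class SimulationLedger:
    """Stores simulation events against keyed pseudonyms, never identities."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Per-study secret held only by the research team; a fixed key is
        # accepted so the example is reproducible, a real study draws one.
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self.events: List[Dict] = []

    def pseudonym(self, identifier: str) -> str:
        """Keyed hash of an address or staff id. Unlike a plain SHA-256 of a
        guessable address, it cannot be re-derived without the study key."""
        if self._key is None:
            raise RuntimeError("pseudonymisation key destroyed; linking is no longer possible")
        digest = hmac.new(self._key, identifier.strip().lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def record(self, identifier: str, action: str,
               submitted_fields: Optional[Dict[str, str]] = None,
               when: Optional[datetime] = None) -> Dict:
        """Store one event. Whatever was typed into the simulated form is
        reduced to a boolean; the values themselves are never written."""
        if action not in ("delivered", "clicked", "submitted"):
            raise ValueError(f"unknown action {action!r}")
        event = {
            "subject": self.pseudonym(identifier),
            "action": action,
            "submitted_any_data": bool(submitted_fields),
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
        }
        self.events.append(event)
        return event

    def summarize(self) -> Dict[str, float]:
        """Aggregate rates per distinct subject; this is all that is reported."""
        actions_by_subject: Dict[str, set] = {}
        for e in self.events:
            actions_by_subject.setdefault(e["subject"], set()).add(e["action"])
        subjects = len(actions_by_subject)
        clicked = sum("clicked" in a for a in actions_by_subject.values())
        submitted = sum("submitted" in a for a in actions_by_subject.values())

        def pct(n: int) -> float:
            return round(100.0 * n / subjects, 1) if subjects else 0.0

        return {"subjects": subjects, "clicked": clicked, "submitted": submitted,
                "click_rate": pct(clicked), "submit_rate": pct(submitted)}

    def destroy_key(self) -> None:
        """Called after debriefing: events stay for analysis but can no longer
        be tied to anyone, and no further events can be linked."""
        self._key = None


def run_constructed_simulation(key: bytes = b"constructed-study-key") -> SimulationLedger:
    """Constructed sample run: five staff addresses receive the message,
    three tap the link, one types a (made-up) password into the form."""
    ledger = SimulationLedger(key)
    staff = [f"staff{i}@example.invalid" for i in range(1, 6)]
    for s in staff:
        ledger.record(s, "delivered")
    for s in staff[:3]:
        ledger.record(s, "clicked")
    ledger.record(staff[0], "submitted", submitted_fields={"password": "made-up-secret"})
    return ledger


if __name__ == "__main__":
    ledger = run_constructed_simulation()
    print(ledger.summarize())  # {'subjects': 5, 'clicked': 3, 'submitted': 1, 'click_rate': 60.0, 'submit_rate': 20.0}
    ledger.destroy_key()
```

The keyed hash matters because a plain hash of a corporate address list is trivially reversible by anyone who can enumerate the directory; with the key destroyed after debriefing, the retained ledger supports the aggregate reporting the studies publish (click and submission rates) without retaining a way back to individuals.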

Laboratory experiments.
To better understand human behavior, research studies are frequently carried out in laboratory settings. Ideally, an experiment of this type yields generalizable results, in the sense that its outcomes can later be used to forecast behavior outside of the lab (i.e., the ecological validity of the study is guaranteed). However, laboratories are regulated spaces: clear instructions are given, distractions are kept to a minimum, and researchers make sure that all experimental equipment is fully functional so that study participants can concentrate on the task at hand. Laboratory experiments run the risk of exhibiting demand characteristics or cues that reveal the study's goals and might cause participants to behave differently, thus leading to lower scores in terms of ecological validity.
Sarno and Neider [28] designed a study that examined how task factors (e.g., email load, phishing prevalence) influence email performance. In three controlled laboratory experiments, participants classified emails as legitimate or not legitimate. In the first experiment seventy-five (75) undergraduate students were recruited, in the second experiment fifty-four (42) undergraduates and in the third experiment seventy-two (72) students, all from the same. The investigation adhered to the Code of Ethics of the American Psychological Association and received approval from the University's Institutional Review Board. Each participant provided informed consent, and after completing all the experiments they were given an explanation of the actual purpose of the study. In their study, the scientists chose a more regulated laboratory layout in order to meticulously investigate the impacts of email load and phishing frequency. This experiment had low ecological validity due to the small number of participants and the non-real-world conditions (e.g., lack of multitasking, personalized emails, etc.).
Xu et al. [29] performed a controlled experiment in a laboratory setting using human participants to investigate the impact of the accessibility of information and the susceptibility of end-users to information exploitation. One hundred and twelve (112) students from a university were recruited for the experiment and participated remotely from their homes, with the average age of the participants being 21 years. All individuals used a web browser of their preference on their personal computer to enter a created setting that replicates the activities associated with creating and receiving spear-phishing messages. The experimental process comprised three stages: the initial stage involved an introduction and training for the task; the second stage encompassed the primary execution of the experiment; and in the third stage, a survey and debriefing were conducted after the experiment. The experimental procedure was authorized by the Institutional Review Board (IRB), informed consent was obtained from the users, and the participants were provided with a post-experiment explanation. The scientists used a simulation with imaginary phishing goals and imaginary target data in order to carry out benign and reasonably ecologically sound laboratory tests.
McAlaney and Hills [20] conducted an experiment using eye-tracking technology to examine how the typical characteristics of phishing emails, such as spelling errors and the use of urgent and intimidating language, affect the way individuals perceive and evaluate the emails. Twenty-two (22) psychology undergraduate students were recruited from a sample. Participants were presented with emails that either contained or did not contain a phishing indicator. The emails were shown to them in a random sequence, and an eye-tracking device was used to record eye-movement metrics (i.e., total dwell time, mean fixation count, number of regressions, mean glance duration, entry time and entry). The study was reviewed and approved by the University Research Ethics Committee, and the participants gave their written consent to take part in the research. According to the authors, the study's ecological validity was limited by several constraints: the reduced sample size caused by the COVID-19 pandemic, the limited diversity of participants drawn from a single geographical area, the predominantly female gender distribution within the sample, and the fact that participants were required to assess the trustworthiness of the stimuli, which potentially revealed the study's focus on phishing emails.

CONCLUSION
With a focus on identifying legal white spaces and ethical considerations, this review aims to provide a thorough overview of the current strategies and techniques used in phishing experiments. By analyzing the different types of experiments conducted and the ethical rules and guidelines followed, we can gain insights into the most effective ways to conduct such experiments while minimizing the risks to participants. Our review highlighted gaps in current practices, mainly from a procedural and legal perspective. We concluded that although the majority of the experiments were conducted either in a laboratory or in a field environment, the percentage of those that requested and received IRB approval, and especially of those that followed a procedure for informed consent and debriefing, is relatively low.
The biases of participants and researchers may render self-reported surveys less ecologically valid. Due to the artificial environment to which they subject participants, the findings of laboratory studies are also often considered less generalizable. Field studies, on the other hand, albeit typically more ecologically valid, may raise ethical concerns as they involve deception. In all cases, obtaining ethical approval is an obligatory requirement. Hence, the ethics boards of the relevant research institutions (IRBs) need to assess and approve field experiments. Before initiating any live user phishing study, researchers should communicate with and obtain consent from their university's institutional review board, legal advisor, information technology division, and any other individuals who may receive a cease-and-desist letter regarding the project. In cases where phishing experiments require deception and a waiver of informed consent, Institutional Review Boards (IRBs) must first approve such experiments, considering that the projected benefits of the study outweigh the expected risks, that the study fulfills the specific standards set out in the regulations governing research on human subjects, and requiring that the researchers provide a post-experiment debriefing to the participants. Additionally, the members of the ethics committees, together with data protection experts and legal professionals, can contribute to a plan for supporting phishing researchers in designing studies that adhere to legal requirements.

Table 1: Experimental types in phishing research, methods used, advantages and drawbacks

Table 2: Reference of IRB approval, Informed Consent and Debriefing as referred to in the examined Field and Laboratory experiments