This study identifies key risk factors and vulnerable demographics contributing to phishing susceptibility among the Pakistani population. Method: A survey-based study employing convenience sampling collected data from 164 participants; multivariate statistical analysis examined the effects of demographic attributes, technical proficiency, prior victimization, and phishing email characteristics—including sender domain (e.g., Gmail, LinkedIn), authority/urgency cues, and explicit risk warnings. Contribution/Results: Significant susceptibility was observed among males, individuals aged 25+, employed persons, and frequent online shoppers. Phishing emails originating from commercial platforms (e.g., Gmail, LinkedIn) exhibited markedly higher deception rates than those from governmental or social media domains—challenging prevailing assumptions. Authority and urgency cues increased susceptibility, whereas explicit risk warnings enhanced user vigilance. This work presents the first empirical evidence from a South Asian emerging market revealing critical interaction effects between sender domain and user behavior, thereby informing targeted security awareness programs and context-aware phishing mitigation strategies.

Phishing attacks pose a significant cybersecurity threat globally. This study investigates phishing susceptibility within the Pakistani population, examining the influence of demographic factors, technological aptitude and usage, previous phishing victimization, and email characteristics. Data was collected through convenient sampling; a total of 164 people completed the questionnaire. Contrary to some assumptions, the results indicate that men, individuals over 25, employed persons and frequent online shoppers have relatively high phishing susceptibility. The characteristics of email significantly affected phishing victimization, with authority and urgency signaling increasing susceptibility, while risk cues sometimes improved vigilance. In particular, users were more susceptible to emails from communication services such as Gmail and LinkedIn compared to government or social media sources. These findings highlight the need for targeted security awareness interventions tailored to specific demographics and email types. A multifaceted approach combining technology and education is crucial to combat phishing attacks.