Phishing is a social engineering technique used by malicious agents to lure people into divulging sensitive information. Jakobsson and Myers (2006) define phishing as “a social engineering attack wherein a phisher attempts to lure the users to obtain their sensitive information by illegally utilizing a public or trustworthy organization in an automated pattern so that the internet user trusts the message and reveals the victim’s sensitive information to the attacker” (cited in Alkhalil et al., 2021). Perpetrators are able to craft deceptive emails that masquerade as coming from a legitimate source by drawing on things that interest users, most often the currently trending regional or global issue. For instance, the COVID-19 pandemic attracted a lot of phishing activity from cybercriminals. The obvious reasons are that the world was terrified and everybody was anxious to read about developments in the pandemic, so it was easy for internet users to click on or respond to emails that had COVID-19 labelling on them. Most people Data from the APWG website shows that phishing attacks saw a rise of about 2.2% between the last quarter of 2019 and the first quarter of 2020 (Figure 2.1).

Figure 2.1: Phishing attacks indicating increasing trend during COVID-19 pandemic (Source: APWG, 2020)
The IBM 2023 report ranks phishing as the number one cyber attack in 2022, accounting for 41% of all incidents that compromise computer systems. The report also states that phishing attacks ask for the email address of victims 73% of the time. Generally, phishing attacks have been rampant in recent times, with about 90% of organisations globally encountering some form of phishing attack in 2019 (Proofpoint, 2020). Studies have also found that susceptibility varies across sex, age groups, academic disciplines, and organisations (Williams et al., 2018; Getsafeonline, 2017; Hadlington, 2017). The APWG (2020) report (Figure 2) puts financial institutions (27.7%) as the organizations most targeted by attackers, followed by webmail (17.7%). Other institutions, including academic institutions, make up 18.2%.

Figure 2.2: Phishing attacks by targeted institutions (Extracted from APWG, 2020)
In academic institutions, a student can be sent an email that requests registration for a certain programme, a scholarship application, a publication, or the submission of abstracts for a conference, etc., in which a victim who clicks on a certain link loses some confidential details to cybercriminals. It has been found that younger students are more likely to fall victim to phishing attacks than older students (Yeboah-Boateng and Amanor, 2014). Of greater interest in this review are the findings that reveal the wide variation in phishing susceptibility among students of different faculties. The observational study by Diaz et al. (2020) among 1,350 undergraduate students at the University of Maryland found some relationship between demographic factors and students’ susceptibility to phishing attacks. It was found that students’ academic year of progression correlates negatively with their level of susceptibility to phishing attacks. Depending on the nature of the attack and the target group, phishing can be classified as spear phishing, voice phishing (vishing), SMS phishing (smishing), domain name system-based phishing (pharming), search engine phishing, etc. (Details on phishing categories can be found in Jakobsson and Myers, 2006; Proofpoint, 2019a; Proofpoint, 2020.)