Saved in:
Bibliographic Details
Main Authors: Barwani, Abrar Hamed Al, Korba, Abdelaziz Amara, Anwar, Raja Waseem
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2601.21261
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915760616505344
author Barwani, Abrar Hamed Al
Korba, Abdelaziz Amara
Anwar, Raja Waseem
author_facet Barwani, Abrar Hamed Al
Korba, Abdelaziz Amara
Anwar, Raja Waseem
contents The escalating sophistication of phishing emails necessitates a shift beyond traditional rule-based and conventional machine-learning-based detectors. Although large language models (LLMs) offer strong natural language understanding, using them as standalone classifiers often yields elevated falsepositive (FP) rates, which mislabel legitimate emails as phishing and create significant operational burden. This paper presents a personalized phishing detection framework that integrates LLMs with retrieval-augmented generation (RAG). For each message, the system constructs user-specific context by retrieving a compact set of the user's historical legitimate emails and enriching it with real-time domain and URL reputation from a cyber-threat intelligence platform, then conditions the LLM's decision on this evidence. We evaluate four open-source LLMs (Llama4-Scout, DeepSeek-R1, Mistral-Saba, and Gemma2) on an email dataset collected from public and institutional sources. Results show high performance; for example, Llama4-Scout attains an F1-score of 0.9703 and achieves a 66.7% reduction in FPs with RAG. These findings validate that a RAG-based, user-profiling approach is both feasible and effective for building high-precision, low-friction email security systems that adapt to individual communication patterns.
format Preprint
id arxiv_https___arxiv_org_abs_2601_21261
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle User-Centric Phishing Detection: A RAG and LLM-Based Approach
Barwani, Abrar Hamed Al
Korba, Abdelaziz Amara
Anwar, Raja Waseem
Cryptography and Security
The escalating sophistication of phishing emails necessitates a shift beyond traditional rule-based and conventional machine-learning-based detectors. Although large language models (LLMs) offer strong natural language understanding, using them as standalone classifiers often yields elevated falsepositive (FP) rates, which mislabel legitimate emails as phishing and create significant operational burden. This paper presents a personalized phishing detection framework that integrates LLMs with retrieval-augmented generation (RAG). For each message, the system constructs user-specific context by retrieving a compact set of the user's historical legitimate emails and enriching it with real-time domain and URL reputation from a cyber-threat intelligence platform, then conditions the LLM's decision on this evidence. We evaluate four open-source LLMs (Llama4-Scout, DeepSeek-R1, Mistral-Saba, and Gemma2) on an email dataset collected from public and institutional sources. Results show high performance; for example, Llama4-Scout attains an F1-score of 0.9703 and achieves a 66.7% reduction in FPs with RAG. These findings validate that a RAG-based, user-profiling approach is both feasible and effective for building high-precision, low-friction email security systems that adapt to individual communication patterns.
title User-Centric Phishing Detection: A RAG and LLM-Based Approach
topic Cryptography and Security
url https://arxiv.org/abs/2601.21261