Phishing attacks remain effective because they exploit human decisions at the moment of action, often before automated defenses intervene. Established countermeasures focus on detection systems or awareness campaigns but rarely provide non-expert users with a formally specified decision procedure. This work presents a lightweight, deterministic phishing avoidance algorithm that users can execute without specialized tools. The algorithm evaluates a finite set of observable indicators and applies a monotonic risk score to produce allow, caution, or block decisions. Formal properties of the procedure include monotonicity, bounded complexity, and decision traceability. A controlled study with 96 participants and 72 messages per participant showed that algorithm use increased mean classification accuracy from 68.4% to 84.7% and reduced the false-negative rate from 31.9% to 11.3%. Median decision time rose from 6.2 s to 8.7 s. These results show that phishing avoidance can be expressed as a human-executable algorithm rather than as advisory guidance, and that structured decision rules can measurably improve user-level security outcomes.
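The sketch below is an added example, not the authors' algorithm: it shows the general shape the abstract describes (a finite indicator checklist, a monotonic additive score, three decisions, and a trace of what contributed). The indicator names, weights, and thresholds are assumptions constructed for illustration, since the abstract does not list them.

```python
from itertools import combinations

# Hypothetical indicators and weights, constructed for illustration; the
# abstract does not give the paper's indicators, weights, or thresholds.
WEIGHTS = {
    "sender_domain_mismatch": 3,
    "link_text_differs_from_target": 3,
    "requests_credentials": 2,
    "urgent_or_threatening_tone": 1,
    "unexpected_attachment": 2,
}
CAUTION_AT, BLOCK_AT = 2, 5  # assumed thresholds
RANK = {"allow": 0, "caution": 1, "block": 2}

def decide(observed):
    """Return (decision, score, trace) for a set of observed indicators."""
    unknown = set(observed) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    # One pass over a fixed checklist: the work is bounded by len(WEIGHTS).
    # The trace records which indicators fired and what each contributed.
    trace = [(name, w) for name, w in WEIGHTS.items() if name in observed]
    score = sum(w for _, w in trace)
    if score >= BLOCK_AT:
        decision = "block"
    elif score >= CAUTION_AT:
        decision = "caution"
    else:
        decision = "allow"
    return decision, score, trace

def is_monotonic():
    """Exhaustive check: observing one more indicator never lowers the decision."""
    names = list(WEIGHTS)
    for r in range(len(names) + 1):
        for subset in combinations(names, r):
            base = RANK[decide(set(subset))[0]]
            for extra in names:
                if RANK[decide(set(subset) | {extra})[0]] < base:
                    return False
    return True

if __name__ == "__main__":
    # Constructed observations for two sample messages.
    print(decide({"urgent_or_threatening_tone"}))
    print(decide({"requests_credentials", "link_text_differs_from_target"}))
    print("monotonic:", is_monotonic())
```

Monotonicity holds here because every weight is non-negative and the thresholds are ordered; a negative weight or an indicator that cancels another would break the property, and `is_monotonic()` would report it.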
Gagniuc et al. (Wed,) studied this question.
www.synapsesocial.com/papers/69d894326c1944d70ce05228 — DOI: https://doi.org/10.3390/a19040250
Paul A. Gagniuc
Ana Apetroaiei
Marius Claudiu Langa
Algorithms
Universitatea Națională de Știință și Tehnologie Politehnica București