Phishing attacks by email continue to be one of the biggest cyber security threats facing people in the internet age. As phishing attacks become more advanced and innovative, there are more and more examples of AI being used to generate realistic-looking phishing emails. This work proposes and tests a framework for phishing email detection by combining hybrid deep learning and explainable AI (XAI). A large-scale, multi-source data set was built, consisting of 106,135 emails from three open corpora: Enron Email Dataset, Phishing Email Dataset, and the Education-Targeted Phishing Email Dataset. Various classification architectures were implemented and tested under the same conditions, including traditional machine learning models (SVM, Logistic Regression, Random Forest), deep learning models (CNN, LSTM, GRU, RNN, BiLSTM), transformer-based models (BERT, RoBERTa), dual hybrid models, and multi-model hybrid models. The GRU-RoBERTa hybrid model obtained the best results, with 97.81% accuracy, 97.34% precision, 98.27% recall and 97.80% F1-Score, better than all standalone models. To improve interpretability and uncover the most important phishing signals, LIME and SHAP explainability techniques were incorporated. A working prototype was implemented on the web and shown to run on standard CPU computers. The results validate the potential of a hybrid architecture comprising transformer-based contextual learning with sequential neural networks for effective and interpretable phishing detection in real-world cybersecurity applications.

This study proposed and evaluated an intelligent phishing email detection framework for modern web-based environments using traditional machine learning, deep learning, transformer-based architectures, hybrid intelligent models, and Explainable Artificial Intelligence techniques. A large-scale multi-source phishing email dataset comprising 106,135 email records was constructed through the integration of the Enron Email Dataset, the Phishing Email Dataset, and the Education-Targeted Phishing Email Dataset, thereby improving dataset diversity, contextual variability, and experimental consistency. The experimental findings demonstrated a clear performance progression across the investigated architecture categories. Traditional machine learning models achieved acceptable baseline performance, with SVM reaching 94.91% accuracy. Standalone deep learning architectures improved performance, with CNN achieving 97.22% accuracy. Transformer-based models further advanced classification through bidirectional semantic representation, with BERT achieving 97.75% accuracy. Hybrid architectures consistently outperformed standalone models, with the GRU+RoBERTa hybrid achieving the strongest overall performance with 97.81% accuracy, 97.34% precision, 98.27% recall, and 97.80% F1-score. Increasing architectural complexity through triple hybrid integration did not consistently guarantee proportional performance improvement beyond optimised dual hybrid architectures. The integration of LIME and SHAP explainability techniques significantly improved model interpretability, transparency, and trustworthiness. Key phishing-related textual indicators including urgency expressions, credential verification requests, and suspicious action words were identified as the most influential features in phishing classification decisions. The functional web-based prototype confirmed practical deployment capability on standard computing resources without GPU requirements, with response times of approximately 1–2 seconds per email.

[1] A. Alhuzali, A. Alloqmani, M. Aljabri, and F. Alharbi, “In-Depth Analysis of Phishing Email Detection: Evaluating the Performance of Machine Learning and Deep Learning Models Across Multiple Datasets,” Appl. Sci., vol. 15, no. 6, pp. 1–30, 2025, doi: 10.3390/app15063396. [2] D. Rathee and S. Mann, “Detection of E-Mail Phishing Attacks – using Machine Learning and Deep Learning,” Int. J. Comput. Appl., vol. 183, no. 47, pp. 1–7, 2022, doi: 10.5120/ijca2022921868. [3] C. S. Eze and L. Shamir, “Analysis and Prevention of AI-Based Phishing Email Attacks,” Electron., vol. 13, no. 10, 2024, doi: 10.3390/electronics13101839. [4] C. Opara, P. Modesti, and L. Golightly, “Evaluating spam filters and Stylometric Detection of AI-generated phishing emails,” Expert Syst. Appl., vol. 276, no. February, p. 127044, 2025, doi: 10.1016/j.eswa.2025.127044. [5] M. Hosseinzadeh et al., “Improving phishing email detection performance through deep learning with adaptive optimization,” Sci. Rep., vol. 15, no. 1, pp. 1–16, 2025, doi: 10.1038/s41598-025-20668-5. [6] H. Li, J. Yang, Y. Li, and K. Li, “Email phishing attack detection based on BERT transformer model,” vol. 13395, no. Oece, p. 114, 2024, doi: 10.1117/12.3049161. [7] B. B. Gupta et al., “Advanced BERT and CNN-Based Computational Model for Phishing Detection in Enterprise Systems,” C. – Comput. Model. Eng. Sci., vol. 141, no. 3, pp. 2165–2183, 2024, doi: 10.32604/cmes.2024.056473. [8] M. A. Uddin, M. Mahiuddin, and I. H. Sarker, “An Explainable Transformer-based Model for Phishing Email Detection: A Large Language Model Approach,” Comput. Networks, vol. 277, no. December 2025, p. 112061, 2025, doi: 10.1016/j.comnet.2026.112061. [9] S. Atawneh and H. Aljehani, “Phishing Email Detection Model Using Deep Learning,” Electron., vol. 12, no. 20, 2023, doi: 10.3390/electronics12204261. [10] N. Altwaijry, I. Al-Turaiki, R. Alotaibi, and F. Alakeel, “Advancing Phishing Email Detection: A Comparative Study of Deep Learning Models,” Sensors, vol. 24, no. 7, pp. 1–19, 2024, doi: 10.3390/s24072077. [11] S. Jamal, H. Wimmer, and I. H. Sarker, “An improved transformer‐based model for detecting phishing, spam and ham emails: A large language model approach,” Secur. Priv., vol. 7, no. 5, 2024, doi: 10.1002/spy2.402. [12] B. Lim, R. Huerta, A. Sotelo, A. Quintela, and P. Kumar, “EXPLICATE: Enhancing Phishing Detection through Explainable AI and LLM-Powered Interpretability,” 2025, [Online]. Available: http://arxiv.org/abs/2503.20796 [13] R. Din, A. H. Shakir, S. H. Ali, A. J. Qasim Almaliki, and S. Utama, “Exploring Steganographic Techniques for Enhanced Data Protection in Digital Files,” International Journal of Advanced Research in Computational Thinking and Data Science, vol. 1, no. 1, pp. 1-9, 04/19 2024, doi: 10.37934/ctds.1.1.19a. [14] A. J. Almaliki, O. Ghazali, and R. Din, “Advanced Steganography Methods in Modern Cybersecurity,” International Journal of Engineering and Techniques (IJET), vol. 12, no. 3, pp. 172-178, 2026/5. [15] A. J. Qasim Almaliki et al., “Application of the Canny Filter in Digital Steganography,” Journal of Advanced Research in Computing and Applications, vol. 35, no. 1, pp. 21-30, 05/17 2024, doi: 10.37934/arca.35.1.2130.

© 2025 International Journal of Engineering and Techniques (IJET).

Digital Object Identifier (DOI)

IJET assigns a unique DOI to every accepted article via Zenodo for persistent linking and citation. Your article’s DOI: https://doi.org/{{doi}}

Open DOI About Zenodo DOI

Close