“…In the most direct version of this approach, the experimenter tries to phish people in the lab, for example by having them browse real and phishing websites to see whether or not they divulge sensitive information (Gavett et al, 2017). Other lab-based experiments involve roleplaying another person checking their emails (Downs, Holbrook, & Cranor, 2007;Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010) or rating a series of emails according to how suspicious they appear or how likely the person would be to respond to such an email (Alsharnouby, Alaca, & Chiasson, 2015;Dhamija, Tygar, & Hearst, 2006;Jones, Towse, Race, & Harrison, 2019;Kelley & Bertenthal, 2016;Rajivan & Gonzalez, 2018;Wood, Liu, Hanoch, Xi, & Klapatch, 2018;Yan & Gozu, 2012). Despite the increased experimental control offered by these lab-based tasks, the extent to which these measures are ecologically valid remains unknown.…”