“Account suspension. Verify now”: using systemic-functional linguistics to improve phishing text advisories for vulnerable groups | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Article “Account suspension. Verify now”: using systemic-functional linguistics to improve phishing text advisories for vulnerable groups Desiree Kawabata This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-7532083/v1 This work is licensed under a CC BY 4.0 License Status: Under Review Version 1 posted 10 You are reading this latest preprint version Abstract Digital scams are a reality of a connected society, and vulnerable populations, particularly the elderly and individuals from non-English speaking (NESB) backgrounds, face significant risks. These groups often struggle to recognise scam tactics due to technological and language barriers, rendering them susceptible to cyberfraud victimisation. By comparing 106 phishing text messages in Australia with legitimate text messages sent by frequently imitated organisations, this study examined the threat of phishing text messages, which account for substantial financial losses and reduced wellbeing globally. Using systemic-functional linguistics (SFL), a framework that ties language choices to context and function, specific linguistic features that manipulate receivers of phishing messages were identified. Results of the analysis showed that different clause types; time, location, and manner markers; high modality; and conjunctive use, were influential in creating urgency and authority, and eliciting emotional responses to phishing messages. Many current advisory resources offer generalised advice and explanations of scam tactics, yet fail to include concrete examples of such communications. By aligning linguistic analysis with human behavioural constructs and public policy, the results of this study have implications for the protection of vulnerable community groups from growing cyber threats through enhancing advisory content, and by developing automated scam detection systems. Business and commerce/Information systems and information technology Physical sciences/Mathematics and computing Biological sciences/Psychology Social science/Psychology Social science/Science technology and society Systemic-functional linguistics scams phishing cyberfraud vulnerable populations scam detection Figures Figure 1 1 Introduction The dramatic rise in digital scams poses crippling financial and emotional risks to individuals. Vulnerable groups, such as the elderly and those from non-English speaking backgrounds (NESB), are disproportionately affected, with global losses exceeding 1 trillion US dollars annually (GASA 2024). In Australia alone, in the year to May 2025, scams accounted for almost $ AUD 119 million in personal losses - a 28% increase from the previous year (ACCC 2025). Phishing attempts via unsolicited text messages are the most common approach, and also on the rise (ACCC 2025; ScamWatch 2025 ). Despite increasing public awareness, many individuals remain ill-equipped to recognise and respond effectively to scams. The use of urgent and threatening language in phishing texts requires rapid identification, yet this can be especially difficult for those with limited digital or linguistic proficiency. Older adults often face technological challenges, while NESB individuals, who are statistically more responsive to threat-based messaging (ACCC 2022), may overlook subtle linguistic cues, even those missed by highly proficient speakers of English. As a result, people aged over 65 and those from Culturally and Linguistically Diverse (CALD) communities are consistently overrepresented in scam victim statistics (ACCC 2025; ACMA 2022; Koning et al. 2024 ; Voce and Morgan 2023 ). Systemic Functional Linguistics (SFL) offers a valuable framework for addressing this challenge. By analysing how language functions in context, particularly in constructing interpersonal meaning and shaping communicative intent, SFL enables detailed examination of the persuasive techniques embedded in scam messages. This linguistic lens provides a means to decode how scammers exploit language to evoke fear, create urgency, and prompt compliance. Scammers frequently impersonate trusted institutions such as banks, postal services, delivery companies, and government agencies. Existing resources provide general warnings; however, they tend to focus on behavioural cues and general descriptions of scams rather than unpacking the specific language features used to deceive. The ACCC’s Little Black Book of Scams offers multilingual advice regarding scams but does not contain any exemplification of scam language itself. Incorporating linguistic exemplars of patterns of grammar, vocabulary, and tone commonly found in phishing messages can offer clearer, more accessible guidance. Such insights are particularly valuable for at-risk groups who may benefit from targeted, language-focused strategies to support scam detection. The SFL framework used in this study is well-suited as an analytic tool as it describes how language functions in different contexts, particularly in relation to communicative goals and social purposes. By identifying the recurring patterns of manipulative language, the study aims to enhance advisory content and potentially inform scam detection algorithms, ultimately reducing susceptibility to phishing attempts among vulnerable community members. Institutions and governments are turning to computational and artificial intelligent systems to aid in the detection of phishing messages (GASA 2025), and SFLs rule-driven systematic frameworks are increasingly informing language processing models in multiple fields (Bateman et al. 2019 ; Mahowald et al. 2024 ; Sharoff 2025 ; Zhang 2025 ). 2 Literature review The evolution of digital communication methods enables widespread fraudulent activities. In Australia, unsolicited text messages represent a primary vehicle for scams, with a notable increase in reports over recent years (Department of Infrastructure, Transport, Regional Development, Communication and the Arts 2024). According to the Australian Government’s ScamWatch, SMS/text messages were one of the most reported contact methods for scams in 2025, highlighting the need for a critical response and research focusing on this communication mode. 2.1 Phishing ‘Phishing’ is an attempt to deceive a message’s recipient into providing personal information or passwords, subsequently used for identity theft or financial fraud. To encourage prompt action, tactics include falsely claiming suspicious account activity, creating false invoices, fabricating account issues, requesting additional or updated personal or financial information, or advising of fake refunds or offers[1] . Such messages direct recipients to fake sites through malicious links. Phishing is an all-encompassing term, and other terminology is continually emerging to describe particular phishing activity. For example, ‘smishing’ occurs via SMS messaging, and ‘vishing’ through voice messaging. The general term ‘phishing’ is used throughout for simplicity. Phishing involves sending impersonal malicious messages to large volumes of random recipients in a ‘hit-and-miss' approach. For example, as the number of online shoppers has increased, scammers may send messages about undelivered parcels to a large database of mobile numbers, with the likelihood that some recipients have recently purchased items online. Similarly, after the end of the Australian financial year, scam text messages purporting to be from the Australian Tax Office (ATO) rise (ACMA 2024; ATO 2024) as the relevance to the recipient increases during this period. 2.2 Impact The economic impact of scams is profound, affecting individuals, businesses, and wider society. The ACCC (2025) reported that of the $ 119 million lost to scams in the first four months of 2025, $ 14 million of these losses occurred through phishing attacks. Both small and large businesses bear heavy financial burdens from cyber fraud. In addition to monetary losses, individuals suffer significant personal impacts (Achuthan et al., 2025 ), and these effects on two vulnerable groups are discussed here. 2.2.1 Vulnerable populations Elderly individuals, and those from non-English speaking or CALD backgrounds, are more vulnerable to scams. Cognitive decline, limited digital literacy, and language barriers increase their susceptibility (ACCC 2024a; ACMA 2022; James et al. 2014 ; Mohammad et al. 2022 ; Voce and Morgan 2023 ). Older age increases the likelihood of falling victim to cyberfraud or scam messages (Bolimos and Choo 2017 ; Grilli et al. 2021 ; James et al. 2014 ; Whitty 2019 ), and older populations often experience greater financial losses (National Seniors Australia 2024 ). People with limited English proficiency are also overrepresented in scam statistics (NASC 2024b). Cybercriminals capitalise on lower language proficiency, making their tactics more effective. While having English as a first language does not guarantee detection of leakage clues and red flags (see section 2.4.1 below), those from NESBs face greater challenges (Hasegawa et al. 2022 ). People who have suffered financially through scam victimisation experience emotional and psychological effects along with ongoing economic impacts. Although the extant literature focuses overwhelmingly on the psychological reasons for scam susceptibility rather than the impacts of victimisation (Borwell et al. 2022 ; Palassis et al. 2021 ; Whitty and Buchanan 2015 ), there is growing evidence that victims suffer from anxiety, shame, and a deep sense of betrayal which can have consequences for emotional and mental wellbeing (Australian Human Rights Commission 2024 ; Bada and Nurse 2020 ; Button et al. 2020 ; Leukfeldt and Malsch 2019 ; Norfolk State University 2023 ). These impacts consequently affect personal relationships and overall well-being and are more pronounced in older populations (Bailey et al. 2021 ; Kemp and Erades Perez 2023. The emotional impacts of scam victimisation are compounded by financial repercussions and potential long term financial insecurity (Brenner et al. 2020 ). A comprehensive understanding of the underlying psychological mechanisms leading to these consequences is essential for developing targeted interventions and mitigating the enduring impacts of scam victimisation. 2.3 Psychological tactics Scammers employ various psychological tactics targeting human cognitive biases to manipulate their targets. Key strategies include creating a sense of urgency and using both overt and veiled threats to prompt immediate action. Given time for scrutiny, recipients can frequently identify scam messages; however, urgency and implied threats leave victims unprepared and open to deception (Reurink 2019 ; Steves et al. 2020 ). Human decision-making processes are affected when urgency cues and threats of loss are present in communication (Butavicius et al. 2022 ; Chowdhury et al. 2019 ; McAlaney and Hills 2020 ). Messages that include methods to mitigate or resolve threats are also effective in prompting phishing victims to perform actions such as clicking malicious links (House and Raja 2019 ). All anti-fraud agencies in Australia, and major institutions, include ‘urgency’ as a key indicator of a scam message in their advisory content, however few advisories include examples of representative language. Victims may possess an awareness of scam tactics, yet psychological and behavioural aspects (e.g. time pressure] can overwhelm even the best informed and ‘tech savvy’ individuals (Luo et al. 2013 ; Norris et al. 2019 ). This highlights the need for specific advisory content that can alert potential scam victims to the language used when these underlying malignant psychological tactics are present. 2.4 Current advisories With cyber fraud causing significant financial losses for Australian medium and large businesses (ASIC 2024), the Australian government’s National Anti-Scam Centre (NASC) works alongside law enforcement and the private sector to recognise and raise awareness about cyber fraud. Their efforts also involve legislating against the perpetrators of cyber-attacks and those who fail to allocate sufficient efforts to consumer protection (NASC 2024a; The Treasury 2023 ). Websites such as ScamWatch, and businesses and services commonly targeted by scammers, provide detailed information in multiple languages regarding scam types prevalent in society and cyberspace, including advice on recognising and reporting them. Two main themes are communicated through this consumer advisory content: leakage clues and red flags (see 2.4.1 below). A notable omission from many advisory sites and documents is specific language used to exemplify the characteristics and psychological tactics underpinning phishing attempts. 2.4.1 Leakage clues and red flags Deceptive clues, or ‘leakage clues’, are subtle indicators of sinister communication that persist despite a sender’s intention to appear legitimate (Ekman and Friesen 1969 ). In phishing text messages, these may manifest in non-standard grammar, inconsistent punctuation, or irregular lexical choices. These errors arise in response to amateur message development processes and when the scammers work where English is not a first language. Leakage clues are strong indicators of attempted phishing attacks; however, they can also occur as typographical errors in legitimate messages. Butavicius et al. ( 2022 ) found that although scam message identification improved when recipients focused on these errors, they rarely detected errors independently, even when advised of their presence. Existing advisory content emphasises more overt ‘red flags’ - clues that require recipients to infer deceptive intent based on common scam tactics. They are more difficult to detect and distinguish as scam messages. ‘Red flags’ include email addresses or links with incorrect domains, or language that is threatening or prompts immediate action. Despite the ubiquity of red flags in advisory content, urgent and threatening language is frequently noticed (and acted upon) before recognition of spelling errors and other leakage cues (McAlaney and Hills 2020 ). Identifying the underlying language of ‘red flags’ that carries manipulative force can be understood through the interpersonal and textual layers of meaning that SFL explores. For example, by examining features such as imperative mood, thematic choices, and clausal relations, SFL reveals how red flags function linguistically to influence behaviour and construct deceptive authority. ScamWatch’s advisories provide valuable and current information about what the public should understand to avoid becoming a phishing victim. Providing content in languages other than English and in a downloadable form (see The Little Book of Scams [2] ) is an excellent start in raising public awareness, aligning with Australia’s focus on providing information in accessible language (Skopal and Herke 2017). However, advisory sites and fact sheets do not show actual examples of language use that illustrate psychological tactics and red flags outlined in the documents and online. The Little Book of Scams has no examples of such language. Given the complex psychological and social engineering mechanisms underlying public advisory content around scams, the interpretation of threatening and/or urgent messages is likely a greater challenge for those with cognitive and linguistic disadvantages. By supporting current advisory content with concrete examples of common language used in scam messages, potential victims may recognise and report phishing messages more easily. 2.5 Systemic-functional linguistics Systemic-functional linguistics (SFL) offers a robust framework for analysing how language functions in social contexts (Halliday and Matthiessen 2014 ). SFL centres around how language choices reflect social processes and communication goals and how experiences, relationships, and channels of communication influence language. By examining the linguistic markers that scammers utilise, researchers can gain insights into how language is used to manipulate emotions, establish trust, and create urgency. SFL categorises meaning into three metafunctions: the ideational (representing ideas), the interpersonal (enacting social relationships), and the textual (organising discourse). Figure 1 below summarises the key linguistic features examined in this study and their alignment with each metafunction. The application of SFL to identify the specific language features in phishing text messages, provides a more nuanced understanding of the tactics used by scammers beyond surface level descriptions. 2.5.1 The ideational metafunction In SFL, ideational meanings refer to how language choices represent experiences and actions. Speakers and writers express themselves depending on actions (processes), those involved in a communicative act (the participants), and the context of communication (the circumstances). Scammers manipulate ideational meanings using clausal structures and contextual language to misrepresent actions or events, making scams appear legitimate or urgent. When considering the participants in an interaction, scammers use language that evokes trust or positions them as an authority figure, resulting in the greater likelihood of a successful phishing attempt (Laroche et al. 2019 ; Liu et al., 2024 ). In SFL, language and meaning are intricately linked to the context of a situation and scammers can carefully select contextual and circumstantial elements of language to appear credible, create urgency, and encourage quick decisions void of critical thinking. By strategically employing ideational resources, scammers can appeal to potential victims’ emotions and cognitive biases, creating situations that are not rooted in reality. This tactic aligns with underlying psychological strategies that make scams sound convincing and thus likely to be acted upon. 2.5.1.1 Clause complexing Clause structure is central to ideational meaning (Halliday and Matthiessen 2014 ), and the order of clauses affects how messages of authority and urgency are communicated. Table 1 below exemplifies the types of clausal relationships in SFL, with dependent and independent clauses labelled (d) and (i) respectively. Table 1 Clausal relationships in SFL SFL term Definition Example Parataxis Equal-status clauses (i) + (i) We tried to deliver your package (i) , but nobody was home (i) . Hypotaxis Dependent relationship of one clause to another (i) + (d) or (d) + (i) We noticed the address was wrong (i) while attempting delivery (d) . Hypotactic structures in which the independent clause is in head (initial) position is an unmarked, or ‘usual’ structure. In such structures, dependent clauses add detail, context, or explanation, but are not the main focus of information; they are ‘backgrounded’ to follow a main clause (Halliday and Matthiessen 2014 ; Quirk 1985). The positioning of a hypotactic or paratactic clause in a clause complex is significant as it affects how information is perceived and what is given prominence in a message. For instance, in a clause complex such as, Your package has not been delivered due to incorrect address information Result Reason the independent result clause is in first position and the reason in second position. In contrast, when placed at the beginning of a clause complex, the result is a ‘marked’ clause in which hypotactic clauses draw immediate attention to the condition, reason, time, or purpose stated. For example, in Because your account was compromised , we need your information. Reason Result the reason for the request is foregrounded, with the subsequent result or required action being secondary. Since successful phishing attempts require prompt action by recipients, foregrounding negative results in head position may create a sense of urgency to act. The meaning of these different clauses and how they function in a clause complex relies on an understanding of the logico-semantic relations between clauses (Halliday and Matthiessen 2014 ) and how these are expressed through the use of conjunctions and phrases for the purposes of enhancing, extending, or elaborating (Halliday and Matthiessen 2014 ). Halliday and Matthiessen’s ( 2014 : 483) logico-semantic categories of cause-condition (enhancement), and addition and variation (extension), and how they relate to psychological tactics are shown below in Table 2 . Table 2 SFL logico-semantic relations of cause-condition, addition, and variation, and their role in phishing language Logico-semantic meaning Function in SFL Example Deceptive use in phishing Cause: reason Justify or explain an action or event • Because your account was compromised… • Due to delivery failure… • Presents a negative situation as the reason for the message. • Provides a reason for the initiation of the message. Cause: purpose Explain intended outcome of action • To avoid account closure… • To update your details… • So that we can… Frames the message as a legitimate request; implies urgency without explicitly threatening. This weakens the perception of threat and downgrades it to a warning (Walton, 2014 ). Cause: result Present an outcome or consequence • Your account has been locked… • Your parcel has been returned… • Emphasises negative consequences to justify the current state or message. • Normalises the scammer’s demand by presenting it as a logical outcome of the recipient’s (supposed) inaction or an error. Condition Establish cause and effect or hypothetical scenarios • If this was not you… • If you do not update your details… • Positions the condition as a threat and intensifies urgency through fear of negative consequences. Addition and alternation Add, vary, or present alternate ideas. • … or your account will be locked • … and verify your details Lists options or adds pressure by presenting multiple simultaneous threats or requests. Analysis of the construction and order of clauses, and the language used to represent the meaning between them, can thus reveal underlying deceptive tactics used to communicate with potential victims. 2.5.1.2 Circumstances Circumstantial elements provide additional situational context for a clause through adverbials and prepositional phrases (Halliday and Matthiessen 2014 ). Circumstances add information about an experience, explaining the “when, where, why and how” of it (Halliday and Matthiessen 2014 : 311). Investigating the language of phishing texts through the SFL tool of circumstance allows for understanding of the contextual elements employed by scammers to deceive victims. Temporal circumstances are frequently used to create exaggerated urgency and direct the recipient toward the scammer’s preferred action pathway. Halliday and Matthiessen’s ( 2014 ) temporal, manner, and locational circumstance types are explained below in Table 3 in relation to scam text communication. Table 3 Circumstance types in SFL Circumstance type Role in phishing messages Example Temporal Create time pressure by prompting impulsive action and reducing reflection time • …within 24 hours • …immediately Manner Provide instructional and procedural information to make processes appear legitimate and simple • By clicking this link… Locational Enhance legitimacy by mimicking expected interaction patterns • at the link below Linguistic tactics through circumstantial elements provide context around links presented in a phishing message and influence the receiver’s ability to critically analyse the message given the urgency and ease presented in the texts. 2.5.2 The interpersonal metafunction Interpersonal meanings in SFL focus on how interactional language establishes and manages relationships between participants. Relevant phenomena include the roles of interactants (e.g. authority), interpersonal distance, politeness, and formality, as well as how language is used to express attitudes, evaluations, and perform communicative acts such as informing, questioning, greeting, and persuading (Halliday and Matthiessen 2014 ). SFL’s ‘mood’ system provides grammatical resources for text producers to communicate their interpersonal meanings by categorising sentences or utterances into different types (statements, questions, or commands), based on how the writer or speaker positions themselves (Halliday and Matthiessen 2014 ). The main elements of the mood system (sub-classifications exist, but are not relevant for this study), based on Halliday and Matthiessen’s ( 2014 ) classification are as follows: Indicative mood - allows a speaker/writer to express facts (declarative mood) or seek information (interrogative mood). Imperative mood - allows a speaker/writer to issue commands or requests. The type of mood (and the speaker/writer’s position in relation to the message’s recipient) is represented in a clause through the subject (the person or thing), finite (tense or modality), polarity (positive or negative), and their relative positions to one another. For example, She is reading a book. Declarative mood Is she reading a book? Interrogative mood Read a book! Imperative mood 2.5.2.1 Imperative mood The imperative mood is of particular importance when applying interpersonal meaning to language used in phishing texts. Scammers gain trust and guide emotional responses by manipulating interpersonal language. A goal of phishing is to quickly establish a trusting relationship. Scammers position themselves as organisational or institutional authority figures, or trusted individuals (usually representing a familiar organisation) to build trust (Bravo and Toska 2023 ). The tone of their messages is carefully selected to enhance the credibility and raise the likelihood of compliance. The demanding tone of imperative statements discourages reflection, creates a sense of a non-negotiable command, and establishes the scammer as an authority figure (Ferreira and Teles 2019 ). 2.5.2.2 Modality Grammatical modality refers to the degree of certainty, necessity, or possibility in a statement, typically conveyed through modal verbs (e.g., can, will, must) or modal adverbs (e.g., definitely, possibly). Modality allows speakers to express their attitudes toward the likelihood, obligation, or permission of an action or event (Halliday and Matthiessen 2014 ). SFL classifies modality into two major systems – modalization and modulation (Halliday and Matthiessen 2014 ). These systems, along with their functions and examples are tabulated here in Table 4 : Table 4 Modal processes in SFL System Modal type Function Example Modalization Probability Express likelihood may, might, will Usuality Express frequency usually, always Modulation Obligation Express required actions must, should, have to Inclination Express willingness, intention, or ability will, would, can, could Modality is expressed on a cline of low to high, with high modality representing the greatest limitation of flexibility in meaning. For example, in You must be home by 8pm , the message recipient does not have freedom to choose when they should be home, as the limitation is imposed upon them with the modal verb of obligation, ‘must’. In combination with imperative mood, modality plays a critical role in shaping the perceived authority and urgency of messages, which can be exploited in phishing attempts to manipulate recipients into compliance by reducing their agency. 2.5.3 The textual metafunction The textual metafunction in SFL considers how language is organised to create cohesive and coherent communication. Skilfully organising information allows text producers to shape their messages logically and convincingly. Logical and persuasive communication patterns commonly occurring in phishing messages - such as establishing problems, highlighting a need for immediate action, and providing a solution (usually a malicious link) - present messages naturally and convincingly. At a sentence level, two elements combine to create a coherent, persuasive phishing message: the ‘thematicised’ content, and the cohesive device of conjunction. 2.5.3.1 Theme Halliday and Matthiessen ( 2014 ) separate clausal organisation into two elements: Theme and Rheme. The Theme is the content in first position in a clause, “the point of departure for [a] message” (Halliday and Matthiessen 2014 : 83) and orients the reader to what the rest of the message (the Rheme) is about. Scammers can control the salience of a message by selecting what is in thematic position to attract attention and persuade phishing targets to act impulsively. Urgency is highlighted by placing instructions or threats at the start and suspicious details are given less prominence by placement in Rheme position. This aligns with the order of content at the ideational level by manipulating clausal structure to highlight content (see section 2.5.1 above). Whereas analysis at the ideational level is more associated with underlying meanings (such as purpose, reason), at the textual level, clausal order determines which part of a message is given prominence. 2.5.3.2 Conjunctions Cohesive devices are linguistic tools used to link sentences, clauses, or spans of text to create logical connections. They function to connect the meanings represented in the logico-semantic system (explained in 2.5.1 above). Halliday and Hasan ( 1976 ) present conjunctions as key devices for building cohesion, and these are relevant to examining phishing messages in this study. Using certain conjunctions can persuade recipients of phishing messages to act by framing the communication as a consequence of inaction or by establishing authority and placing blame on the recipient. Examples of these are underlined above in Table 2 in section 2.5.1.1 . Scammers achieve their objectives by manipulating language to exploit human vulnerabilities when threatened by prompting them to take immediate action. The ability to recognise these approaches can help with detection at both a human and automated level and facilitate the detection of, and response to, phishing messages. To better understand the role of SFL analysis in recognising these language features, the following questions are posed to guide this analysis: RQ1: What are the linguistic features of unsolicited scam texts that create urgency and obligation? RQ2: How can these features be exemplified in advisory messages tailored to the linguistic needs of vulnerable populations? 3 Methodology This study adopts a mixed-methods approach to analyse the linguistic features of scam messages. A total of 106 samples of unsolicited phishing attempts via text messages were collected in Australia, along with a comparative corpus of 16 legitimate text messages. SFL tools were employed to focus on specific language indicative of phishing strategies. 3.1 Data collection Phishing text samples were collected from online platforms including forums and communities, cyber awareness and protection websites (ScamWatch Australia, Australian Cybersecurity Centre, Australian Communication and Media Authority, PhishTank), organisation and institution advisory web pages (banks, Australia Post, delivery companies, Transport NSW, Translink QLD), and public databases. The 16 legitimate text messages were selected to reflect the messages scammers frequently imitate. Some legitimate samples were sourced from publicly available reliable sources such as ScamWatch, while the others required correspondence with government organisations, registered businesses and the submission of evidence of the legitimacy of this research project. Legitimate text messages are less likely to be reported and discussed in public domains, and organisations are reluctant to share examples of these unless they are being sent to intended recipients. There were fewer legitimate samples to compare as many of those provided included slightly altered wording. To maintain the integrity of the analytical process, only unique samples were selected and analysed. The coding of messages followed systemic-functional linguistic categories across ideational, interpersonal, and textual metafunctions, guided by Halliday and Matthiessen ( 2014 ). Coding categories included clause complexing, logico-semantic relations, mood, theme, and conjunction type. A pilot coding of 10 texts (5 phishing, 5 legitimate) was conducted to refine the category definitions. To ensure consistency, coding was cross-checked by a second SFL-informed researcher on a subset (20%) of the texts, and discrepancies were discussed and resolved collaboratively. Inter-rater reliability was not formally calculated but agreement was high during calibration. Although the legitimate message set (n = 16) is smaller than the phishing corpus, its function is comparative rather than representative. Small, focused control corpora are common in discourse analysis studies that prioritise qualitative depth over quantitative balance and can be valuable for data extraction (Rheindorf 2019 ). In this case, the legitimate texts serve to highlight contrasting linguistic patterns and functions, and their selection was based on maximum variation (e.g., institutions, message purposes). The sufficiency of this size and approach aligns with prior studies into the analytic value of smaller primary corpora in discourse studies (Bednarek 2009 ; Hunston 2022 ; Mair 2014 ; Rheindorf 2019 ). 3.2 Linguistic analysis Quantitative and qualitative examination of the samples focuses on specific language features that create a sense of urgency and obligation. All phishing messages were analysed and compared to the same analyses conducted on the legitimate samples. 3.2.1 Clause complexing Clause boundaries were delineated according to SFL conventions with a clause defined as a unit of language (written or spoken) containing a finite verb expressing tense or modality. The clauses in each message were categorised into paratactic or hypotactic structures and the head clause identified in each. The number of head clauses in initial position was calculated in comparison to the overall number of clause complexes to determine overall clause complexity. Clauses were then functionally labelled as ‘reason’, ‘purpose’, ‘result’, or ‘condition’ based on(Halliday and Matthiessen’s ( 2014 ) categorisation, and the number of occurrences of each was compared to the number of clause complexes. Since clauses contain three layers of meaning – ideational, interpersonal, and textual – the positioning of clauses in relation to one another influences urgency (ideational), tone and authority (interpersonal), and prominence (textual). 3.2.2 Circumstances Circumstantial elements were analysed to assess how temporal, manner, and location details create urgency and influence recipients' actions. The number of messages containing circumstances was calculated and labelled according to their function (‘temporal’, ‘manner’, or ‘location’). Subsequent qualitative examination investigated their role in prompting an immediate response and reducing the identification of ‘red flags’, which included analysing their proximity to malicious links. 3.2.3 Imperative mood The number of clauses containing imperative mood structures was compared to the overall number of clauses. The location of these structures in relation to malicious links was investigated qualitatively to determine how these patterns contribute to scammers’ authoritative and demanding positioning in text messages. 3.2.4 Modality To determine the influence of modality on responses to phishing texts, the percentage of messages containing modal processes was calculated. Further quantitative analysis compared the frequency of modal processes involving obligation and inclination. These were subsequently categorised into high, median, or low modality based on Halliday and Matthiessen’s ( 2014 : 171) classification. 3.2.5 Conjunctions The relationship between clauses and the use of justification, blame, or threats to prompt a recipient to action, and the types of conjunctions used to link clauses were collected and qualitatively examined. For analysing clause complexing relations, the number of clauses of alternation’, ‘reason’, ‘purpose’,’ result’, and’ condition’ were calculated by comparing the instances of these to the total number of clause complexes and qualitatively assessed for the underlying semantic constructs these represented. 4 Results The results of the analysis of scam and legitimate messages is presented below based on the SFL categories relevant to examining scam messages across the ideational, interpersonal, and textual metafunctions. Each linguistic feature is reported with findings from both the scam and legitimate samples. Samples are numbered with ‘L’ preceding the number indicating a legitimate sample, and ‘S’ being a sample from the scam data. 4.1 Clause complexing 66 scam samples (62%) contained a clause complex structure. Similarly, results of the analysis of legitimate samples showed 62.5% contained a clause complex. However, the type of clausal structure different significantly between the scam and legitimate messages. Table 5 below presents the frequencies and proportions of key clause complexing patterns identified in the scam and legitimate messages, based on Halliday and Matthiessen’s ( 2014 ) clausal function categories. Table 5 Clause complexing in scam vs legitimate messages Clausal structure Number of occurrences in scam messages containing a clause complex (n = 66) % Number of occurrences in legitimate messages containing a clause complex (n = 10) % Result - purpose 26 39.4 1 10.0 Result - reason 18 27.3 0 0.0 Purpose - result 10 15.2 1 10.0 Reason - result 5 7.6 0 0.0 Conditional 7 10.6 8 80.0 These results demonstrate that scam messages use complex clause structures more frequently to present instructions (results) alongside justifications (reasons or purposes), such as in sample S66 below: Your parcel has been redirected to your local AusPost branch due to unpaid shipping fees. In contrast, legitimate messages were mostly declarative and informational, with minimal complexing, such as in sample L2 which states: From ANZ: Your internet banking password has been updated. Notably, legitimate texts did not include any reason clauses to justify the message, which may reduce their susceptibility to misinterpretation. A striking finding is the high proportion of conditional clauses in the legitimate samples. These texts used conditional clauses to inform and offer contact pathways, for example, If nobody’s home, we will look for a safe place to leave it. (L3) If you didn’t make this change, please call us on XXXX . (L1) In contrast, scam texts used conditional clauses more sparingly, likely to avoid overly obvious threat structures. When present, they framed direct consequences of inaction, such as, Your Optus plan will be terminated if you do not update your details now (S77), or in instances when used to provide instructions to rectify an error or issue, they were followed by a highlighted link, presumably to a phishing site. The following example shows a conditional clause followed by a malicious link from sample S62. if you didn’t make this change Go To (malicious web address) immediately [sic] While conditional clauses can be used to communicate threats, and are a known ‘red flag’, threatening language in the scam texts was presented more subtly, as will be explained in Section 4.6 below. 4.2 Purpose clauses preceding links No legitimate messages contained hyperlinks, aligning with various organisational advisories stating that links are never sent. All of the scam messages contained some active method to communicate with the scammers and 62 (59%) were contained within a purpose clause complex to explain why the recipient should click a link or call a specific number. For example, To update your details, login here (link). (S53) 84 messages (79%) indicated a negative consequence of not using a provided link, but not necessarily in the same clause complex. Negative outcomes for not using links were provided as veiled threats in 37% of scam messages due to the consequences stated. For example, Login via the secure link (link) to avoid account suspension . Although lexical analysis is not the focus here, it should be noted that the language used in stating the consequences of inaction was mostly material processes (action verbs) of restriction or deletion; examples are: suspended, fined, blocked, deleted. This finding could be explored in future studies. 4.3 Circumstances The number and percentage of scam and legitimate messages containing temporal, location, and manner circumstances is given below in Table 6 , followed by an overview of the results of each circumstance type. Table 6 Circumstances in scam vs legitimate messages Circumstance type Number of occurrences in scam messages (n = 106) % Number of occurrences in legitimate messages (n = 16) % Time 61 57.5% 0 0.0% Location 25 23.6% 2 12.5% Manner 25 23.6% 2 12.5% Temporal circumstances as urgency markers Temporal circumstantial adjuncts were used in almost 58% of the scam text messages and were exclusively used to intensify urgency and reduce the recipient's reflection time. These included phrases such as within 24 hours , by (date) , immediately , or now . In significant contrast, there were no such occurrences in the legitimate samples. Location and manner circumstances In the scam text messages, 24% contained a circumstance of location such as Click here or Verify at this link , and 24% contained a circumstance of manner such as By clicking this link , and all of these instances preceded malicious links. Circumstances of manner or location appeared in 12% of legitimate samples but were preceded by phone numbers which were not hyperlinked. This difference to scam texts which tended to pair circumstances with direct links reinforces the coercive action pathways typical in phishing strategies. 4.4 Imperative mood Just over 80% of legitimate messages contained imperative forms, while 107% (often more than one) of the analysed scam messages contained imperatives (shown below in Table 7 ). Table 7 Imperatives in scam vs legitimate messages Imperative use Number of occurrences % Scam messages (n = 106) 113 107 Legitimate messages (n = 16) 13 81 While both corpora employed imperatives, their usage differed significantly in function and intensity. The legitimate messages typically used imperatives in low-pressure or informational contexts (e.g., log in, visit ) and were not followed by hyperlinks. In contrast, for scam texts, imperatives were followed by direct links or phone numbers, and the range of imperatives was greater ( click, confirm, update, correct, verify, respond, review, pay ). These were often followed by immediacy markers of temporal circumstances (e.g. Pay now ; Confirm as soon as possible ). These patterns reflect the scammers’ strategic use of imperatives to establish authority and prompt rapid, impulsive responses. Targeted recipients with lower English proficiency, for example, may perceive such directives as non-negotiable instructions rather than optional suggestions. The processes used in imperatives in the legitimate messages indicated a method of contact ( call, log in, visit ), however, most of the imperatives in the scam messages were more specific and related to required actions to rectify a problem ( Confirm, Review, etc.). This variation in the imperative processes could be explored further and considered when developing awareness campaigns and example language. 4.5 High modality Modal use in scam and legitimate messages revealed distinct patterns aligned with interpersonal strategies. Phishing messages exploited modulation, particularly high obligation and high inclination to enforce compliance and simulate institutional authority. For example: You must verify your identity. Obligation (high modality) Your account will be suspended. Inclination (high modality) In contrast, legitimate messages tended to use inclination to describe what the organisation will do. For example, We will deliver your parcel tomorrow , and avoid obligation or threats, thereby maintaining an informative rather than coercive tone. Table 8 below shows the results of the modal analysis for the scam and legitimate samples. Table 8 Modal process analysis results from scam and legitimate samples Modality Type (Halliday & Matthiessen, 2014 ) Subtype Modal operator and value Number of occurrences in scam messages (n = 106) % Number of occurrences in legitimate messages (n = 16) % All modality 48 45 9 56 Modulation Obligation must - high 6 6 0 0 Modulation Obligation have to -high 2 2 0 0 Modulation Inclination will - high 28 26 6 37.5 Modulation Inclination would - medium 1 1 1 0.5 Modulation Inclination can/cannot - medium 9 (“cannot” = 6) 8 2 (“can”) 12.5 Modalization Probability May -low 2 2 0 0 Overall, 45% of scam messages included a modal process. Scam messages predominantly utilised high modulation, especially of obligation (e.g. must , have to ) and inclination (e.g. will , cannot ), with the latter occurring most often. These modal processes were used to construct a tone of authority, urgency, and implicit threat, such as in clause complexes emphasising negative outcomes for non-compliance. One such example is, Your account will be suspended. Over half (56%) of legitimate messages also included modal processes. The modal process of inclination, will , was the most frequently used, however its function in all cases was to describe positive sender actions that required no recipient intervention, such as, We’ll take it to a local post office . The tone of the legitimate messages was notably less coercive. Interestingly, legitimate texts often employed contracted modal forms (e.g. We’ll) which were almost entirely absent from the scam corpus, suggesting a potential attempt by scammers to convey formal institutional tone by avoiding contractions. These findings demonstrate that modality functions interpersonally in phishing texts to simulate authority and pressure recipients into compliance, whereas legitimate communications use modality to convey institutional action without imposing on the recipient. 4.6 Logico-semantic relations (‘or’ as alternative vs threat) One small, but potentially significant finding, was the use of the conjunctive relations of alternation - or and otherwise . In the legitimate samples, 38% contained the conjunction or to offer an alternative means of contact. For example, Login to myetoll.transport.nsw.gov.au; visit Service NSW or call 13 18 65 , or, Track via the AusPost website or in the app There were no instances of otherwise in the legitimate samples, but these were present in the scam samples. Although only slightly more than 7% of scam samples contained or or otherwise , their purpose was to threaten a recipient for inaction, for instance, Do this via bit.ly/myGovhelp within 24 hours or your account will be locked. Or was used slightly more frequently as it is less of an overt ‘red flag’ indicating a threat. It is possible that in the samples that used otherwise , the threatening undertone may have been overlooked by scammers due to lower English proficiency; another explanation may be that some texts were generated using AI technology, which can struggle to distinguish nuance in language. 5 Discussion The findings suggest that scam messages employ certain language structures to leverage urgency and authority. A striking difference between scam and legitimate messages lies in their use of clause complexing. Scam messages typically use complex sentence structures to build urgency or necessity, combining result, purpose, and reason clauses in ways that prioritise a recipient’s immediate response. In contrast, legitimate messages are generally simpler, with fewer complex clauses and no direct links. The relative complexity and demanding structure of scam messages increases their persuasive power, especially for vulnerable recipients who may have difficulty analysing complex sentence constructions or understanding implied and nuanced language. In scam advisories, highlighting these structural differences could help recipients identify patterns of scam messages. Advisories could exemplify differences between declarative and imperative language with linked consequences. In addition, examples of clausal patterns could help in scam identification and reduced impulsive responses. For vulnerable recipients, a justification for contact may increase compliance, especially when coupled with urgency markers and hyperlinks. Scam advisories aimed at vulnerable populations could explain that scam messages tend to provide reasons to click a link or take action and more importantly, list examples of such reasons (e.g. to avoid suspension ; due to non-delivery, etc .). A marked difference in the use of imperative mood between scam and legitimate messages was evident. Scam messages commonly use imperatives ( click; verify; respond ) paired with urgent time markers and consequences for non-compliance. These imperatives preceded links to malicious sites or requests for personal information, creating immediacy and compulsion. In contrast, imperatives in legitimate messages usually indicate methods of contact rather than immediate action. For elderly individuals or those with limited English proficiency, imperatives in scam messages may be particularly disorienting. The imperative mood, particularly when coupled with urgency, can lead recipients to feel a sense of obligation, which scammers exploit to prompt hasty actions. High modality to convey certainty and inevitability was revealed as a feature of phishing texts. Phishing attempts framed the modality around consequences arising from inaction. Legitimate messages, however, used high modality to express neutral actions by the sender without detrimental effects on the recipient. The finality and necessity conveyed through high modality is effective in persuading text recipients to respond to, and follow, prompts and links contained in messages due to their instructional nature. Finally, temporal circumstances necessitating prompt action were frequently used in phishing attempts and these temporal markers state that action must be taken within limited set time frames to prevent negative consequences. In contrast, legitimate messages did not contain any temporal circumstances, highlighting the false urgency that is a hallmark of scam messages. Although this use of time-sensitive language is a known red flag in phishing messages, advisories could highlight the specific temporal circumstantial markers commonly employed by scammers. 6 Conclusion This study demonstrates the value of systemic-functional linguistics (SFL) in identifying linguistic patterns that underpin phishing text messages. By analysing clause complexing, imperative mood, modality, and conjunctions, the research reveals how scammers construct urgency, authority, and emotional manipulation to prompt compliance. These findings are particularly relevant for vulnerable populations, such as elderly individuals and those from non-English speaking backgrounds, who may struggle to detect subtle linguistic cues. The study highlights the need for advisory content that includes concrete examples of scam language, rather than generalised warnings, to support more effective public awareness and scam prevention. While the study offers important insights, several limitations should be acknowledged. The phishing sample size (n = 106) was appropriate for a pilot investigation, but future research could benefit from a larger and more diverse dataset to enhance generalisability. The control corpus of legitimate messages was relatively small (n = 16), reflecting the difficulty in accessing authentic samples from institutions. Although this size is justified for comparative purposes and aligns with discourse analytic conventions, expanding the control set could strengthen future analyses. Additionally, while inter-rater checking was conducted, formal reliability metrics were not calculated. Future studies could incorporate more rigorous reliability testing and broaden the demographic and linguistic scope of the data. These findings have implications not only for improving scam advisories but also for advancing automated detection systems. As scammers increasingly adopt AI-driven methods to craft convincing messages, integrating SFL frameworks into large language models (LLMs) and other natural language processing (NLP) systems offers a promising avenue for real-time scam detection. By recognising psychological and linguistic cues tailored to specific vulnerabilities, such systems could provide enhanced protection for at-risk communities. Ultimately, this research contributes to a growing interdisciplinary effort to mitigate the impact of cyber fraud through linguistic, technological, and policy-driven strategies. Declarations Acknowledgments The author would like to thank Transport NSW and TransLink for their specific assistance and support during the data collection stage. Funding support This research was supported by funding from the Griffith University Centre for Social and Cultural Research. The was part of the GCSCR ECR Seed Funding Grant Scheme 2024 , an internal grant at Griffith University. Competing interests The author declares no competing interests. Data availability Some organisations that provided data did not agree to having it made publicly available. Approval to access data can be made by contacting the author. Ethical approval This article does not contain any studies with human participants performed by the author. Author contributions [Author] was the only author involved in the research and writing of this article. Informed consent This study did not involve human participants or their data and was not applicable to conducting the research. References Achuthan K, Khobragade S, Kowalski R (2025) Cybercrime through the public lens: a longitudinal analysis. Humanit Soc Sci Commun 12 :282 https://doi.org/10.1057/s41599-025-04459-x Australian Communications and Media Authority (ACMA) (2022) Reducing the impact of scams delivered via short message service (SMS): Regulation Impact Statement. https://www.acma.gov.au/sites/default/files/2022-07/Reducing%20the%20impact%20of%20SMS%20scams.docx. Accessed Sept 3 2025 Australian Communications and Media Authority (ACMA) (2024) End of financial year tax scams . https://www.acma.gov.au/articles/2024-06/end-financial-year-tax-scams. Accessed Aug 22 2025 Australian Competition and Consumer Commission (ACCC) (2022) Scam losses to culturally diverse communities, people with disability and Indigenous Australians almost doubled in 2021. https://www.accc.gov.au/media-release/scam-losses-to-culturally-diverse-communities-people-with-disability-and-indigenous-australians-almost-doubled-in-2021. Accessed Aug 28 2025 Australian Competition and Consumer Commission (ACCC) (2025) National anti-scam centre calls for stronger business role to disrupt scams. https://www.accc.gov.au/media-release/national-anti-scam-centre-calls-for-stronger-business-role-to-disrupt-scams. Accessed Aug 18 2025 Australian Human Rights Commission (2024) Cyberbullying, Human rights and bystanders. https://humanrights.gov.au/our-work/commission-general/cyberbullying-human-rights-and-bystanders-0#:~:text=Victims%20can%20experience%20significant%20social,committing%20suicide%20have%20also%20occurred. Accessed Aug 21 2025 Australian Securities and Investment Commission (ASIC) (2024) ASIC warns small businesses to be on high alert for scams. https://asic.gov.au/about-asic/news-centre/news-items/asic-warns-small-businesses-to-be-on-high-alert-for-scams/#:~:text=According%20to%20the%20Australian%20Competition,million%20of%20the%20total%20lost. Accessed Aug 22 2025 Australian Taxation Office (ATO (2024) Scam alerts . https://www.ato.gov.au/online-services/scams-cyber-safety-and-identity-protection/scam-alerts#August2023taxtimeSMSandemailscams. Accessed Aug 22 2025 Bada M, Nurse JRC (2020) The social and psychological impacts of cyber-attacks. In: Benson V, McAlaney J (eds) Emerging cyberthreats and cognitive vulnerabilities. Academic Press, p 73-92 https://doi.org/10.1016/B978-0-12-816203-3.00004-6 Bailey J, Taylor L, Kingston P, Watts G (2021) Older adults and “scams”: Evidence from the Mass Observation Archive. J Adult Prot 1 http://dx.doi.org/10.1108/JAP-07-2020-0030 Bateman J, McDonald D, Hiippala T, Couto-Vale D, Costetchi E (2019) Systemic functional linguistics and computation: New directions, new challenges. In: Thompson G, Bowcher WL, Fontaine L, Schönthal D (eds) The Cambridge handbook of systemic functional linguistics. Cambridge University Press, Cambridge, p 561-586 https://doi.org/10.1017/9781316337936.024 Bednarek M (2009) Corpora and discourse: a three-pronged approach to analyzing linguistic data. In: Cascadilla Proceedings Project, Somerville, MA, USA, p 19-24. Bolimos IA, Choo K-KR (2017) Online fraud offending within an Australian jurisdiction . J Financ Crime 24(2):277-308 https://doi.org/10.1108/JFC-05-2016-0029 Borwell J, Jansen J, Wouter S (2022) The psychological and financial impact of cybercrime victimization: A novel application of the shattered assumptions theory. Soc Sci Comput Rev 40(4):933-954. https://doi.org/10.1177/0894439320983828 Bravo C, Toska D (2023) The art of social engineering: uncover the secrets behind the human dynamics in cybersecurity, 1st edn. Packt Publishing https://www.oreilly.com/library/view/-/9781804613641/ Brenner L, Meyll T, Stolper O, Walter A (2020) Consumer fraud victimization and financial well-being. J Econ Psychol 76 https://doi.org/10.1016/j.joep.2019.102243 Butavicius M, Taib R, Han SJ (2022) Why people keep falling for phishing scams: The effects of time pressure and deception cues on the detection of phishing emails. Comput Secur 123 https://doi.org/10.1016/j.cose.2022.102937 Button M, Sugiura L, Blackbourn D, Kapend R, Shepherd D, Wang V (2020) Victims of Computer Misuse: Main Findings . University of Portsmouth. https://pure.port.ac.uk/ws/portalfiles/portal/20818559/Victims_of_Computer_Misuse_Main_Findings.pdf Chowdhury NH, Adam MTP, Skinner G (2019) The impact of time pressure on cybersecurity behaviour: A systematic literature review. Behav Inf Technol 38 (12):1290–1308. https://doi.org/10.1080/0144929X.2019.1583769 Commonwealth Fraud Prevention Centre (2024) The total impacts of fraud. Australian Government. https://www.counterfraud.gov.au/total-impacts-fraud. Accessed Aug 22 2025 Department of Infrastructure, Transport, Regional Development, Communication and the Arts (2024) Fighting SMS Scams – What type of SMS sender ID registry should be introduced in Australia? Commonwealth of Australia. https://www.infrastructure.gov.au/sites/default/files/documents/20240218-Consultation-paper-SMS-registry.docx. Accessed Aug 21 2025 Ekman P, Friesen WV (1969) Nonverbal leakage and clues to deception. Psychiatry J 32(1):88-106 https://doi.org/10.1080/00332747.1969.11023575 Ferreira A, Teles S (2019) Persuasion: How phishing emails can influence users and bypass security measures. Int J Hum Comput Stud 125:19-31 https://doi.org/10.1016/j.ijhcs.2018.12.004 Global Anti-Scam Alliance (GASA) (2024) International scammers steal over $1 trillion in 12 months in global state of scams report 2024. https://www.gasa.org/post/global-state-of-scams-report-2024-1-trillion-stolen-in-12-months-gasa-feedzai. Accessed Aug 22 2025 Global Anti-Scam Alliance (GASA) (2025) Scaling Real-Time Scam Prevention: Best Practices for Fraud Operations from Westpac. https://www.gasa.org/post/scaling-real-time-scam-prevention-best-practices-for-fraud-operations-from-westpac. Accessed August 19 2025 Grilli MD, McVeigh KS, Hakim ZM, Wank AA, Getz SJ, Levin BE, Ebner NC, Wilson RC (2021) Is this phishing? Older age is associated with greater difficulty discriminating between safe and malicious emails. J Gerontol B Psychol Sci Soc Sci 76(9):1711-1715 https://doi.org/10.1093/geronb/gbaa228 Halliday MAK, Hasan R (1976) Cohesion in English. Longman. Halliday MAK, Matthiessen CMIM (2014) Halliday's Introduction to Functional Grammar, 4th edn. Routledge, London. Hasegawa AA, Yamashita N, Akiyama M, Mori T (2022) Experiences, behavioral tendencies, and concerns of non-native English speakers in identifying phishing emails. J Inf Process 30 :841-858 https://doi.org/10.2197/ipsjjip.30.841 House D, Raja MK (2019) Phishing: message appraisal and the exploration of fear and self-confidence. Behav Inf Technol 39(11):1204–1224 https://doi.org/10.1080/0144929X.2019.1657180 Hunston S (2022) Corpora in Applied Linguistics. Cambridge University Press. James BD, Boyle PA, Bennett DA (2014) Correlates of susceptibility to scams in older adults without dementia. J Elder Abuse Negl 26:107-22 https://doi.org/10.1080/08946566.2013.821809. Kemp S, Erades Pérez N (2023) Consumer fraud against older adults in digital society: Examining victimization and its impact. Int J Environ Res Public Health 20(7):5404 https://doi.org/10.3390/ijerph20075404 Koning L, Junger M, Veldkamp B (2024) Risk factors for fraud victimization: The role of socio-demographics, personality, mental, general, and cognitive health, activities, and fraud knowledge . Int Rev Vict 30(3):443-479 https://doi.org/10.1177/02697580231215839 Laroche H, Steyer V, Théron, C (2019) How could you be so gullible? scams and over-trust in organizations. J Bus Ethics 160:641–656. https://doi.org/10.1007/s10551-018-3941-z Leukfeldt R, Malsch M (2019) Cybercrime has serious consequences for its victims. NSCR. https://nscr.nl/en/gevolgen-cybercrime-zeer-ingrijpend-voor-slachtoffers/. Accessed Jul 26 2025 Liu M, Liang X, Chen J (2024) Constructing identities in institutional impersonation fraud: self-styling and other-styling practices through stances. Humanit Soc Sci Commun 11:1467 https://doi.org/10.1057/s41599-024-03875-9 Luo X, Zhang W, Burd S, Seazzu A (2013) Investigating phishing victimization with the Heuristic-Systematic Model: A theoretical framework and an exploration . Comput Secur 38:28-38 https://doi.org/10.1016/j.cose.2012.12.003 McAlaney J, Hills PJ (2020) Understanding phishing email processing and perceived trustworthiness through eye tracking. Front Psychol 11 https://doi.org/10.3389/fpsyg.2020.01756 Mahowald K, Ivanova AA, Blank IA, Kanwisher N, Tenenbaum JB, Fedorenko E (2024) Dissociating language and thought in large language models. Trends Cogn Sci 28(6):517-540 https://doi.org/10.1016/j.tics.2024.01.011 Mair C (2014) Using ‘small’ corpora to document ongoing grammatical change. In: Krug M, Schlüter J (eds) Research Methods in Language Variation and Change. Cambridge University Press, p 181-194 Mohammad T, Hussin NAM, Husin MH (2022) Online safety awareness and human factors: An application of the theory of human ecology. Technol Soc 68 https://doi.org/10.1016/j.techsoc.2021.101823 National Anti-Scam Centre (NASC) (2024a) Together, we’re an unstoppable force. https://www.nasc.gov.au/#:~:text=The%20National%20Anti%2DScam%20Centre%2C%20run%2 0by%20the%20ACCC%2C,to%20spot%20a nd%20avoid%20scams. Accessed Sept 2 2025 National Anti-Scam Centre (NASC) (2024b) The national anti-scam centre launches online ScamWatch advice in 17 languages. https://www.nasc.gov.au/news/the-national-anti-scam-centre-launches-online-scamwatch-advice-in-17-languages#:~:text=%E2%80%9CCulturally%20and%20linguistically%20diverse%20communities, Deputy%20Chair%20Catriona%20Low e%20said. Accessed Sept 2 2025 National Seniors Australia (2024) Seniors top scammers’ hit list. https://nationalseniors.com.au/news/latest-news/seniors-top-scammers-hit-list. Accessed Aug 22 2025 Norfolk State University (2023) How are cybercrime and psychology related? https://online.nsu.edu/degrees/technology/master-of-science-cyberpsychology/cybercrime-and-psychology-related/. Accessed Aug 23 2025 Norris G, Brookes A, Dowell D (2019) The psychology of internet fraud victimisation: A systematic review. J Police Crim Psychol 34(3):231-245 https://doi.org/10.1007/s11896-019-09334-5 Palassis A, Speelman CP, Pooley JA (2021) An exploration of the psychological impact of hacking victimization. Sage Open 11(4) https://doi.org/10.1177/21582440211061556 Quirk R, Greenbaum S, Leech G, Svartvik S (1985) A comprehensive grammar of the English language. Pearson Longman, London. Reurink A (2019) Financial fraud: A literature review. In: Claus I, Krippner L (eds) Contemporary topics in finance: a collection of literature surveys. John Wiley & Sons, p 79-116 https://doi.org/10.1111/joes.12298 Rheindorf M (2019) Working with corpora small and large: qualitative and quantitative methods. In: Rheindorf M (ed) Revisiting the Toolbox of Discourse Studies: Postdisciplinary Studies in Discourse. Palgrave Macmillan, p 21-75. https://doi.org/10.1007/978-3-030-19369-0_2 ScamWatch (2024) Phishing . https://www.scamwatch.gov.au/stay-protected/attempts-to-gain-your-personal-information/phishing. Accessed August22 2025 ScamWatch (2025) Scam statistics. https://www.scamwatch.gov.au/research-and-resources/scam-statistics. Accessed Aug 22 2025 Sharoff S (2025) Form and function: automatic methods for prediction of functions. In: Wegener R, Fontaine L, Sellami-Baklouti A, McCabe A (eds) The Routledge Handbook of Transdisciplinary Systemic Functional Linguistics: Halliday beyond Linguistics. Routledge Publishing. Skopal DP, Herkel M (2017) Public discourse syndrome: Reformulating for clarity. Text & Talk 37(1):141-164. Steves M, Greene K, Theofanos M (2020) Categorizing human phishing difficulty: a phish scale. J Cybersecur 1-16. https://doi.org/10.1093/cybsec/tyaa009 The Treasury (2023) Scams – Mandatory Industry Codes. Australian Government. https://treasury.gov.au/sites/default/files/2023-11/c2023-464732-cp.pdf. Accessed Aug 22 2025 Voce I, Morgan A (2023) Cybercrime in Australia 2023. AIC Reports 43. Australian Institute of Criminology https://www.aic.gov.au/sites/default/files/2023-06/sr43_cybercrime_in_australia_2023.pdf. Accessed Aug 22 2025 Walton D (2014) Speech acts and indirect threats in ad baculum arguments: a reply to Budzynska and Witek. Argument J 28(3):317-324. Whitty MT (2019) Predicting susceptibility to cyber-fraud victimhood. J Financ Crime 26(1):277-292. https://doi.org/10.1108/JFC-10-2017-0095 Whitty MT, Buchanan T (2015) The online dating romance scam: The psychological impact on victims – both financial and non-financial . Criminol Crim Justice 16(2):176–194. https://journals.sagepub.com/doi/10.1177/1748895815603773 Zhang J 2025 Context-aware annotation framework for NLP applications. In: 2025 5th International Conference on Artificial Intelligence and Industrial Technology Applications (AIITA), Xi'an, China, 2025, p 1380-1383. 10.1109/AIITA65135.2025.11047858 Footnotes ScamWatch Australia differentiates phishing from other text scams, such as fake billing, for statistical purposes. This study uses the term phishing to include any text or SMS messages that are malicious and contain links to sites that are used to make fake payments or steal personal information. The ACCC’s The Little Book of Scams is a reference booklet giving an overview of scams. Its translated copies into 17 languages as well as in simple English, are downloadable at https://www.accc.gov.au/about-us/publications/the-little-book-of-scams Additional Declarations No competing interests reported. Cite Share Download PDF Status: Under Review Version 1 posted Editorial decision: Revision requested 04 Mar, 2026 Reviews received at journal 31 Jan, 2026 Reviewers agreed at journal 17 Dec, 2025 Reviews received at journal 09 Nov, 2025 Reviewers agreed at journal 01 Oct, 2025 Reviewers invited by journal 26 Sep, 2025 Editor invited by journal 26 Sep, 2025 Editor assigned by journal 24 Sep, 2025 Submission checks completed at journal 05 Sep, 2025 First submitted to journal 04 Sep, 2025 You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-7532083","acceptedTermsAndConditions":true,"allowDirectSubmit":false,"archivedVersions":[],"articleType":"Article","associatedPublications":[],"authors":[{"id":525167546,"identity":"bc256f95-64ea-417c-8c2f-6215f4dd08a8","order_by":0,"name":"Desiree Kawabata","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABHElEQVRIie3QMUvDQBQH8BcCr8uZrBcCyVe4EBCkSL9KSkGXBJyKg0igEJdT13ySzicH7RI6V+hQEbLoUCmIYCueigpywYyC94f3eAfvx4MDMDH5ixH43lXZqrHARSDqgS0IAUwUib0C2xPC1BB7+W/EEdhfk5NF2OtU67vjI0ad8FzAaijBLRMt8QRKn0zqiJNsvFcxRhGdxCpnEuhcT5jo5H6K0uKQjaOcbU4RCbN3CgnQTEbP6Yvscfe+VuTtiiJbRcJGghM/K2Sf09S++SKWIqyBeBIPutuLesDn9a71QVJ2xWeHJKqW+h+bFvF1+bjYP7sc3D7kG0bDURUtn4bdIJjqr4D9PSL9nIQqot//oVdttkxMTEz+X14BjJBeGOP0mZ4AAAAASUVORK5CYII=","orcid":"","institution":"Griffith University","correspondingAuthor":true,"prefix":"","firstName":"Desiree","middleName":"","lastName":"Kawabata","suffix":""}],"badges":[],"createdAt":"2025-09-04 04:53:20","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-7532083/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-7532083/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":93056606,"identity":"641c6d58-2574-47cc-998e-dc5829cffb34","added_by":"auto","created_at":"2025-10-08 15:04:56","extension":"docx","order_by":0,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":109496,"visible":true,"origin":"","legend":"","description":"","filename":"HSSCarticle.docx","url":"https://assets-eu.researchsquare.com/files/rs-7532083/v1/13f2df3e466ed9229730c4bc.docx"},{"id":93056605,"identity":"007c1a20-b971-43f8-b423-30835ff2feb5","added_by":"auto","created_at":"2025-10-08 15:04:56","extension":"json","order_by":1,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":3634,"visible":true,"origin":"","legend":"","description":"","filename":"f8c61645962b41fdbde0342c10dd8965.json","url":"https://assets-eu.researchsquare.com/files/rs-7532083/v1/d0b2667bcb83309f48a5eeee.json"},{"id":93056611,"identity":"acde7784-5e98-4295-ae92-bbc42dc3b7d5","added_by":"auto","created_at":"2025-10-08 15:04:56","extension":"xml","order_by":2,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":157129,"visible":true,"origin":"","legend":"","description":"","filename":"f8c61645962b41fdbde0342c10dd89651enriched.xml","url":"https://assets-eu.researchsquare.com/files/rs-7532083/v1/c808c419da5180e45288aa9b.xml"},{"id":93057581,"identity":"3d9d77ef-f1ae-4f48-adb4-a708ffcb8847","added_by":"auto","created_at":"2025-10-08 15:12:56","extension":"png","order_by":3,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":15025,"visible":true,"origin":"","legend":"","description":"","filename":"floatimage1.png","url":"https://assets-eu.researchsquare.com/files/rs-7532083/v1/238a90549e4dc562cd0ebdf4.png"},{"id":93056608,"identity":"fb5b3920-6ded-4a62-9ed7-10120563326b","added_by":"auto","created_at":"2025-10-08 15:04:56","extension":"png","order_by":4,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":8364,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage1.png","url":"https://assets-eu.researchsquare.com/files/rs-7532083/v1/2f72bac4b9621d8fb099ecee.png"},{"id":93057582,"identity":"266b2901-afa7-4501-9bf5-7a17ac398e3e","added_by":"auto","created_at":"2025-10-08 15:12:56","extension":"xml","order_by":5,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":157685,"visible":true,"origin":"","legend":"","description":"","filename":"f8c61645962b41fdbde0342c10dd89651structuring.xml","url":"https://assets-eu.researchsquare.com/files/rs-7532083/v1/a69441fc4dd1f339b716e34f.xml"},{"id":93056609,"identity":"0361be7d-6b2a-451a-8881-afb7e6f180d0","added_by":"auto","created_at":"2025-10-08 15:04:56","extension":"html","order_by":6,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":167735,"visible":true,"origin":"","legend":"","description":"","filename":"earlyproof.html","url":"https://assets-eu.researchsquare.com/files/rs-7532083/v1/238ab98df1bab17e62ec48c0.html"},{"id":93056604,"identity":"381ae2ad-7f1e-48a0-82de-5f71d4e832ba","added_by":"auto","created_at":"2025-10-08 15:04:56","extension":"png","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":14741,"visible":true,"origin":"","legend":"\u003cp\u003e\u003cem\u003eSFL metafunctions and language features\u003c/em\u003e\u003c/p\u003e","description":"","filename":"floatimage1.png","url":"https://assets-eu.researchsquare.com/files/rs-7532083/v1/bb44918e9168b5a52625b54a.png"},{"id":93057979,"identity":"505e481d-6dfe-4189-8935-a2d51310995e","added_by":"auto","created_at":"2025-10-08 15:20:57","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":1517186,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7532083/v1/c10463df-480a-4a2d-8e42-31c3d525ef95.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"“Account suspension. Verify now”: using systemic-functional linguistics to improve phishing text advisories for vulnerable groups","fulltext":[{"header":"1 Introduction","content":"\u003cp\u003eThe dramatic rise in digital scams poses crippling financial and emotional risks to individuals. Vulnerable groups, such as the elderly and those from non-English speaking backgrounds (NESB), are disproportionately affected, with global losses exceeding 1 trillion US dollars annually (GASA 2024). In Australia alone, in the year to May 2025, scams accounted for almost \u003cspan\u003e$\u003c/span\u003eAUD 119\u0026nbsp;million in personal losses - a 28% increase from the previous year (ACCC 2025). Phishing attempts via unsolicited text messages are the most common approach, and also on the rise (ACCC 2025; ScamWatch \u003cspan citationid=\"CR53\" class=\"CitationRef\"\u003e2025\u003c/span\u003e). Despite increasing public awareness, many individuals remain ill-equipped to recognise and respond effectively to scams. The use of urgent and threatening language in phishing texts requires rapid identification, yet this can be especially difficult for those with limited digital or linguistic proficiency. Older adults often face technological challenges, while NESB individuals, who are statistically more responsive to threat-based messaging (ACCC 2022), may overlook subtle linguistic cues, even those missed by highly proficient speakers of English. As a result, people aged over 65 and those from Culturally and Linguistically Diverse (CALD) communities are consistently overrepresented in scam victim statistics (ACCC 2025; ACMA 2022; Koning et al. \u003cspan citationid=\"CR34\" class=\"CitationRef\"\u003e2024\u003c/span\u003e; Voce and Morgan \u003cspan citationid=\"CR58\" class=\"CitationRef\"\u003e2023\u003c/span\u003e).\u003c/p\u003e\u003cp\u003eSystemic Functional Linguistics (SFL) offers a valuable framework for addressing this challenge. By analysing how language functions in context, particularly in constructing interpersonal meaning and shaping communicative intent, SFL enables detailed examination of the persuasive techniques embedded in scam messages. This linguistic lens provides a means to decode how scammers exploit language to evoke fear, create urgency, and prompt compliance.\u003c/p\u003e\u003cp\u003eScammers frequently impersonate trusted institutions such as banks, postal services, delivery companies, and government agencies. Existing resources provide general warnings; however, they tend to focus on behavioural cues and general descriptions of scams rather than unpacking the specific language features used to deceive. The ACCC\u0026rsquo;s \u003cem\u003eLittle Black Book of Scams\u003c/em\u003e offers multilingual advice regarding scams but does not contain any exemplification of scam language itself. Incorporating linguistic exemplars of patterns of grammar, vocabulary, and tone commonly found in phishing messages can offer clearer, more accessible guidance. Such insights are particularly valuable for at-risk groups who may benefit from targeted, language-focused strategies to support scam detection. The SFL framework used in this study is well-suited as an analytic tool as it describes how language functions in different contexts, particularly in relation to communicative goals and social purposes. By identifying the recurring patterns of manipulative language, the study aims to enhance advisory content and potentially inform scam detection algorithms, ultimately reducing susceptibility to phishing attempts among vulnerable community members. Institutions and governments are turning to computational and artificial intelligent systems to aid in the detection of phishing messages (GASA 2025), and SFLs rule-driven systematic frameworks are increasingly informing language processing models in multiple fields (Bateman et al. \u003cspan citationid=\"CR11\" class=\"CitationRef\"\u003e2019\u003c/span\u003e; Mahowald et al. \u003cspan citationid=\"CR40\" class=\"CitationRef\"\u003e2024\u003c/span\u003e; Sharoff \u003cspan citationid=\"CR54\" class=\"CitationRef\"\u003e2025\u003c/span\u003e; Zhang \u003cspan citationid=\"CR62\" class=\"CitationRef\"\u003e2025\u003c/span\u003e).\u003c/p\u003e"},{"header":"2 Literature review","content":"\u003cp\u003eThe evolution of digital communication methods enables widespread fraudulent activities. In Australia, unsolicited text messages represent a primary vehicle for scams, with a notable increase in reports over recent years (Department of Infrastructure, Transport, Regional Development, Communication and the Arts 2024). According to the Australian Government\u0026rsquo;s ScamWatch, SMS/text messages were one of the most reported contact methods for scams in 2025, highlighting the need for a critical response and research focusing on this communication mode.\u003c/p\u003e\u003cdiv id=\"Sec3\" class=\"Section2\"\u003e\u003ch2\u003e2.1 Phishing\u003c/h2\u003e\u003cp\u003e\u0026lsquo;Phishing\u0026rsquo; is an attempt to deceive a message\u0026rsquo;s recipient into providing personal information or passwords, subsequently used for identity theft or financial fraud. To encourage prompt action, tactics include falsely claiming suspicious account activity, creating false invoices, fabricating account issues, requesting additional or updated personal or financial information, or advising of fake refunds or offers[1]\u003ca class=\"FNLink\" href=\"#Fn1\" id=\"#FNLinkFn1\"\u003e\u003c/a\u003e. Such messages direct recipients to fake sites through malicious links. Phishing is an all-encompassing term, and other terminology is continually emerging to describe particular phishing activity. For example, \u0026lsquo;smishing\u0026rsquo; occurs via SMS messaging, and \u0026lsquo;vishing\u0026rsquo; through voice messaging. The general term \u0026lsquo;phishing\u0026rsquo; is used throughout for simplicity. Phishing involves sending impersonal malicious messages to large volumes of random recipients in a \u0026lsquo;hit-and-miss' approach. For example, as the number of online shoppers has increased, scammers may send messages about undelivered parcels to a large database of mobile numbers, with the likelihood that some recipients have recently purchased items online. Similarly, after the end of the Australian financial year, scam text messages purporting to be from the Australian Tax Office (ATO) rise (ACMA 2024; ATO 2024) as the relevance to the recipient increases during this period.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec4\" class=\"Section2\"\u003e\u003ch2\u003e2.2 Impact\u003c/h2\u003e\u003cp\u003eThe economic impact of scams is profound, affecting individuals, businesses, and wider society. The ACCC (2025) reported that of the \u003cspan\u003e$\u003c/span\u003e119\u0026nbsp;million lost to scams in the first four months of 2025, \u003cspan\u003e$\u003c/span\u003e14\u0026nbsp;million of these losses occurred through phishing attacks. Both small and large businesses bear heavy financial burdens from cyber fraud. In addition to monetary\u003c/p\u003e\u003cp\u003elosses, individuals suffer significant personal impacts (Achuthan et al., \u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e2025\u003c/span\u003e), and these effects on two vulnerable groups are discussed here.\u003c/p\u003e\u003cdiv id=\"Sec5\" class=\"Section3\"\u003e\u003ch2\u003e2.2.1 Vulnerable populations\u003c/h2\u003e\u003cp\u003eElderly individuals, and those from non-English speaking or CALD backgrounds, are more vulnerable to scams. Cognitive decline, limited digital literacy, and language barriers increase their susceptibility (ACCC 2024a; ACMA 2022; James et al. \u003cspan citationid=\"CR32\" class=\"CitationRef\"\u003e2014\u003c/span\u003e; Mohammad et al. \u003cspan citationid=\"CR42\" class=\"CitationRef\"\u003e2022\u003c/span\u003e; Voce and Morgan \u003cspan citationid=\"CR58\" class=\"CitationRef\"\u003e2023\u003c/span\u003e). Older age increases the likelihood of falling victim to cyberfraud or scam messages (Bolimos and Choo \u003cspan citationid=\"CR13\" class=\"CitationRef\"\u003e2017\u003c/span\u003e; Grilli et al. \u003cspan citationid=\"CR26\" class=\"CitationRef\"\u003e2021\u003c/span\u003e; James et al. \u003cspan citationid=\"CR32\" class=\"CitationRef\"\u003e2014\u003c/span\u003e; Whitty \u003cspan citationid=\"CR60\" class=\"CitationRef\"\u003e2019\u003c/span\u003e), and older populations often experience greater financial losses (National Seniors Australia \u003cspan citationid=\"CR45\" class=\"CitationRef\"\u003e2024\u003c/span\u003e). People with limited English proficiency are also overrepresented in scam statistics (NASC 2024b). Cybercriminals capitalise on lower language proficiency, making their tactics more effective. While having English as a first language does not guarantee detection of leakage clues and red flags (see section \u003cspan refid=\"Sec8\" class=\"InternalRef\"\u003e2.4.1\u003c/span\u003e below), those from NESBs face greater challenges (Hasegawa et al. \u003cspan citationid=\"CR29\" class=\"CitationRef\"\u003e2022\u003c/span\u003e).\u003c/p\u003e\u003cp\u003ePeople who have suffered financially through scam victimisation experience emotional and psychological effects along with ongoing economic impacts. Although the extant literature focuses overwhelmingly on the psychological reasons \u003cem\u003efor\u003c/em\u003e scam susceptibility rather than the impacts of victimisation (Borwell et al. \u003cspan citationid=\"CR14\" class=\"CitationRef\"\u003e2022\u003c/span\u003e; Palassis et al. \u003cspan citationid=\"CR48\" class=\"CitationRef\"\u003e2021\u003c/span\u003e; Whitty and Buchanan \u003cspan citationid=\"CR61\" class=\"CitationRef\"\u003e2015\u003c/span\u003e), there is growing evidence that victims suffer from anxiety, shame, and a deep sense of betrayal which can have consequences for emotional and mental wellbeing (Australian Human Rights Commission \u003cspan citationid=\"CR6\" class=\"CitationRef\"\u003e2024\u003c/span\u003e; Bada and Nurse \u003cspan citationid=\"CR9\" class=\"CitationRef\"\u003e2020\u003c/span\u003e; Button et al. \u003cspan citationid=\"CR18\" class=\"CitationRef\"\u003e2020\u003c/span\u003e; Leukfeldt and Malsch \u003cspan citationid=\"CR36\" class=\"CitationRef\"\u003e2019\u003c/span\u003e; Norfolk State University \u003cspan citationid=\"CR46\" class=\"CitationRef\"\u003e2023\u003c/span\u003e). These impacts consequently affect personal relationships and overall well-being and are more pronounced in older populations (Bailey et al. \u003cspan citationid=\"CR10\" class=\"CitationRef\"\u003e2021\u003c/span\u003e; Kemp and Erades Perez 2023. The emotional impacts of scam victimisation are compounded by financial repercussions and potential long term financial insecurity (Brenner et al. \u003cspan citationid=\"CR16\" class=\"CitationRef\"\u003e2020\u003c/span\u003e). A comprehensive understanding of the underlying psychological mechanisms leading to these consequences is essential for developing targeted interventions and mitigating the enduring impacts of scam victimisation.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv id=\"Sec6\" class=\"Section2\"\u003e\u003ch2\u003e2.3 Psychological tactics\u003c/h2\u003e\u003cp\u003eScammers employ various psychological tactics targeting human cognitive biases to manipulate their targets. Key strategies include creating a sense of urgency and using both overt and veiled threats to prompt immediate action. Given time for scrutiny, recipients can frequently identify scam messages; however, urgency and implied threats leave victims unprepared and open to deception (Reurink \u003cspan citationid=\"CR50\" class=\"CitationRef\"\u003e2019\u003c/span\u003e; Steves et al. \u003cspan citationid=\"CR56\" class=\"CitationRef\"\u003e2020\u003c/span\u003e). Human decision-making processes are affected when urgency cues and threats of loss are present in communication (Butavicius et al. \u003cspan citationid=\"CR17\" class=\"CitationRef\"\u003e2022\u003c/span\u003e; Chowdhury et al. \u003cspan citationid=\"CR19\" class=\"CitationRef\"\u003e2019\u003c/span\u003e; McAlaney and Hills \u003cspan citationid=\"CR39\" class=\"CitationRef\"\u003e2020\u003c/span\u003e). Messages that include methods to mitigate or resolve threats are also effective in prompting phishing victims to perform actions such as clicking malicious links (House and Raja \u003cspan citationid=\"CR30\" class=\"CitationRef\"\u003e2019\u003c/span\u003e). All anti-fraud agencies in Australia, and major institutions, include \u0026lsquo;urgency\u0026rsquo; as a key indicator of a scam message in their advisory content, however few advisories include examples of representative language. Victims may possess an awareness of scam tactics, yet psychological and behavioural aspects (e.g. time pressure] can overwhelm even the best informed and \u0026lsquo;tech savvy\u0026rsquo; individuals (Luo et al. \u003cspan citationid=\"CR38\" class=\"CitationRef\"\u003e2013\u003c/span\u003e; Norris et al. \u003cspan citationid=\"CR47\" class=\"CitationRef\"\u003e2019\u003c/span\u003e). This highlights the need for specific advisory content that can alert potential scam victims to the language used when these underlying malignant psychological tactics are present.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec7\" class=\"Section2\"\u003e\u003ch2\u003e2.4 Current advisories\u003c/h2\u003e\u003cp\u003eWith cyber fraud causing significant financial losses for Australian medium and large businesses (ASIC 2024), the Australian government\u0026rsquo;s National Anti-Scam Centre (NASC) works alongside law enforcement and the private sector to recognise and raise awareness about cyber fraud. Their efforts also involve legislating against the perpetrators of cyber-attacks and those who fail to allocate sufficient efforts to consumer protection (NASC 2024a; The Treasury \u003cspan citationid=\"CR57\" class=\"CitationRef\"\u003e2023\u003c/span\u003e). Websites such as ScamWatch, and businesses and services commonly targeted by scammers, provide detailed information in multiple languages regarding scam types prevalent in society and cyberspace, including advice on recognising and reporting them. Two main themes are communicated through this consumer advisory content: leakage clues and red flags (see 2.4.1 below). A notable omission from many advisory sites and documents is specific language used to exemplify the characteristics and psychological tactics underpinning phishing attempts.\u003c/p\u003e\u003cdiv id=\"Sec8\" class=\"Section3\"\u003e\u003ch2\u003e2.4.1 Leakage clues and red flags\u003c/h2\u003e\u003cp\u003eDeceptive clues, or \u0026lsquo;leakage clues\u0026rsquo;, are subtle indicators of sinister communication that persist despite a sender\u0026rsquo;s intention to appear legitimate (Ekman and Friesen \u003cspan citationid=\"CR22\" class=\"CitationRef\"\u003e1969\u003c/span\u003e). In phishing text messages, these may manifest in non-standard grammar, inconsistent punctuation, or irregular lexical choices. These errors arise in response to amateur message development processes and when the scammers work where English is not a first language. Leakage clues are strong indicators of attempted phishing attacks; however, they can also occur as typographical errors in legitimate messages. Butavicius et al. (\u003cspan citationid=\"CR17\" class=\"CitationRef\"\u003e2022\u003c/span\u003e) found that although scam message identification improved when recipients focused on these errors, they rarely detected errors independently, even when advised of their presence.\u003c/p\u003e\u003cp\u003eExisting advisory content emphasises more overt \u0026lsquo;red flags\u0026rsquo; - clues that require recipients to infer deceptive intent based on common scam tactics. They are more difficult to detect and distinguish as scam messages. \u0026lsquo;Red flags\u0026rsquo; include email addresses or links with incorrect domains, or language that is threatening or prompts immediate action. Despite the ubiquity of red flags in advisory content, urgent and threatening language is frequently noticed (and acted upon) before recognition of spelling errors and other leakage cues (McAlaney and Hills \u003cspan citationid=\"CR39\" class=\"CitationRef\"\u003e2020\u003c/span\u003e). Identifying the underlying language of \u0026lsquo;red flags\u0026rsquo; that carries manipulative force can be understood through the interpersonal and textual layers of meaning that SFL explores. For example, by examining features such as imperative mood, thematic choices, and clausal relations, SFL reveals how red flags function linguistically to influence behaviour and construct deceptive authority.\u003c/p\u003e\u003cp\u003eScamWatch\u0026rsquo;s advisories provide valuable and current information about what the public should understand to avoid becoming a phishing victim. Providing content in languages other than English and in a downloadable form (see \u003cem\u003eThe Little Book of Scams\u003c/em\u003e[2]\u003ca class=\"FNLink\" href=\"#Fn2\" id=\"#FNLinkFn2\"\u003e\u003c/a\u003e) is an excellent start in raising public awareness, aligning with Australia\u0026rsquo;s focus on providing information in accessible language (Skopal and Herke 2017). However, advisory sites and fact sheets do not show actual examples of language use that illustrate psychological tactics and red flags outlined in the documents and online. \u003cem\u003eThe Little Book of Scams\u003c/em\u003e has no examples of such language. Given the complex psychological and social engineering mechanisms underlying public advisory content around scams, the interpretation of threatening and/or urgent messages is likely a greater challenge for those with cognitive and linguistic disadvantages. By supporting current advisory content with concrete examples of common language used in scam messages, potential victims may recognise and report phishing messages more easily.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv id=\"Sec9\" class=\"Section2\"\u003e\u003ch2\u003e2.5 Systemic-functional linguistics\u003c/h2\u003e\u003cp\u003e\u003cdiv class=\"BlockQuote\"\u003e\u003cp\u003eSystemic-functional linguistics (SFL) offers a robust framework for analysing how language functions in social contexts (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e). SFL centres around how language choices reflect social processes and communication goals and how experiences, relationships, and channels of communication influence language. By examining the linguistic markers that scammers utilise, researchers can gain insights into how language is used to manipulate emotions, establish trust, and create urgency. SFL categorises meaning into three metafunctions: the ideational (representing ideas), the interpersonal (enacting social relationships), and the textual (organising discourse). Figure\u0026nbsp;\u003cspan refid=\"Fig1\" class=\"InternalRef\"\u003e1\u003c/span\u003e below summarises the key linguistic features examined in this study and their alignment with each metafunction.\u003c/p\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eThe application of SFL to identify the specific language features in phishing text messages, provides a more nuanced understanding of the tactics used by scammers beyond surface level descriptions.\u003c/p\u003e\u003c/div\u003e\u003c/p\u003e\u003cdiv id=\"Sec10\" class=\"Section3\"\u003e\u003ch2\u003e2.5.1 The ideational metafunction\u003c/h2\u003e\u003cp\u003e\u003cdiv class=\"BlockQuote\"\u003e\u003cp\u003eIn SFL, ideational meanings refer to how language choices represent experiences and actions. Speakers and writers express themselves depending on actions (processes), those involved in a communicative act (the participants), and the context of communication (the circumstances). Scammers manipulate ideational meanings using clausal structures and contextual language to misrepresent actions or events, making scams appear legitimate or urgent. When considering the participants in an interaction, scammers use language that evokes trust or positions them as an authority figure, resulting in the greater likelihood of a successful phishing attempt (Laroche et al. \u003cspan citationid=\"CR35\" class=\"CitationRef\"\u003e2019\u003c/span\u003e; Liu et al., \u003cspan citationid=\"CR37\" class=\"CitationRef\"\u003e2024\u003c/span\u003e). In SFL, language and meaning are intricately linked to the context of a situation and scammers can carefully select contextual and circumstantial elements of language to appear credible, create urgency, and encourage quick decisions void of critical thinking. By strategically employing ideational resources, scammers can appeal to potential victims\u0026rsquo; emotions and cognitive biases, creating situations that are not rooted in reality. This tactic aligns with underlying psychological strategies that make scams sound convincing and thus likely to be acted upon.\u003c/p\u003e\u003c/div\u003e\u003c/p\u003e\u003cdiv id=\"Sec11\" class=\"Section4\"\u003e\u003ch2\u003e2.5.1.1 Clause complexing\u003c/h2\u003e\u003cp\u003eClause structure is central to ideational meaning (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e), and the order of clauses affects how messages of authority and urgency are communicated. Table\u0026nbsp;\u003cspan refid=\"Tab1\" class=\"InternalRef\"\u003e1\u003c/span\u003e below exemplifies the types of clausal relationships in SFL, with dependent and independent clauses labelled \u003cem\u003e(d)\u003c/em\u003e and \u003cem\u003e(i)\u003c/em\u003e respectively.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab1\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 1\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003e\u003cem\u003eClausal relationships in SFL\u003c/em\u003e\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"3\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eSFL term\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eDefinition\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eExample\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eParataxis\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eEqual-status clauses \u003cem\u003e(i)\u003c/em\u003e + \u003cem\u003e(i)\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eWe tried to deliver your package \u003cem\u003e(i)\u003c/em\u003e, but nobody was home \u003cem\u003e(i)\u003c/em\u003e.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eHypotaxis\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eDependent relationship of one clause to another\u003c/p\u003e\u003cp\u003e\u003cem\u003e(i)\u003c/em\u003e + \u003cem\u003e(d)\u003c/em\u003e or \u003cem\u003e(d)\u003c/em\u003e + \u003cem\u003e(i)\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eWe noticed the address was wrong \u003cem\u003e(i)\u003c/em\u003e while attempting delivery \u003cem\u003e(d)\u003c/em\u003e.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eHypotactic structures in which the independent clause is in head (initial) position is an unmarked, or \u0026lsquo;usual\u0026rsquo; structure. In such structures, dependent clauses add detail, context, or explanation, but are not the main focus of information; they are \u0026lsquo;backgrounded\u0026rsquo; to follow a main clause (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e; Quirk 1985). The positioning of a hypotactic or paratactic clause in a clause complex is significant as it affects how information is perceived and what is given prominence in a message. For instance, in a clause complex such as,\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Taba\" border=\"1\"\u003e\u003ccolgroup cols=\"2\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cem\u003eYour package has not been delivered\u003c/em\u003e\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003e\u003cem\u003edue to incorrect address information\u003c/em\u003e\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eResult\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eReason\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003ethe independent result clause is in first position and the reason in second position. In contrast, when placed at the beginning of a clause complex, the result is a \u0026lsquo;marked\u0026rsquo; clause in which hypotactic clauses draw immediate attention to the condition, reason, time, or purpose stated. For example, in\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Tabb\" border=\"1\"\u003e\u003ccolgroup cols=\"2\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cem\u003eBecause your account was compromised\u003c/em\u003e,\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003e\u003cem\u003ewe need your information.\u003c/em\u003e\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eReason\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eResult\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003ethe reason for the request is foregrounded, with the subsequent result or required action being secondary. Since successful phishing attempts require prompt action by recipients, foregrounding negative results in head position may create a sense of urgency to act. The meaning of these different clauses and how they function in a clause complex relies on an understanding of the logico-semantic relations between clauses (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e) and how these are expressed through the use of conjunctions and phrases for the purposes of enhancing, extending, or elaborating (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e). Halliday and Matthiessen\u0026rsquo;s (\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e: 483) logico-semantic categories of cause-condition (enhancement), and addition and variation (extension), and how they relate to psychological tactics are shown below in Table\u0026nbsp;\u003cspan refid=\"Tab2\" class=\"InternalRef\"\u003e2\u003c/span\u003e.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab2\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 2\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003e\u003cem\u003eSFL logico-semantic relations of cause-condition, addition, and variation, and their role in phishing language\u003c/em\u003e\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"4\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eLogico-semantic meaning\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eFunction in SFL\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eExample\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eDeceptive use in phishing\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCause: reason\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eJustify or explain an action or event\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026bull; \u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eBecause\u003c/span\u003e your account was compromised\u0026hellip;\u003c/p\u003e\u003cp\u003e\u0026bull; \u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eDue to\u003c/span\u003e delivery failure\u0026hellip;\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e\u0026bull; Presents a negative situation as the reason for the message.\u003c/p\u003e\u003cp\u003e\u0026bull; Provides a reason for the initiation of the message.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCause: purpose\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eExplain intended outcome of action\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026bull; \u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eTo\u003c/span\u003e avoid account closure\u0026hellip;\u003c/p\u003e\u003cp\u003e\u0026bull; \u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eTo\u003c/span\u003e update your details\u0026hellip;\u003c/p\u003e\u003cp\u003e\u0026bull; \u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eSo that\u003c/span\u003e we can\u0026hellip;\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eFrames the message as a legitimate request; implies urgency without explicitly threatening. This weakens the perception of threat and downgrades it to a warning (Walton, \u003cspan citationid=\"CR59\" class=\"CitationRef\"\u003e2014\u003c/span\u003e).\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCause: result\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003ePresent an outcome or consequence\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026bull; Your account has been locked\u0026hellip;\u003c/p\u003e\u003cp\u003e\u0026bull; Your parcel has been returned\u0026hellip;\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e\u0026bull; Emphasises negative consequences to justify the current state or message.\u003c/p\u003e\u003cp\u003e\u0026bull; Normalises the scammer\u0026rsquo;s demand by presenting it as a logical outcome of the recipient\u0026rsquo;s (supposed) inaction or an error.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCondition\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eEstablish cause and effect or hypothetical scenarios\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026bull; \u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eIf\u003c/span\u003e this was not you\u0026hellip;\u003c/p\u003e\u003cp\u003e\u0026bull; \u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eIf\u003c/span\u003e you do not update your details\u0026hellip;\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e\u0026bull; Positions the condition as a threat and intensifies urgency through fear of negative consequences.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eAddition and alternation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eAdd, vary, or present alternate ideas.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026bull; \u0026hellip;\u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eor\u003c/span\u003e your account will be locked\u003c/p\u003e\u003cp\u003e\u0026bull; \u0026hellip;\u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eand\u003c/span\u003e verify your details\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eLists options or adds pressure by presenting multiple simultaneous threats or requests.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eAnalysis of the construction and order of clauses, and the language used to represent the meaning between them, can thus reveal underlying deceptive tactics used to communicate with potential victims.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec12\" class=\"Section4\"\u003e\u003ch2\u003e2.5.1.2 Circumstances\u003c/h2\u003e\u003cp\u003eCircumstantial elements provide additional situational context for a clause through adverbials and prepositional phrases (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e). Circumstances add information about an experience, explaining the \u0026ldquo;when, where, why and how\u0026rdquo; of it (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e: 311). Investigating the language of phishing texts through the SFL tool of circumstance allows for understanding of the contextual elements employed by scammers to deceive victims. Temporal circumstances are frequently used to create exaggerated urgency and direct the recipient toward the scammer\u0026rsquo;s preferred action pathway. Halliday and Matthiessen\u0026rsquo;s (\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e) temporal, manner, and locational circumstance types are explained below in Table\u0026nbsp;\u003cspan refid=\"Tab3\" class=\"InternalRef\"\u003e3\u003c/span\u003e in relation to scam text communication.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab3\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 3\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003e\u003cem\u003eCircumstance types in SFL\u003c/em\u003e\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"3\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCircumstance type\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eRole in phishing messages\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eExample\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTemporal\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eCreate time pressure by prompting impulsive action and reducing reflection time\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026bull; \u0026hellip;within 24 hours\u003c/p\u003e\u003cp\u003e\u0026bull; \u0026hellip;immediately\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eManner\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eProvide instructional and procedural information to make processes appear legitimate and simple\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026bull; \u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eBy\u003c/span\u003e clicking this link\u0026hellip;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eLocational\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eEnhance legitimacy by mimicking expected interaction patterns\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026bull; \u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003eat\u003c/span\u003e the link \u003cspan type=\"Underline\" class=\"Underline\" name=\"Emphasis\"\u003ebelow\u003c/span\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eLinguistic tactics through circumstantial elements provide context around links presented in a phishing message and influence the receiver\u0026rsquo;s ability to critically analyse the message given the urgency and ease presented in the texts.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv id=\"Sec13\" class=\"Section3\"\u003e\u003ch2\u003e2.5.2 The interpersonal metafunction\u003c/h2\u003e\u003cp\u003e\u003cdiv class=\"BlockQuote\"\u003e\u003cp\u003eInterpersonal meanings in SFL focus on how interactional language establishes and manages relationships between participants. Relevant phenomena include the roles of interactants (e.g. authority), interpersonal distance, politeness, and formality, as well as how language is used to express attitudes, evaluations, and perform communicative acts such as informing, questioning, greeting, and persuading (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e). SFL\u0026rsquo;s \u0026lsquo;mood\u0026rsquo; system provides grammatical resources for text producers to communicate their interpersonal meanings by categorising sentences or utterances into different types (statements, questions, or commands), based on how the writer or speaker positions themselves (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e). The main elements of the mood system (sub-classifications exist, but are not relevant for this study), based on Halliday and Matthiessen\u0026rsquo;s (\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e) classification are as follows:\u003c/p\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eIndicative mood - allows a speaker/writer to express facts (declarative mood) or seek information (interrogative mood).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eImperative mood - allows a speaker/writer to issue commands or requests.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/p\u003e\u003cp\u003eThe type of mood (and the speaker/writer\u0026rsquo;s position in relation to the message\u0026rsquo;s recipient) is represented in a clause through the subject (the person or thing), finite (tense or modality), polarity (positive or negative), and their relative positions to one another. For example,\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Tabc\" border=\"1\"\u003e\u003ccolgroup cols=\"2\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cem\u003eShe is reading a book.\u003c/em\u003e\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eDeclarative mood\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eIs she\u003c/b\u003e \u003cem\u003ereading a book?\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eInterrogative mood\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eRead\u003c/b\u003e \u003cem\u003ea book!\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eImperative mood\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cdiv id=\"Sec14\" class=\"Section4\"\u003e\u003ch2\u003e2.5.2.1 Imperative mood\u003c/h2\u003e\u003cp\u003eThe imperative mood is of particular importance when applying interpersonal meaning to language used in phishing texts. Scammers gain trust and guide emotional responses by manipulating interpersonal language. A goal of phishing is to quickly establish a trusting relationship. Scammers position themselves as organisational or institutional authority figures, or trusted individuals (usually representing a familiar organisation) to build trust (Bravo and Toska \u003cspan citationid=\"CR15\" class=\"CitationRef\"\u003e2023\u003c/span\u003e). The tone of their messages is carefully selected to enhance the credibility and raise the likelihood of compliance. The demanding tone of imperative statements discourages reflection, creates a sense of a non-negotiable command, and establishes the scammer as an authority figure (Ferreira and Teles \u003cspan citationid=\"CR23\" class=\"CitationRef\"\u003e2019\u003c/span\u003e).\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec15\" class=\"Section4\"\u003e\u003ch2\u003e2.5.2.2 Modality\u003c/h2\u003e\u003cp\u003eGrammatical modality refers to the degree of certainty, necessity, or possibility in a statement, typically conveyed through modal verbs (e.g., can, will, must) or modal adverbs (e.g., definitely, possibly). Modality allows speakers to express their attitudes toward the likelihood, obligation, or permission of an action or event (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e). SFL classifies modality into two major systems \u0026ndash; modalization and modulation (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e). These systems, along with their functions and examples are tabulated here in Table\u0026nbsp;\u003cspan refid=\"Tab4\" class=\"InternalRef\"\u003e4\u003c/span\u003e:\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab4\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 4\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003e\u003cem\u003eModal processes in SFL\u003c/em\u003e\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"4\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eSystem\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eModal type\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eFunction\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eExample\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eModalization\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eProbability\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eExpress likelihood\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e\u003cem\u003emay, might, will\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eUsuality\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eExpress frequency\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e\u003cem\u003eusually, always\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eModulation\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eObligation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eExpress required actions\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e\u003cem\u003emust, should, have to\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eInclination\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eExpress willingness, intention, or ability\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e\u003cem\u003ewill, would, can, could\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eModality is expressed on a cline of low to high, with high modality representing the greatest limitation of flexibility in meaning. For example, in\u003c/p\u003e\u003cp\u003e\u003cem\u003eYou\u003c/em\u003e \u003cb\u003emust\u003c/b\u003e \u003cem\u003ebe home by 8pm\u003c/em\u003e,\u003c/p\u003e\u003cp\u003ethe message recipient does not have freedom to choose when they should be home, as the limitation is imposed upon them with the modal verb of obligation, \u0026lsquo;must\u0026rsquo;. In combination with imperative mood, modality plays a critical role in shaping the perceived authority and urgency of messages, which can be exploited in phishing attempts to manipulate recipients into compliance by reducing their agency.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv id=\"Sec16\" class=\"Section3\"\u003e\u003ch2\u003e2.5.3 The textual metafunction\u003c/h2\u003e\u003cp\u003eThe textual metafunction in SFL considers how language is organised to create cohesive and coherent communication. Skilfully organising information allows text producers to shape their messages logically and convincingly. Logical and persuasive communication patterns commonly occurring in phishing messages - such as establishing problems, highlighting a need for immediate action, and providing a solution (usually a malicious link) - present messages naturally and convincingly. At a sentence level, two elements combine to create a coherent, persuasive phishing message: the \u0026lsquo;thematicised\u0026rsquo; content, and the cohesive device of conjunction.\u003c/p\u003e\u003cdiv id=\"Sec17\" class=\"Section4\"\u003e\u003ch2\u003e2.5.3.1 Theme\u003c/h2\u003e\u003cp\u003eHalliday and Matthiessen (\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e) separate clausal organisation into two elements: Theme and Rheme. The Theme is the content in first position in a clause, \u0026ldquo;the point of departure for [a] message\u0026rdquo; (Halliday and Matthiessen \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e: 83) and orients the reader to what the rest of the message (the Rheme) is about. Scammers can control the salience of a message by selecting what is in thematic position to attract attention and persuade phishing targets to act impulsively. Urgency is highlighted by placing instructions or threats at the start and suspicious details are given less prominence by placement in Rheme position. This aligns with the order of content at the ideational level by manipulating clausal structure to highlight content (see section \u003cspan refid=\"Sec10\" class=\"InternalRef\"\u003e2.5.1\u003c/span\u003e above). Whereas analysis at the ideational level is more associated with underlying meanings (such as purpose, reason), at the textual level, clausal order determines which part of a message is given prominence.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec18\" class=\"Section4\"\u003e\u003ch2\u003e2.5.3.2 Conjunctions\u003c/h2\u003e\u003cp\u003eCohesive devices are linguistic tools used to link sentences, clauses, or spans of text to create logical connections. They function to connect the meanings represented in the logico-semantic system (explained in 2.5.1 above). Halliday and Hasan (\u003cspan citationid=\"CR27\" class=\"CitationRef\"\u003e1976\u003c/span\u003e) present conjunctions as key devices for building cohesion, and these are relevant to examining phishing messages in this study. Using certain conjunctions can persuade recipients of phishing messages to act by framing the communication as a consequence of inaction or by establishing authority and placing blame on the recipient. Examples of these are underlined above in Table\u0026nbsp;\u003cspan refid=\"Tab2\" class=\"InternalRef\"\u003e2\u003c/span\u003e in section \u003cspan refid=\"Sec11\" class=\"InternalRef\"\u003e2.5.1.1\u003c/span\u003e.\u003c/p\u003e\u003cp\u003eScammers achieve their objectives by manipulating language to exploit human vulnerabilities when threatened by prompting them to take immediate action. The ability to recognise these approaches can help with detection at both a human and automated level and facilitate the detection of, and response to, phishing messages. To better understand the role of SFL analysis in recognising these language features, the following questions are posed to guide this analysis:\u003c/p\u003e\u003cp\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eRQ1: What are the linguistic features of unsolicited scam texts that create urgency and obligation?\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eRQ2: How can these features be exemplified in advisory messages tailored to the linguistic needs of vulnerable populations?\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e"},{"header":"3 Methodology","content":"\u003cp\u003eThis study adopts a mixed-methods approach to analyse the linguistic features of scam messages. A total of 106 samples of unsolicited phishing attempts via text messages were collected in Australia, along with a comparative corpus of 16 legitimate text messages. SFL tools were employed to focus on specific language indicative of phishing strategies.\u003c/p\u003e\u003cdiv id=\"Sec20\" class=\"Section2\"\u003e\u003ch2\u003e3.1 Data collection\u003c/h2\u003e\u003cp\u003ePhishing text samples were collected from online platforms including forums and communities, cyber awareness and protection websites (ScamWatch Australia, Australian Cybersecurity Centre, Australian Communication and Media Authority, PhishTank), organisation and institution advisory web pages (banks, Australia Post, delivery companies, Transport NSW, Translink QLD), and public databases. The 16 legitimate text messages were selected to reflect the messages scammers frequently imitate. Some legitimate samples were sourced from publicly available reliable sources such as ScamWatch, while the others required correspondence with government organisations, registered businesses and the submission of evidence of the legitimacy of this research project. Legitimate text messages are less likely to be reported and discussed in public domains, and organisations are reluctant to share examples of these unless they are being sent to intended recipients. There were fewer legitimate samples to compare as many of those provided included slightly altered wording. To maintain the integrity of the analytical process, only unique samples were selected and analysed. The coding of messages followed systemic-functional linguistic categories across ideational, interpersonal, and textual metafunctions, guided by Halliday and Matthiessen (\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e). Coding categories included clause complexing, logico-semantic relations, mood, theme, and conjunction type. A pilot coding of 10 texts (5 phishing, 5 legitimate) was conducted to refine the category definitions. To ensure consistency, coding was cross-checked by a second SFL-informed researcher on a subset (20%) of the texts, and discrepancies were discussed and resolved collaboratively. Inter-rater reliability was not formally calculated but agreement was high during calibration.\u003c/p\u003e\u003cp\u003eAlthough the legitimate message set (n\u0026thinsp;=\u0026thinsp;16) is smaller than the phishing corpus, its function is comparative rather than representative. Small, focused control corpora are common in discourse analysis studies that prioritise qualitative depth over quantitative balance and can be valuable for data extraction (Rheindorf \u003cspan citationid=\"CR51\" class=\"CitationRef\"\u003e2019\u003c/span\u003e). In this case, the legitimate texts serve to highlight contrasting linguistic patterns and functions, and their selection was based on maximum variation (e.g., institutions, message purposes). The sufficiency of this size and approach aligns with prior studies into the analytic value of smaller primary corpora in discourse studies (Bednarek \u003cspan citationid=\"CR12\" class=\"CitationRef\"\u003e2009\u003c/span\u003e; Hunston \u003cspan citationid=\"CR31\" class=\"CitationRef\"\u003e2022\u003c/span\u003e; Mair \u003cspan citationid=\"CR41\" class=\"CitationRef\"\u003e2014\u003c/span\u003e; Rheindorf \u003cspan citationid=\"CR51\" class=\"CitationRef\"\u003e2019\u003c/span\u003e).\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec21\" class=\"Section2\"\u003e\u003ch2\u003e3.2 Linguistic analysis\u003c/h2\u003e\u003cp\u003eQuantitative and qualitative examination of the samples focuses on specific language features that create a sense of urgency and obligation. All phishing messages were analysed and compared to the same analyses conducted on the legitimate samples.\u003c/p\u003e\u003cdiv id=\"Sec22\" class=\"Section3\"\u003e\u003ch2\u003e3.2.1 Clause complexing\u003c/h2\u003e\u003cp\u003eClause boundaries were delineated according to SFL conventions with a clause defined as a unit of language (written or spoken) containing a finite verb expressing tense or modality. The clauses in each message were categorised into paratactic or hypotactic structures and the head clause identified in each. The number of head clauses in initial position was calculated in comparison to the overall number of clause complexes to determine overall clause complexity. Clauses were then functionally labelled as \u0026lsquo;reason\u0026rsquo;, \u0026lsquo;purpose\u0026rsquo;, \u0026lsquo;result\u0026rsquo;, or \u0026lsquo;condition\u0026rsquo; based on(Halliday and Matthiessen\u0026rsquo;s (\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e) categorisation, and the number of occurrences of each was compared to the number of clause complexes. Since clauses contain three layers of meaning \u0026ndash; ideational, interpersonal, and textual \u0026ndash; the positioning of clauses in relation to one another influences urgency (ideational), tone and authority (interpersonal), and prominence (textual).\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec23\" class=\"Section3\"\u003e\u003ch2\u003e3.2.2 Circumstances\u003c/h2\u003e\u003cp\u003eCircumstantial elements were analysed to assess how temporal, manner, and location details create urgency and influence recipients' actions. The number of messages containing circumstances was calculated and labelled according to their function (\u0026lsquo;temporal\u0026rsquo;, \u0026lsquo;manner\u0026rsquo;, or \u0026lsquo;location\u0026rsquo;). Subsequent qualitative examination investigated their role in prompting an immediate response and reducing the identification of \u0026lsquo;red flags\u0026rsquo;, which included analysing their proximity to malicious links.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec24\" class=\"Section3\"\u003e\u003ch2\u003e3.2.3 Imperative mood\u003c/h2\u003e\u003cp\u003eThe number of clauses containing imperative mood structures was compared to the overall number of clauses. The location of these structures in relation to malicious links was investigated qualitatively to determine how these patterns contribute to scammers\u0026rsquo; authoritative and demanding positioning in text messages.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec25\" class=\"Section3\"\u003e\u003ch2\u003e3.2.4 Modality\u003c/h2\u003e\u003cp\u003eTo determine the influence of modality on responses to phishing texts, the percentage of messages containing modal processes was calculated. Further quantitative analysis compared the frequency of modal processes involving obligation and inclination. These were subsequently categorised into high, median, or low modality based on Halliday and Matthiessen\u0026rsquo;s (\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e: 171) classification.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec26\" class=\"Section3\"\u003e\u003ch2\u003e3.2.5 Conjunctions\u003c/h2\u003e\u003cp\u003eThe relationship between clauses and the use of justification, blame, or threats to prompt a recipient to action, and the types of conjunctions used to link clauses were collected and qualitatively examined. For analysing clause complexing relations, the number of clauses of alternation\u0026rsquo;, \u0026lsquo;reason\u0026rsquo;, \u0026lsquo;purpose\u0026rsquo;,\u0026rsquo; result\u0026rsquo;, and\u0026rsquo; condition\u0026rsquo; were calculated by comparing the instances of these to the total number of clause complexes and qualitatively assessed for the underlying semantic constructs these represented.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e"},{"header":"4 Results","content":"\u003cp\u003eThe results of the analysis of scam and legitimate messages is presented below based on the SFL categories relevant to examining scam messages across the ideational, interpersonal, and textual metafunctions. Each linguistic feature is reported with findings from both the scam and legitimate samples. Samples are numbered with \u0026lsquo;L\u0026rsquo; preceding the number indicating a legitimate sample, and \u0026lsquo;S\u0026rsquo; being a sample from the scam data.\u003c/p\u003e\u003cdiv id=\"Sec28\" class=\"Section2\"\u003e\u003ch2\u003e4.1 Clause complexing\u003c/h2\u003e\u003cp\u003e66 scam samples (62%) contained a clause complex structure. Similarly, results of the analysis of legitimate samples showed 62.5% contained a clause complex. However, the type of clausal structure different significantly between the scam and legitimate messages. Table\u0026nbsp;\u003cspan refid=\"Tab5\" class=\"InternalRef\"\u003e5\u003c/span\u003e below presents the frequencies and proportions of key clause complexing patterns identified in the scam and legitimate messages, based on Halliday and Matthiessen\u0026rsquo;s (\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e) clausal function categories.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab5\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 5\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003e\u003cem\u003eClause complexing in scam vs legitimate messages\u003c/em\u003e\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"5\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eClausal structure\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eNumber of occurrences in scam messages containing a clause complex (n\u0026thinsp;=\u0026thinsp;66)\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003e%\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eNumber of occurrences in legitimate messages containing a clause complex (n\u0026thinsp;=\u0026thinsp;10)\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c5\"\u003e\u003cp\u003e%\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eResult - purpose\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e26\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e39.4\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e10.0\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eResult - reason\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e18\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e27.3\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e0\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e0.0\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003ePurpose - result\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e10\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e15.2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e10.0\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eReason - result\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e5\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e7.6\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e0\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e0.0\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eConditional\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e7\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e10.6\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e8\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e80.0\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eThese results demonstrate that scam messages use complex clause structures more frequently to present instructions (results) alongside justifications (reasons or purposes), such as in sample S66 below:\u003c/p\u003e\u003cp\u003e\u003cem\u003eYour parcel has been redirected to your local AusPost branch due to unpaid shipping fees.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eIn contrast, legitimate messages were mostly declarative and informational, with minimal complexing, such as in sample L2 which states:\u003c/p\u003e\u003cp\u003e\u003cem\u003eFrom ANZ: Your internet banking password has been updated.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eNotably, legitimate texts did not include any reason clauses to justify the message, which may reduce their susceptibility to misinterpretation. A striking finding is the high proportion of conditional clauses in the legitimate samples. These texts used conditional clauses to inform and offer contact pathways, for example,\u003c/p\u003e\u003cp\u003e\u003cem\u003eIf nobody\u0026rsquo;s home, we will look for a safe place to leave it.\u003c/em\u003e (L3)\u003c/p\u003e\u003cp\u003e\u003cem\u003eIf you didn\u0026rsquo;t make this change, please call us on XXXX\u003c/em\u003e. (L1)\u003c/p\u003e\u003cp\u003eIn contrast, scam texts used conditional clauses more sparingly, likely to avoid overly obvious threat structures. When present, they framed direct consequences of inaction, such as,\u003c/p\u003e\u003cp\u003e\u003cem\u003eYour Optus plan will be terminated if you do not update your details now\u003c/em\u003e (S77),\u003c/p\u003e\u003cp\u003eor in instances when used to provide instructions to rectify an error or issue, they were followed by a highlighted link, presumably to a phishing site. The following example shows a conditional clause followed by a malicious link from sample S62.\u003c/p\u003e\u003cp\u003e\u003cem\u003eif you didn\u0026rsquo;t make this change Go To\u003c/em\u003e (malicious web address) \u003cem\u003eimmediately\u003c/em\u003e [sic]\u003c/p\u003e\u003cp\u003eWhile conditional clauses can be used to communicate threats, and are a known \u0026lsquo;red flag\u0026rsquo;, threatening language in the scam texts was presented more subtly, as will be explained in Section \u003cspan refid=\"Sec33\" class=\"InternalRef\"\u003e4.6\u003c/span\u003e below.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec29\" class=\"Section2\"\u003e\u003ch2\u003e4.2 Purpose clauses preceding links\u003c/h2\u003e\u003cp\u003eNo legitimate messages contained hyperlinks, aligning with various organisational advisories stating that links are never sent. All of the scam messages contained some active method to communicate with the scammers and 62 (59%) were contained within a purpose clause complex to explain why the recipient should click a link or call a specific number. For example,\u003c/p\u003e\u003cp\u003e\u003cem\u003eTo update your details, login here\u003c/em\u003e (link). (S53)\u003c/p\u003e\u003cp\u003e84 messages (79%) indicated a negative consequence of not using a provided link, but not necessarily in the same clause complex. Negative outcomes for not using links were provided as veiled threats in 37% of scam messages due to the consequences stated. For example,\u003c/p\u003e\u003cp\u003e\u003cem\u003eLogin via the secure link\u003c/em\u003e (link) \u003cspan type=\"ItalicUnderline\" class=\"ItalicUnderline\" name=\"Emphasis\"\u003eto avoid account suspension\u003c/span\u003e.\u003c/p\u003e\u003cp\u003eAlthough lexical analysis is not the focus here, it should be noted that the language used in stating the consequences of inaction was mostly material processes (action verbs) of restriction or deletion; examples are: \u003cem\u003esuspended, fined, blocked, deleted.\u003c/em\u003e This finding could be explored in future studies.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec30\" class=\"Section2\"\u003e\u003ch2\u003e4.3 Circumstances\u003c/h2\u003e\u003cp\u003eThe number and percentage of scam and legitimate messages containing temporal, location, and manner circumstances is given below in Table\u0026nbsp;\u003cspan refid=\"Tab6\" class=\"InternalRef\"\u003e6\u003c/span\u003e, followed by an overview of the results of each circumstance type.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab6\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 6\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003e\u003cem\u003eCircumstances in scam vs legitimate messages\u003c/em\u003e\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"5\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCircumstance type\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eNumber of occurrences in scam messages (n\u0026thinsp;=\u0026thinsp;106)\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003e%\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eNumber of occurrences in legitimate messages (n\u0026thinsp;=\u0026thinsp;16)\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c5\"\u003e\u003cp\u003e%\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eTime\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e61\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e57.5%\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e0\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e0.0%\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eLocation\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e25\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e23.6%\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e12.5%\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eManner\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e25\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e23.6%\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e12.5%\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eTemporal circumstances as urgency markers\u003c/b\u003e\u003c/p\u003e\u003cp\u003eTemporal circumstantial adjuncts were used in almost 58% of the scam text messages and were exclusively used to intensify urgency and reduce the recipient's reflection time. These included phrases such as \u003cem\u003ewithin 24 hours\u003c/em\u003e, \u003cem\u003eby (date)\u003c/em\u003e, \u003cem\u003eimmediately\u003c/em\u003e, or \u003cem\u003enow\u003c/em\u003e. In significant contrast, there were no such occurrences in the legitimate samples.\u003c/p\u003e\u003cp\u003e\u003cb\u003eLocation and manner circumstances\u003c/b\u003e\u003c/p\u003e\u003cp\u003eIn the scam text messages, 24% contained a circumstance of location such as \u003cem\u003eClick\u003c/em\u003e \u003cspan type=\"ItalicUnderline\" class=\"ItalicUnderline\" name=\"Emphasis\"\u003ehere\u003c/span\u003e or \u003cem\u003eVerify at\u003c/em\u003e \u003cspan type=\"ItalicUnderline\" class=\"ItalicUnderline\" name=\"Emphasis\"\u003ethis\u003c/span\u003e \u003cem\u003elink\u003c/em\u003e, and 24% contained a circumstance of manner such as \u003cspan type=\"ItalicUnderline\" class=\"ItalicUnderline\" name=\"Emphasis\"\u003eBy\u003c/span\u003e \u003cem\u003eclicking this link\u003c/em\u003e, and all of these instances preceded malicious links. Circumstances of manner or location appeared in 12% of legitimate samples but were preceded by phone numbers which were not hyperlinked. This difference to scam texts which tended to pair circumstances with direct links reinforces the coercive action pathways typical in phishing strategies.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec31\" class=\"Section2\"\u003e\u003ch2\u003e4.4 Imperative mood\u003c/h2\u003e\u003cp\u003eJust over 80% of legitimate messages contained imperative forms, while 107% (often more than one) of the analysed scam messages contained imperatives (shown below in Table\u0026nbsp;\u003cspan refid=\"Tab7\" class=\"InternalRef\"\u003e7\u003c/span\u003e).\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab7\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 7\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003e\u003cem\u003eImperatives in scam vs legitimate messages\u003c/em\u003e\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"3\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eImperative use\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eNumber of occurrences\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003e%\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eScam messages (n\u0026thinsp;=\u0026thinsp;106)\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e113\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e107\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eLegitimate messages (n\u0026thinsp;=\u0026thinsp;16)\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e13\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e81\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eWhile both corpora employed imperatives, their usage differed significantly in function and intensity. The legitimate messages typically used imperatives in low-pressure or informational contexts (e.g., \u003cem\u003elog in, visit\u003c/em\u003e) and were not followed by hyperlinks. In contrast, for scam texts, imperatives were followed by direct links or phone numbers, and the range of imperatives was greater (\u003cem\u003eclick, confirm, update, correct, verify, respond, review, pay\u003c/em\u003e). These were often followed by immediacy markers of temporal circumstances (e.g. \u003cem\u003ePay\u003c/em\u003e \u003cspan type=\"ItalicUnderline\" class=\"ItalicUnderline\" name=\"Emphasis\"\u003enow\u003c/span\u003e; \u003cem\u003eConfirm\u003c/em\u003e \u003cspan type=\"ItalicUnderline\" class=\"ItalicUnderline\" name=\"Emphasis\"\u003eas soon as possible\u003c/span\u003e). These patterns reflect the scammers\u0026rsquo; strategic use of imperatives to establish authority and prompt rapid, impulsive responses. Targeted recipients with lower English proficiency, for example, may perceive such directives as non-negotiable instructions rather than optional suggestions. The processes used in imperatives in the legitimate messages indicated a method of contact (\u003cem\u003ecall, log in, visit\u003c/em\u003e), however, most of the imperatives in the scam messages were more specific and related to required actions to rectify a problem (\u003cem\u003eConfirm, Review, etc.).\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThis variation in the imperative processes could be explored further and considered when developing awareness campaigns and example language.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec32\" class=\"Section2\"\u003e\u003ch2\u003e4.5 High modality\u003c/h2\u003e\u003cp\u003eModal use in scam and legitimate messages revealed distinct patterns aligned with interpersonal strategies. Phishing messages exploited modulation, particularly high obligation and high inclination to enforce compliance and simulate institutional authority. For example:\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Tabd\" border=\"1\"\u003e\u003ccolgroup cols=\"2\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cem\u003eYou must verify your identity.\u003c/em\u003e\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eObligation (high modality)\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cem\u003eYour account will be suspended.\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eInclination (high modality)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eIn contrast, legitimate messages tended to use inclination to describe what the organisation will do. For example,\u003c/p\u003e\u003cp\u003e\u003cem\u003eWe will deliver your parcel tomorrow\u003c/em\u003e,\u003c/p\u003e\u003cp\u003eand avoid obligation or threats, thereby maintaining an informative rather than coercive tone.\u003c/p\u003e\u003cp\u003eTable\u0026nbsp;\u003cspan refid=\"Tab8\" class=\"InternalRef\"\u003e8\u003c/span\u003e below shows the results of the modal analysis for the scam and legitimate samples.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab8\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 8\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003e\u003cem\u003eModal process analysis results from scam and legitimate samples\u003c/em\u003e\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"9\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c6\" colnum=\"6\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c7\" colnum=\"7\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c8\" colnum=\"8\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c9\" colnum=\"9\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eModality Type (Halliday \u0026amp; Matthiessen, \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2014\u003c/span\u003e)\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eSubtype\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eModal operator and value\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eNumber of occurrences in scam messages (n\u0026thinsp;=\u0026thinsp;106)\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c5\"\u003e\u003cp\u003e%\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c6\"\u003e\u003cp\u003eNumber of occurrences in legitimate messages (n\u0026thinsp;=\u0026thinsp;16)\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c7\"\u003e\u003cp\u003e%\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c8\"\u003e\u0026nbsp;\u003c/th\u003e\u003cth align=\"left\" colname=\"c9\"\u003e\u0026nbsp;\u003c/th\u003e\u003c/tr\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eAll modality\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003e48\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c5\"\u003e\u003cp\u003e45\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c6\"\u003e\u003cp\u003e9\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c7\"\u003e\u003cp\u003e56\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c8\"\u003e\u0026nbsp;\u003c/th\u003e\u003cth align=\"left\" colname=\"c9\"\u003e\u0026nbsp;\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eModulation\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eObligation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003emust - high\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e6\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e6\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e0\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c7\"\u003e\u003cp\u003e0\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c8\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c9\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eModulation\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eObligation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ehave to -high\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e0\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c7\"\u003e\u003cp\u003e0\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c8\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c9\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eModulation\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eInclination\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ewill - high\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e28\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e26\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e6\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c7\"\u003e\u003cp\u003e37.5\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c8\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c9\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eModulation\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eInclination\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ewould - medium\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c7\"\u003e\u003cp\u003e0.5\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c8\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c9\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eModulation\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eInclination\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ecan/cannot - medium\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e9 (\u0026ldquo;cannot\u0026rdquo; = 6)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e8\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e2 (\u0026ldquo;can\u0026rdquo;)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c7\"\u003e\u003cp\u003e12.5\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c8\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c9\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eModalization\u003c/b\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eProbability\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eMay -low\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e0\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c7\"\u003e\u003cp\u003e0\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c8\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c9\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eOverall, 45% of scam messages included a modal process. Scam messages predominantly utilised high modulation, especially of obligation (e.g. \u003cem\u003emust\u003c/em\u003e, \u003cem\u003ehave to\u003c/em\u003e) and inclination (e.g. \u003cem\u003ewill\u003c/em\u003e, \u003cem\u003ecannot\u003c/em\u003e), with the latter occurring most often. These modal processes were used to construct a tone of authority, urgency, and implicit threat, such as in clause complexes emphasising negative outcomes for non-compliance. One such example is,\u003c/p\u003e\u003cp\u003e\u003cem\u003eYour account will be suspended.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eOver half (56%) of legitimate messages also included modal processes. The modal process of inclination, \u003cem\u003ewill\u003c/em\u003e, was the most frequently used, however its function in all cases was to describe positive sender actions that required no recipient intervention, such as,\u003c/p\u003e\u003cp\u003e\u003cem\u003eWe\u0026rsquo;ll take it to a local post office\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe tone of the legitimate messages was notably less coercive. Interestingly, legitimate texts often employed contracted modal forms (e.g. \u003cem\u003eWe\u0026rsquo;ll)\u003c/em\u003e which were almost entirely absent from the scam corpus, suggesting a potential attempt by scammers to convey formal institutional tone by avoiding contractions. These findings demonstrate that modality functions interpersonally in phishing texts to simulate authority and pressure recipients into compliance, whereas legitimate communications use modality to convey institutional action without imposing on the recipient.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec33\" class=\"Section2\"\u003e\u003ch2\u003e4.6 Logico-semantic relations (\u0026lsquo;or\u0026rsquo; as alternative vs threat)\u003c/h2\u003e\u003cp\u003eOne small, but potentially significant finding, was the use of the conjunctive relations of alternation - \u003cem\u003eor\u003c/em\u003e and \u003cem\u003eotherwise\u003c/em\u003e. In the legitimate samples, 38% contained the conjunction \u003cem\u003eor\u003c/em\u003e to offer an alternative means of contact. For example,\u003c/p\u003e\u003cp\u003e\u003cem\u003eLogin to myetoll.transport.nsw.gov.au; visit Service NSW\u003c/em\u003e \u003cspan type=\"ItalicUnderline\" class=\"ItalicUnderline\" name=\"Emphasis\"\u003eor\u003c/span\u003e \u003cem\u003ecall 13 18 65\u003c/em\u003e,\u003c/p\u003e\u003cp\u003eor,\u003c/p\u003e\u003cp\u003e\u003cem\u003eTrack via the AusPost website\u003c/em\u003e \u003cspan type=\"ItalicUnderline\" class=\"ItalicUnderline\" name=\"Emphasis\"\u003eor\u003c/span\u003e \u003cem\u003ein the app\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThere were no instances of \u003cem\u003eotherwise\u003c/em\u003e in the legitimate samples, but these were present in the scam samples. Although only slightly more than 7% of scam samples contained \u003cem\u003eor\u003c/em\u003e or \u003cem\u003eotherwise\u003c/em\u003e, their purpose was to threaten a recipient for inaction, for instance,\u003c/p\u003e\u003cp\u003e\u003cem\u003eDo this via bit.ly/myGovhelp within 24 hours\u003c/em\u003e \u003cspan type=\"ItalicUnderline\" class=\"ItalicUnderline\" name=\"Emphasis\"\u003eor\u003c/span\u003e \u003cem\u003eyour account will be locked.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eOr\u003c/em\u003e was used slightly more frequently as it is less of an overt \u0026lsquo;red flag\u0026rsquo; indicating a threat. It is possible that in the samples that used \u003cem\u003eotherwise\u003c/em\u003e, the threatening undertone may have been overlooked by scammers due to lower English proficiency; another explanation may be that some texts were generated using AI technology, which can struggle to distinguish nuance in language.\u003c/p\u003e\u003c/div\u003e"},{"header":"5 Discussion","content":"\u003cp\u003eThe findings suggest that scam messages employ certain language structures to leverage urgency and authority. A striking difference between scam and legitimate messages lies in their use of clause complexing. Scam messages typically use complex sentence structures to build urgency or necessity, combining result, purpose, and reason clauses in ways that prioritise a recipient\u0026rsquo;s immediate response. In contrast, legitimate messages are generally simpler, with fewer complex clauses and no direct links. The relative complexity and demanding structure of scam messages increases their persuasive power, especially for vulnerable recipients who may have difficulty analysing complex sentence constructions or understanding implied and nuanced language. In scam advisories, highlighting these structural differences could help recipients identify patterns of scam messages. Advisories could exemplify differences between declarative and imperative language with linked consequences. In addition, examples of clausal patterns could help in scam identification and reduced impulsive responses. For vulnerable recipients, a justification for contact may increase compliance, especially when coupled with urgency markers and hyperlinks. Scam advisories aimed at vulnerable populations could explain that scam messages tend to provide reasons to click a link or take action and more importantly, list examples of such reasons (e.g. \u003cem\u003eto avoid suspension\u003c/em\u003e; \u003cem\u003edue to non-delivery, etc\u003c/em\u003e.).\u003c/p\u003e\u003cp\u003eA marked difference in the use of imperative mood between scam and legitimate messages was evident. Scam messages commonly use imperatives (\u003cem\u003eclick; verify; respond\u003c/em\u003e) paired with urgent time markers and consequences for non-compliance. These imperatives preceded links to malicious sites or requests for personal information, creating immediacy and compulsion. In contrast, imperatives in legitimate messages usually indicate methods of contact rather than immediate action. For elderly individuals or those with limited English proficiency, imperatives in scam messages may be particularly disorienting. The imperative mood, particularly when coupled with urgency, can lead recipients to feel a sense of obligation, which scammers exploit to prompt hasty actions.\u003c/p\u003e\u003cp\u003eHigh modality to convey certainty and inevitability was revealed as a feature of phishing texts. Phishing attempts framed the modality around consequences arising from inaction. Legitimate messages, however, used high modality to express neutral actions by the sender without detrimental effects on the recipient. The finality and necessity conveyed through high modality is effective in persuading text recipients to respond to, and follow, prompts and links contained in messages due to their instructional nature.\u003c/p\u003e\u003cp\u003eFinally, temporal circumstances necessitating prompt action were frequently used in phishing attempts and these temporal markers state that action must be taken within limited set time frames to prevent negative consequences. In contrast, legitimate messages did not contain any temporal circumstances, highlighting the false urgency that is a hallmark of scam messages. Although this use of time-sensitive language is a known red flag in phishing messages, advisories could highlight the specific temporal circumstantial markers commonly employed by scammers.\u003c/p\u003e"},{"header":"6 Conclusion","content":"\u003cp\u003eThis study demonstrates the value of systemic-functional linguistics (SFL) in identifying linguistic patterns that underpin phishing text messages. By analysing clause complexing, imperative mood, modality, and conjunctions, the research reveals how scammers construct urgency, authority, and emotional manipulation to prompt compliance. These findings are particularly relevant for vulnerable populations, such as elderly individuals and those from non-English speaking backgrounds, who may struggle to detect subtle linguistic cues. The study highlights the need for advisory content that includes concrete examples of scam language, rather than generalised warnings, to support more effective public awareness and scam prevention.\u003c/p\u003e\u003cp\u003eWhile the study offers important insights, several limitations should be acknowledged. The phishing sample size (n\u0026thinsp;=\u0026thinsp;106) was appropriate for a pilot investigation, but future research could benefit from a larger and more diverse dataset to enhance generalisability. The control corpus of legitimate messages was relatively small (n\u0026thinsp;=\u0026thinsp;16), reflecting the difficulty in accessing authentic samples from institutions. Although this size is justified for comparative purposes and aligns with discourse analytic conventions, expanding the control set could strengthen future analyses. Additionally, while inter-rater checking was conducted, formal reliability metrics were not calculated. Future studies could incorporate more rigorous reliability testing and broaden the demographic and linguistic scope of the data.\u003c/p\u003e\u003cp\u003eThese findings have implications not only for improving scam advisories but also for advancing automated detection systems. As scammers increasingly adopt AI-driven methods to craft convincing messages, integrating SFL frameworks into large language models (LLMs) and other natural language processing (NLP) systems offers a promising avenue for real-time scam detection. By recognising psychological and linguistic cues tailored to specific vulnerabilities, such systems could provide enhanced protection for at-risk communities. Ultimately, this research contributes to a growing interdisciplinary effort to mitigate the impact of cyber fraud through linguistic, technological, and policy-driven strategies.\u003c/p\u003e"},{"header":"Declarations","content":"\u003cp\u003e\u003cstrong\u003eAcknowledgments\u0026nbsp;\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThe author would like to thank Transport NSW and TransLink for their specific assistance and support during the data collection stage.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eFunding support\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThis research was supported by funding from the Griffith University Centre for Social and Cultural Research. The was part of the \u003cem\u003eGCSCR ECR Seed Funding Grant Scheme 2024\u003c/em\u003e, an internal grant at Griffith University.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCompeting interests\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThe author declares no competing interests.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eData availability\u0026nbsp;\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eSome organisations that provided data did not agree to having it made publicly available. Approval to access data can be made by contacting the author.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eEthical approval\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThis article does not contain any studies with human participants performed by the author.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAuthor contributions\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003e[Author] was the only author involved in the research and writing of this article.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eInformed consent\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThis study did not involve human participants or their data and was not applicable to conducting the research.\u003c/p\u003e\n"},{"header":"References","content":"\u003col\u003e\n\u003cli\u003eAchuthan K, Khobragade S, Kowalski R (2025) Cybercrime through the public lens: a longitudinal analysis. Humanit Soc Sci Commun \u003cem\u003e12\u003c/em\u003e:282 https://doi.org/10.1057/s41599-025-04459-x\u003c/li\u003e\n\u003cli\u003eAustralian Communications and Media Authority (ACMA) (2022)\u003cem\u003e \u003c/em\u003eReducing the impact of scams delivered via short message service (SMS): Regulation Impact Statement. https://www.acma.gov.au/sites/default/files/2022-07/Reducing%20the%20impact%20of%20SMS%20scams.docx. Accessed Sept 3 2025\u003c/li\u003e\n\u003cli\u003eAustralian Communications and Media Authority (ACMA) (2024) End of financial year tax scams\u003cem\u003e.\u003c/em\u003e https://www.acma.gov.au/articles/2024-06/end-financial-year-tax-scams. Accessed Aug 22 2025\u003c/li\u003e\n\u003cli\u003eAustralian Competition and Consumer Commission (ACCC) (2022) Scam losses to culturally diverse communities, people with disability and Indigenous Australians almost doubled in 2021.\u003cem\u003e \u003c/em\u003ehttps://www.accc.gov.au/media-release/scam-losses-to-culturally-diverse-communities-people-with-disability-and-indigenous-australians-almost-doubled-in-2021. Accessed Aug 28 2025\u003c/li\u003e\n\u003cli\u003eAustralian Competition and Consumer Commission (ACCC) (2025) National anti-scam centre calls for stronger business role to disrupt scams.\u003cem\u003e \u003c/em\u003ehttps://www.accc.gov.au/media-release/national-anti-scam-centre-calls-for-stronger-business-role-to-disrupt-scams. Accessed Aug 18 2025\u003c/li\u003e\n\u003cli\u003eAustralian Human Rights Commission (2024)\u003cem\u003e \u003c/em\u003eCyberbullying, Human rights and bystanders.\u003cem\u003e \u003c/em\u003ehttps://humanrights.gov.au/our-work/commission-general/cyberbullying-human-rights-and-bystanders-0#:~:text=Victims%20can%20experience%20significant%20social,committing%20suicide%20have%20also%20occurred. Accessed Aug 21 2025\u003c/li\u003e\n\u003cli\u003eAustralian Securities and Investment Commission (ASIC) (2024)\u003cem\u003e \u003c/em\u003eASIC warns small businesses to be on high alert for scams. https://asic.gov.au/about-asic/news-centre/news-items/asic-warns-small-businesses-to-be-on-high-alert-for-scams/#:~:text=According%20to%20the%20Australian%20Competition,million%20of%20the%20total%20lost. Accessed Aug 22 2025\u003c/li\u003e\n\u003cli\u003eAustralian Taxation Office (ATO (2024)\u003cem\u003e \u003c/em\u003eScam alerts\u003cem\u003e.\u003c/em\u003e https://www.ato.gov.au/online-services/scams-cyber-safety-and-identity-protection/scam-alerts#August2023taxtimeSMSandemailscams. Accessed Aug 22 2025\u003c/li\u003e\n\u003cli\u003eBada M, Nurse JRC (2020) The social and psychological impacts of cyber-attacks. In: Benson V, McAlaney J (eds) Emerging cyberthreats and cognitive vulnerabilities.\u003cem\u003e \u003c/em\u003eAcademic Press, p 73-92 https://doi.org/10.1016/B978-0-12-816203-3.00004-6 \u003c/li\u003e\n\u003cli\u003eBailey J, Taylor L, Kingston P, Watts G (2021) Older adults and \u0026ldquo;scams\u0026rdquo;: Evidence from the Mass Observation Archive. J Adult Prot 1 http://dx.doi.org/10.1108/JAP-07-2020-0030\u003c/li\u003e\n\u003cli\u003eBateman J, McDonald D, Hiippala T, Couto-Vale D, Costetchi E (2019) Systemic functional linguistics and computation: New directions, new challenges. In: Thompson G, Bowcher WL, Fontaine L, Sch\u0026ouml;nthal D (eds) The Cambridge handbook of systemic functional linguistics. Cambridge University Press, Cambridge, p 561-586 https://doi.org/10.1017/9781316337936.024\u003c/li\u003e\n\u003cli\u003eBednarek M (2009) Corpora and discourse: a three-pronged approach to analyzing linguistic data. In: Cascadilla Proceedings Project, Somerville, MA, USA, p 19-24.\u003c/li\u003e\n\u003cli\u003eBolimos IA, Choo K-KR (2017) Online fraud offending within an Australian jurisdiction\u003cem\u003e.\u003c/em\u003e\u003cem\u003e \u003c/em\u003eJ Financ Crime 24(2):277-308 https://doi.org/10.1108/JFC-05-2016-0029\u003c/li\u003e\n\u003cli\u003eBorwell J, Jansen J, Wouter S (2022) The psychological and financial impact of cybercrime victimization: A novel application of the shattered assumptions theory. Soc Sci Comput Rev 40(4):933-954. https://doi.org/10.1177/0894439320983828\u003c/li\u003e\n\u003cli\u003eBravo C, Toska D (2023) The art of social engineering: uncover the secrets behind the human dynamics in cybersecurity, 1st edn. Packt Publishing https://www.oreilly.com/library/view/-/9781804613641/ \u003c/li\u003e\n\u003cli\u003eBrenner L, Meyll T, Stolper O, Walter A (2020) Consumer fraud victimization and financial well-being.\u003cem\u003e \u003c/em\u003eJ Econ Psychol 76 https://doi.org/10.1016/j.joep.2019.102243\u003c/li\u003e\n\u003cli\u003eButavicius M, Taib R, Han SJ (2022) Why people keep falling for phishing scams: The effects of time pressure and deception cues on the detection of phishing emails. Comput Secur\u003cem\u003e \u003c/em\u003e123 https://doi.org/10.1016/j.cose.2022.102937\u003c/li\u003e\n\u003cli\u003eButton M, Sugiura L, Blackbourn D, Kapend R, Shepherd D, Wang V (2020) Victims of Computer Misuse: Main Findings\u003cem\u003e.\u003c/em\u003e University of Portsmouth. https://pure.port.ac.uk/ws/portalfiles/portal/20818559/Victims_of_Computer_Misuse_Main_Findings.pdf \u003c/li\u003e\n\u003cli\u003eChowdhury NH, Adam MTP, Skinner G (2019) The impact of time pressure on cybersecurity behaviour: A systematic literature review. Behav Inf Technol \u003cem\u003e38\u003c/em\u003e(12):1290\u0026ndash;1308. https://doi.org/10.1080/0144929X.2019.1583769\u003c/li\u003e\n\u003cli\u003eCommonwealth Fraud Prevention Centre (2024) The total impacts of fraud. Australian Government. https://www.counterfraud.gov.au/total-impacts-fraud. Accessed Aug 22 2025\u003c/li\u003e\n\u003cli\u003eDepartment of Infrastructure, Transport, Regional Development, Communication and the Arts (2024) Fighting SMS Scams \u0026ndash; What type of SMS sender ID registry should be\u003cem\u003e \u003c/em\u003eintroduced in Australia? Commonwealth of Australia. https://www.infrastructure.gov.au/sites/default/files/documents/20240218-Consultation-paper-SMS-registry.docx. Accessed Aug 21 2025\u003c/li\u003e\n\u003cli\u003eEkman P, Friesen WV (1969) Nonverbal leakage and clues to deception. Psychiatry J 32(1):88-106 https://doi.org/10.1080/00332747.1969.11023575\u003c/li\u003e\n\u003cli\u003eFerreira A, Teles S (2019) Persuasion: How phishing emails can influence users and bypass security measures. Int J Hum Comput Stud 125:19-31 https://doi.org/10.1016/j.ijhcs.2018.12.004\u003c/li\u003e\n\u003cli\u003eGlobal Anti-Scam Alliance (GASA) (2024) International scammers steal over $1 trillion in 12 months in global state of scams report 2024.\u003cem\u003e \u003c/em\u003ehttps://www.gasa.org/post/global-state-of-scams-report-2024-1-trillion-stolen-in-12-months-gasa-feedzai. Accessed Aug 22 2025\u003c/li\u003e\n\u003cli\u003eGlobal Anti-Scam Alliance (GASA) (2025) Scaling Real-Time Scam Prevention: Best Practices for Fraud Operations from Westpac. https://www.gasa.org/post/scaling-real-time-scam-prevention-best-practices-for-fraud-operations-from-westpac. Accessed August 19 2025\u003c/li\u003e\n\u003cli\u003eGrilli MD, McVeigh KS, Hakim ZM, Wank AA, Getz SJ, Levin BE, Ebner NC, Wilson RC (2021) Is this phishing? Older age is associated with greater difficulty discriminating between safe and malicious emails. J Gerontol B Psychol Sci Soc Sci\u003cem\u003e \u003c/em\u003e76(9):1711-1715 https://doi.org/10.1093/geronb/gbaa228\u003c/li\u003e\n\u003cli\u003eHalliday MAK, Hasan R (1976)\u003cem\u003e \u003c/em\u003eCohesion in English. Longman. \u003c/li\u003e\n\u003cli\u003eHalliday MAK, Matthiessen CMIM (2014) Halliday\u0026apos;s Introduction to Functional Grammar, 4th edn. Routledge, London.\u003c/li\u003e\n\u003cli\u003eHasegawa AA, Yamashita N, Akiyama M, Mori T (2022) Experiences, behavioral tendencies, and concerns of non-native English speakers in identifying phishing emails. J Inf Process 30 :841-858 https://doi.org/10.2197/ipsjjip.30.841\u003c/li\u003e\n\u003cli\u003eHouse D, Raja MK (2019) Phishing: message appraisal and the exploration of fear and self-confidence. Behav Inf Technol 39(11):1204\u0026ndash;1224 https://doi.org/10.1080/0144929X.2019.1657180\u003c/li\u003e\n\u003cli\u003eHunston S (2022) Corpora in Applied Linguistics. Cambridge University Press.\u003c/li\u003e\n\u003cli\u003eJames BD, Boyle PA, Bennett DA (2014) Correlates of susceptibility to scams in older adults without dementia. J Elder Abuse Negl 26:107-22 https://doi.org/10.1080/08946566.2013.821809. \u003c/li\u003e\n\u003cli\u003eKemp S, Erades P\u0026eacute;rez N (2023) Consumer fraud against older adults in digital society: Examining victimization and its impact. Int J Environ Res Public Health 20(7):5404 https://doi.org/10.3390/ijerph20075404\u003c/li\u003e\n\u003cli\u003eKoning L, Junger M, Veldkamp B (2024) Risk factors for fraud victimization: The role of socio-demographics, personality, mental, general, and cognitive health, activities, and fraud knowledge\u003cem\u003e. \u003c/em\u003eInt Rev Vict 30(3):443-479 https://doi.org/10.1177/02697580231215839\u003c/li\u003e\n\u003cli\u003eLaroche H, Steyer V, Th\u0026eacute;ron, C (2019) How could you be so gullible? scams and over-trust in organizations. J Bus Ethics 160:641\u0026ndash;656. https://doi.org/10.1007/s10551-018-3941-z\u003c/li\u003e\n\u003cli\u003eLeukfeldt R, Malsch M (2019) Cybercrime has serious consequences for its victims. NSCR. https://nscr.nl/en/gevolgen-cybercrime-zeer-ingrijpend-voor-slachtoffers/. Accessed Jul 26 2025\u003c/li\u003e\n\u003cli\u003eLiu M, Liang X, Chen J (2024) Constructing identities in institutional impersonation fraud: self-styling and other-styling practices through stances. Humanit Soc Sci Commun 11:1467 https://doi.org/10.1057/s41599-024-03875-9\u003c/li\u003e\n\u003cli\u003eLuo X, Zhang W, Burd S, Seazzu A (2013) Investigating phishing victimization with the Heuristic-Systematic Model: A theoretical framework and an exploration\u003cem\u003e. \u003c/em\u003eComput Secur 38:28-38 https://doi.org/10.1016/j.cose.2012.12.003 \u003c/li\u003e\n\u003cli\u003eMcAlaney J, Hills PJ (2020) Understanding phishing email processing and perceived trustworthiness through eye tracking. Front Psychol 11 https://doi.org/10.3389/fpsyg.2020.01756\u003c/li\u003e\n\u003cli\u003eMahowald K, Ivanova AA, Blank IA, Kanwisher N, Tenenbaum JB, Fedorenko E (2024) Dissociating language and thought in large language models. Trends Cogn Sci 28(6):517-540 https://doi.org/10.1016/j.tics.2024.01.011\u003c/li\u003e\n\u003cli\u003eMair C (2014) Using \u0026lsquo;small\u0026rsquo; corpora to document ongoing grammatical change. In: Krug M, Schl\u0026uuml;ter J (eds) Research Methods in Language Variation and Change. Cambridge University Press, p 181-194\u003c/li\u003e\n\u003cli\u003eMohammad T, Hussin NAM, Husin MH (2022) Online safety awareness and human factors: An application of the theory of human ecology. Technol Soc 68 https://doi.org/10.1016/j.techsoc.2021.101823 \u003c/li\u003e\n\u003cli\u003eNational Anti-Scam Centre (NASC) (2024a) Together, we\u0026rsquo;re an unstoppable force. https://www.nasc.gov.au/#:~:text=The%20National%20Anti%2DScam%20Centre%2C%20run%2\n0by%20the%20ACCC%2C,to%20spot%20a\nnd%20avoid%20scams. Accessed Sept 2 2025\u003c/li\u003e\n\u003cli\u003eNational Anti-Scam Centre (NASC) (2024b) The national anti-scam centre launches online ScamWatch advice in 17 languages. https://www.nasc.gov.au/news/the-national-anti-scam-centre-launches-online-scamwatch-advice-in-17-languages#:~:text=%E2%80%9CCulturally%20and%20linguistically%20diverse%20communities,\nDeputy%20Chair%20Catriona%20Low\ne%20said. Accessed Sept 2 2025\u003c/li\u003e\n\u003cli\u003eNational Seniors Australia (2024) Seniors top scammers\u0026rsquo; hit list. https://nationalseniors.com.au/news/latest-news/seniors-top-scammers-hit-list. Accessed Aug 22 2025\u003c/li\u003e\n\u003cli\u003eNorfolk State University (2023) How are cybercrime and psychology related? https://online.nsu.edu/degrees/technology/master-of-science-cyberpsychology/cybercrime-and-psychology-related/. Accessed Aug 23 2025\u003c/li\u003e\n\u003cli\u003eNorris G, Brookes A, Dowell D (2019) The psychology of internet fraud victimisation: A systematic review.\u003cem\u003e \u003c/em\u003eJ Police Crim Psychol 34(3):231-245 https://doi.org/10.1007/s11896-019-09334-5\u003c/li\u003e\n\u003cli\u003ePalassis A, Speelman CP, Pooley JA (2021) An exploration of the psychological impact of hacking victimization. Sage Open 11(4) https://doi.org/10.1177/21582440211061556\u003c/li\u003e\n\u003cli\u003eQuirk R, Greenbaum S, Leech G, Svartvik S (1985) A comprehensive grammar of the English language. Pearson Longman, London.\u003c/li\u003e\n\u003cli\u003eReurink A (2019) Financial fraud: A literature review. In: Claus I, Krippner L (eds) Contemporary topics in finance: a collection of literature surveys. John Wiley \u0026amp; Sons, p 79-116 https://doi.org/10.1111/joes.12298 \u003c/li\u003e\n\u003cli\u003eRheindorf M (2019) Working with corpora small and large: qualitative and quantitative methods. In: Rheindorf M (ed) Revisiting the Toolbox of Discourse Studies: Postdisciplinary Studies in Discourse. Palgrave Macmillan, p 21-75. https://doi.org/10.1007/978-3-030-19369-0_2\u003c/li\u003e\n\u003cli\u003eScamWatch (2024) Phishing\u003cem\u003e.\u003c/em\u003e https://www.scamwatch.gov.au/stay-protected/attempts-to-gain-your-personal-information/phishing. Accessed August22 2025\u003c/li\u003e\n\u003cli\u003eScamWatch (2025) Scam statistics. https://www.scamwatch.gov.au/research-and-resources/scam-statistics. Accessed Aug 22 2025\u003c/li\u003e\n\u003cli\u003eSharoff S (2025) Form and function: automatic methods for prediction of functions. In: Wegener R, Fontaine L, Sellami-Baklouti A, McCabe A (eds) The Routledge Handbook of Transdisciplinary Systemic Functional Linguistics: Halliday beyond Linguistics.\u003cem\u003e \u003c/em\u003eRoutledge Publishing.\u003c/li\u003e\n\u003cli\u003eSkopal DP, Herkel M (2017) Public discourse syndrome: Reformulating for clarity. Text \u0026amp; Talk 37(1):141-164.\u003c/li\u003e\n\u003cli\u003eSteves M, Greene K, Theofanos M (2020) Categorizing human phishing difficulty: a phish scale. J Cybersecur\u003cem\u003e \u003c/em\u003e1-16. https://doi.org/10.1093/cybsec/tyaa009\u003c/li\u003e\n\u003cli\u003eThe Treasury (2023)\u003cem\u003e \u003c/em\u003eScams \u0026ndash; Mandatory Industry Codes. Australian Government. https://treasury.gov.au/sites/default/files/2023-11/c2023-464732-cp.pdf. Accessed Aug 22 2025\u003c/li\u003e\n\u003cli\u003eVoce I, Morgan A (2023) Cybercrime in Australia 2023. AIC Reports 43. Australian Institute of Criminology https://www.aic.gov.au/sites/default/files/2023-06/sr43_cybercrime_in_australia_2023.pdf. Accessed Aug 22 2025\u003c/li\u003e\n\u003cli\u003eWalton D (2014) Speech acts and indirect threats in ad baculum arguments: a reply to Budzynska and Witek. Argument J\u003cem\u003e \u003c/em\u003e28(3):317-324. \u003c/li\u003e\n\u003cli\u003eWhitty MT (2019) Predicting susceptibility to cyber-fraud victimhood. J Financ Crime 26(1):277-292. https://doi.org/10.1108/JFC-10-2017-0095\u003c/li\u003e\n\u003cli\u003eWhitty MT, Buchanan T (2015) The online dating romance scam: The psychological impact on victims \u0026ndash; both financial and non-financial\u003cem\u003e.\u003c/em\u003e Criminol Crim Justice\u003cem\u003e \u003c/em\u003e16(2):176\u0026ndash;194. https://journals.sagepub.com/doi/10.1177/1748895815603773\u003c/li\u003e\n\u003cli\u003eZhang J 2025 Context-aware annotation framework for NLP applications. In: 2025 5th International Conference on Artificial Intelligence and Industrial Technology Applications (AIITA), Xi\u0026apos;an, China, 2025, p 1380-1383. 10.1109/AIITA65135.2025.11047858\u003c/li\u003e\n\u003c/ol\u003e"},{"header":"Footnotes","content":"\u003col\u003e\u003cli\u003e\u003cspan\u003e ScamWatch Australia differentiates phishing from other text scams, such as fake billing, for statistical purposes. This study uses the term phishing to include any text or SMS messages that are malicious and contain links to sites that are used to make fake payments or steal personal information.\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003e The ACCC\u0026rsquo;s \u003cem\u003eThe Little Book of Scams\u003c/em\u003e is a reference booklet giving an overview of scams. Its translated copies into 17 languages as well as in simple English, are downloadable at \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://www.accc.gov.au/about-us/publications/the-little-book-of-scams\u003c/span\u003e\u003cspan address=\"https://www.accc.gov.au/about-us/publications/the-little-book-of-scams\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e"}],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":true,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":false,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":false,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":false,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"
[email protected]","identity":"humanities-and-social-sciences-communications","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"palcomms","sideBox":"Learn more about [Humanities \u0026 Social Sciences Communications](http://www.nature.com/palcomms/)","snPcode":"41599","submissionUrl":"https://submission.springernature.com/new-submission/41599/3","title":"Humanities and Social Sciences Communications","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"stoa","reportingPortfolio":"Nature AJ","inReviewEnabled":true,"inReviewRevisionsEnabled":false},"keywords":"Systemic-functional linguistics, scams, phishing, cyberfraud, vulnerable populations, scam detection","lastPublishedDoi":"10.21203/rs.3.rs-7532083/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-7532083/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eDigital scams are a reality of a connected society, and vulnerable populations, particularly the elderly and individuals from non-English speaking (NESB) backgrounds, face significant risks. These groups often struggle to recognise scam tactics due to technological and language barriers, rendering them susceptible to cyberfraud victimisation. By comparing 106 phishing text messages in Australia with legitimate text messages sent by frequently imitated organisations, this study examined the threat of phishing text messages, which account for substantial financial losses and reduced wellbeing globally. Using systemic-functional linguistics (SFL), a framework that ties language choices to context and function, specific linguistic features that manipulate receivers of phishing messages were identified. Results of the analysis showed that different clause types; time, location, and manner markers; high modality; and conjunctive use, were influential in creating urgency and authority, and eliciting emotional responses to phishing messages. Many current advisory resources offer generalised advice and explanations of scam tactics, yet fail to include concrete examples of such communications. By aligning linguistic analysis with human behavioural constructs and public policy, the results of this study have implications for the protection of vulnerable community groups from growing cyber threats through enhancing advisory content, and by developing automated scam detection systems.\u003c/p\u003e","manuscriptTitle":"“Account suspension. Verify now”: using systemic-functional linguistics to improve phishing text advisories for vulnerable groups","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-10-08 15:04:51","doi":"10.21203/rs.3.rs-7532083/v1","editorialEvents":[{"type":"communityComments","content":0},{"type":"decision","content":"Revision requested","date":"2026-03-04T19:29:50+00:00","index":"","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2026-01-31T09:52:42+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"244650318880356377406916420934567282757","date":"2025-12-17T09:00:09+00:00","index":"hide","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2025-11-09T11:01:41+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"25921901339944409392978637878471830051","date":"2025-10-01T10:01:50+00:00","index":"hide","fulltext":""},{"type":"reviewersInvited","content":"","date":"2025-09-26T06:47:06+00:00","index":"","fulltext":""},{"type":"editorInvited","content":"","date":"2025-09-26T06:14:50+00:00","index":"","fulltext":""},{"type":"editorAssigned","content":"","date":"2025-09-24T07:09:10+00:00","index":"","fulltext":""},{"type":"checksComplete","content":"","date":"2025-09-05T09:30:18+00:00","index":"","fulltext":""},{"type":"submitted","content":"Humanities and Social Sciences Communications","date":"2025-09-04T04:49:38+00:00","index":"","fulltext":""}],"status":"published","journal":{"display":true,"email":"
[email protected]","identity":"humanities-and-social-sciences-communications","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"palcomms","sideBox":"Learn more about [Humanities \u0026 Social Sciences Communications](http://www.nature.com/palcomms/)","snPcode":"41599","submissionUrl":"https://submission.springernature.com/new-submission/41599/3","title":"Humanities and Social Sciences Communications","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"stoa","reportingPortfolio":"Nature AJ","inReviewEnabled":true,"inReviewRevisionsEnabled":false}}],"origin":"","ownerIdentity":"e60f8733-9c62-4b9f-9748-c52c66947a45","owner":[],"postedDate":"October 8th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"under-review","subjectAreas":[{"id":55807155,"name":"Business and commerce/Information systems and information technology"},{"id":55807156,"name":"Physical sciences/Mathematics and computing"},{"id":55807157,"name":"Biological sciences/Psychology"},{"id":55807159,"name":"Social science/Psychology"},{"id":55807161,"name":"Social science/Science technology and society"}],"tags":[],"updatedAt":"2026-05-19T03:10:15+00:00","versionOfRecord":[],"versionCreatedAt":"2025-10-08 15:04:51","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-7532083","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-7532083","identity":"rs-7532083","version":["v1"]},"buildId":"XKTyCvWXoU3ODBz1xrDgd","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}
Text is read by the "Ask this paper" AI Q&A widget below.
Extraction quality varies by source — PMC NXML preserves structure
cleanly, OA-HTML may include some navigation residue, and OA-PDF can
have broken hyphenation. The publisher copy
(via DOI)
is the canonical version.