ARCHIVES

Phishing attacks continue to rely heavily on deceptive URLs, making them a persistent source of credential theft and financial fraud, with over 1.35 million incidents reported globally in 2023. While machine learning models have shown strong performance in detecting such threats, their lack of transparency often makes it difficult for analysts and end-users to understand why a particular URL is flagged, which can reduce trust in real-world deployments.In this work, we present XPhishNet, an explainable framework for phishing URL detection that combines a Random Forest classifier with SHAP (SHapley Additive exPlanations) to provide clear, instance-level explanations alongside prediction outcomes. The system utilizes a set of 32 features derived from lexical patterns, host-based properties, and content-level characteristics of URLs. Experiments were conducted on a dataset of 280,945 labeled URLs collected from the PhiUSIIL and PhishTank repositories. Among the evaluated models, Random Forest consistently achieved the best performance across accuracy, precision, recall, and F1-score using stratified 5-fold cross-validation. Further analysis using SHAP highlights domain age, the use of IP addresses, and subdomain depth as the most influential indicators of phishing activity. To improve usability, a lightweight module is introduced to translate feature importance scores into simple, human-readable alerts without relying on large language model infrastructure. The reliability of these explanations is supported by strong agreement with a permutation-based feature importance baseline, with Kendall’s τ measured at 0.89. Overall, the proposed approach balances detection performance with interpretability, making it more suitable for practical and compliance- driven cybersecurity applications