"Explain, Don't Just Warn!" - A Real-Time Framework for Generating Phishing Warnings with Contextual Cues

📅 2025-05-11
🤖 AI Summary
Existing anti-phishing tools provide only generic warnings without interpretable explanations of phishing indicators, limiting users’ ability to recognize threats. To address this, we propose PhishXplain—the first real-time, visual, context-aware phishing explanation system designed for end users. Built upon a memory-optimized lightweight LLaMA 3.2 model, it employs structured two-stage prompt engineering to automatically detect phishing features, generate natural-language explanations, and overlay salient cues onto dynamic webpage screenshots. Evaluated on 7,091 real-world phishing sites, PhishXplain achieves 94% coverage and 96% explanation accuracy. A user study demonstrates that its explanatory warnings improve threat identification accuracy by 31% in no-warning conditions, significantly enhancing threat recognition capability, warning trustworthiness, and user satisfaction—particularly among individuals with low cybersecurity literacy.

📝 Abstract
Anti-phishing tools typically display generic warnings that offer users limited explanation of why a website is considered malicious, which can prevent end-users from developing the mental models needed to recognize phishing cues on their own. This becomes especially problematic when these tools inevitably fail, particularly against evasive threats, and users are found to be ill-equipped to identify and avoid them independently. To address these limitations, we present PhishXplain (PXP), a real-time explainable phishing warning system designed to augment existing detection mechanisms. PXP empowers users by clearly articulating why a site is flagged as malicious, highlighting suspicious elements using a memory-efficient implementation of LLaMA 3.2. It utilizes a structured two-step prompt architecture to identify phishing features, generate contextual explanations, and render annotated screenshots that visually reinforce the warning. Longitudinally implementing PhishXplain over a month on 7,091 live phishing websites, we found that it can generate warnings for 94% of the sites, with a correctness of 96%. We also evaluated PhishXplain through a user study with 150 participants split into two groups: one received conventional, generic warnings, while the other interacted with PXP's explainable alerts. Participants who received the explainable warnings not only demonstrated a significantly better understanding of phishing indicators but also achieved higher accuracy in identifying phishing threats, even without any warning. Moreover, they reported greater satisfaction and trust in the warnings themselves. These improvements were especially pronounced among users with lower initial levels of cybersecurity proficiency and awareness. To encourage the adoption of this framework, we release PhishXplain as an open-source browser extension.

Problem

Research questions and friction points this paper is trying to address.

Generic phishing warnings lack explanations for malicious site classifications
Users struggle to identify phishing independently when tools fail
Need for real-time, explainable warnings to improve user understanding and trust

Innovation

Methods, ideas, or system contributions that make the work stand out.

Real-time explainable phishing warning system
Memory-efficient LLaMA 3.2 implementation
Two-step prompt architecture for explanations