Today, let's talk about users. Researchers at ETH Zurich conducted a large-scale phishing study with an unnamed company to understand phishing attacks, and the data contradicts standard best practices.
Contradicting earlier studies, gender does not correlate with phishing susceptibility. Instead, the study found that younger and older people are more prone to clicking on phishing links, so age is a crucial factor. Moreover, those who use specialized software for repetitive tasks are more likely to fall for phishing traps than those who do not need computers for their day-to-day jobs.
An interesting finding in the ETH study is that employees continuously exposed to phishing eventually fall for it, as 32.1% of the study participants clicked on at least one dangerous link or attachment.
Warnings on suspicious emails were found to be effective, but this effectiveness didn’t grow as the warning messages got more detailed, which is a new finding.
Why do we care?
This is interesting new data. Two findings stand out: warnings on suspicious emails are effective, but their effectiveness does not grow with more detail; and voluntary embedded training in simulations is ineffective, and in fact made employees more susceptible to phishing.
My big takeaway was about the tech: not just the idea that you need filtering and layered security, but that detail about repetitive tasks. Building systems that minimize the damage and don't dull users to what they are doing seems a decisive direction.