People Continuously Exposed to Phishing Eventually Fall for It, Research Shows

A new study focused on user behavior in the context of phishing reveals - perhaps unsurprisingly - that the more people engage with their inbox, the more likely they are to fall for a scam.

Researchers at ETH Zurich conducted a phishing test on 14,733 participants over 15 months in a controlled environment. Unlike other studies of this kind, researchers wanted to gather results without the subjects knowing they were serving as guinea pigs.

They found that participants with jobs that involve specialized computer use (branch workers who mostly use a single dedicated program) clicked on more links in phishing emails and performed more dangerous actions than participants in other comparable groups.

“While it is common to leverage the amount of computer use in participants’ jobs as a proxy for technological skills, our results suggest that the type of computer use and the expectations in one’s job might also influence phishing susceptibility,” according to the paper.

While the study found no gender-based correlations, researchers did find a correlation with age. For example, the youngest test subjects (18-19 y/o) clicked more often and performed more dangerous actions. Participants in the 50–59 age range were also more at risk than the top performers (20–29).

In another finding, people who had already fallen for a phishing scam were susceptible to fall for another, supporting a previous preliminary study thoat showed similar results.

Finally, many users will eventually fall for a phishing trick if continuously exposed.

32.10% of participants clicked on at least one link or attachment in the simulated phishing emails. A similar percentage, or 25.43%, performed dangerous actions at least once.

“These results indicate that a rather large fraction of the entire employee base will be vulnerable to phishing when exposed to phishing emails for a sufficiently long time,” the researchers said.

ETH Zurich claims it is the first research group to show this result at scale. Readers can access the full paper here.