Phishing is the attack vector of choice for many cybercriminals. Attacks are easy to perform, they are often successful, and they provide the foothold in business networks that is required for more extensive compromises. The best defense against phishing is to implement a technological solution – a spam filter – to prevent phishing emails from reaching inboxes. If phishing emails are blocked at the email gateway, they will not arrive in inboxes where they can fool employees.

End-user training is also important, as no spam filter will block all malicious emails. A recent large-scale study has been conducted to determine whether end-user training and phishing warnings are effective, how vulnerability to phishing attacks evolves over time, which employees are most likely to fall for a phishing scam, and whether employees can actually play an important role in phishing email detection, The results of the survey are interesting and provide insights into susceptibility to phishing attacks that can be used by businesses to develop effective employee training programs.

The study was conducted on 14,733 participants by researchers at ETH Zurich and over a period of 15 months and involved another company sending phishing email simulations to see who opened the messages and who clicked on links in the emails. The employees that were tested had no knowledge that simulations were being conducted to make the simulations closely mirror real-world phishing attacks.

There were notable differences in susceptibility to phishing attacks with different age groups, with younger employees more likely to respond to the phishing emails than all other age groups. 18- and 19-year-olds were by far the most likely age group to fall for phishing emails, with the over 60s the least likely. From ages 20 to 59, the percentage of dangerous actions taken in response to phishing emails increased for each age group, with 20- to 29-year olds the least likely to take dangerous actions.

Individuals who are not required to use computers for their day-to-day jobs might be considered to be most at risk of falling for a phishing scam, but that was not the case. Infrequent computer users were the least likely to fall for the scams followed by frequent users, with individuals who use specialized software for repetitive tasks the most susceptible to phishing emails.

In this study, men and women were found to be equally susceptible to phishing emails across the entire study. This contrasts with several other studies that suggest there is a gender bias, with women less likely to fall for phishing scams than men. However, there were differences between the genders when combined with the frequency of computer use data. Men who use specialist software to automate tasks were the most likely to fall for phishing emails, followed by women who used specialist software, then women who are frequent users of computers, and men who are infrequent users. Female infrequent users were the least likely to fall for phishing scams.

The study confirmed the findings of several others in that some individuals are prone to respond to phishing emails. After responding to one simulated phishing email they would go on to respond to more. 30.62% of individuals who clicked on one phishing email were repeated clickers, and 23.91% of individuals who took dangerous actions such as enabling macros in email attachments did it on more than one occasion. These findings show the importance of conducting phishing email simulations to identify weak links who can receive additional training.

Phishing simulations are often conducted by businesses to test the effectiveness of their training programs, but one notable finding was that voluntary training when a simulated phishing email attracted a response was not effective. In fact, not only was this not effective, it appeared to make employees even more susceptible to phishing emails.

Another interesting finding related to adding warnings to emails. When warnings about potential phishing emails, such as emails coming from an external email address, were included in emails, employees were less likely to be duped. However, the lengthier the warning, the less effective it is. Detailed warnings were less likely to be read and acted upon.

When a phishing email reporting option was added to the mail client, employees often reported phishing emails. This feature involved a phishing email button that sent a warning to the IT team. There did not appear to be any waning of reporting over time, with employees not appearing to suffer from reporting fatigue. A few reports would be submitted within 5 minutes of an email arriving, around 30% of reports were within 30 minutes, and over 50% came within 4 hours. The reports could give IT security teams time to take action to remove all instances of phishing emails from the mail system or send warnings to employees.

What the study clearly demonstrated is that even employees who are adept at identifying phishing emails are likely to fall for one eventually, so while security awareness training is important, having an effective spam filtering solution is vital. Even individuals who were regularly exposed to phishing emails were eventually duped into clicking a phishing link or taking a dangerous action. Across the entire study, 32.1% of employees clicked on at least one dangerous link or opened a potentially dangerous email attachment.