ETH Zurich, together with an unnamed company, has just completed one of the largest phishing studies with more than 14,000 participants over 15 months. This gave researchers a better understanding of who is susceptible to phishing and what solutions work.
To better combat the consequences of phishing, it is important to know the profile of the people who are susceptible to it. To this end, carried out a large-scale study involving more than 14,000 employees of the same company, on a 15 months. Participants were not aware of the study, but were told the company could test them with fake messages.
Researchers sent fake phishing emails to employees’ work addresses, which were therefore mixed with legitimate emails as well as regular spam messages. They also integrated a button into the company’s email software that allowed for suspicious emails to be flagged. They were able to portray the people who interact with malicious messages and those who report them.
Younger people more susceptible to phishing
Unlike previous research, the study found no correlation between gender and susceptibility to. The authors attribute the previous results to a bias in the gender distribution of work. However, they discovered that it is first of all the youngest (18-19 years old) who click on the , with a clear decrease for 20-29 year olds. The number of dangerous actions recorded then increases up to the age of 60, after which it drops suddenly.
Employees who used specialized software were more likely to click on fraudulent messages, which qualifies the assumption often used in studies that only the time of computer use is sufficient to determine the level of computer literacy. In the end, just over 32% of employees ended up clicking at least once on a link or attachment during the 15 months of the study.
Collaborative tools are effective
The researchers also studied the effectiveness of measures against. For some of the participants, the email software displayed a short message at the top of the fake email, similar to that of indicating that he had the suspect. Others saw a more detailed message, and a third group had no warning. The presence of a warning divides the number of interactions with the email by three, but a more detailed notification is not more effective.
Half of those who clicked on an emailwere redirected to a voluntary training page against , a common practice in companies to train their employees against phishing. Oddly enough, the exercise was counterproductive, as those who participated were more susceptible to unwanted messages afterwards.
The last result is particularly interesting because it concerns the reports of unwanted messages. Just five minutes after sending a series of emails, researchers had already received 10% of reports, and 30% within half an hour. In addition, they found no decrease in the number of reports during the 15 months of the study. This means that a company can set up a collaborative tool to detect phishing campaigns, which will be effective and, and will not take a lot of employee time.
What you must remember
- The youngest employees are the most susceptible to phishing.
- Practices against phishing after clicking on a fraudulent message are counterproductive.
- Collaborative tools can be a solution to reacting to phishing campaigns quickly.