Young and old people found to be most prone to falling victim to phishing

December 21, 2021

A large-scale phishing study by ETH Zurich has found that the youngest and oldest people are most likely to click on phishing links.

The study involved 14,733 participants and was conducted over a 15-month period. In order to conduct the test, researchers sent pretend phishing emails to participants’ regular work email and used an email client button that enabled them to report suspicious emails easily.

According to Bleeping Computer, the four goals of the study were to determine which employees fall for phishing, how vulnerability evolves over time, how effective embedded training and warnings are and whether employees can do anything to help in phishing detection.

The study found that gender was irrelevant when it came to understand who was most susceptible to phishing and was more to do with age. In addition, those who use specialised software for repetitive tasks are more likely to fall victim to phishing traps compared to those who do not require computers in their day-to-day work.

It was also discovered that 30.62% of those who opened a simulated phishing email also clicked on further emails, while 23.91% of those undertaking a dangerous action did it more than once.

A key finding of the study was also that employees who were continuously exposed to phishing eventually fall for it – with 32.1% of the study participants clicking on at least one dangerous attachment or link – underlying the benefit of having effective email security and anti-phishing filters in place.

While suspicious email warnings were found to have benefit, this effectiveness didn’t develop as warning messages got more detailed. Researchers also found that voluntary embedded training in simulated phishing exercises was not effective.

The research paper underlined, “Interestingly, contradicting prior research results and a common industry practice, we found that the combination of simulated phishing exercises and voluntary embedded training (i.e., employees were not required to complete the training) not only failed to improve employee’s phishing resilience, but it actually even the made employees more susceptible to phishing.”

The study found that 90% of the employees involved reported six or fewer suspicious emails, however, they remained very active throughout the experiment.