A real world study on employees' susceptibility to phishing attacks

M. Bona, F. Paci
DOI: 10.1145/3407023.3409179 (https://doi.org/10.1145/3407023.3409179)
Published in: Proceedings of the 15th International Conference on Availability, Reliability and Security
Publication date: 2020-08-25
Citations: 13

Abstract

Phishing email attacks have been around for fifteen years, but they are still among the top security risks faced by organisations. The most common approach to mitigating these attacks is employee education and awareness. Employees' awareness of phishing attacks is achieved by embedded training that educates employees when they fall for the attack. However, the effectiveness of embedded training in workplace settings is uncertain, given the large number of employees that remain vulnerable to phishing email attacks. Similarly, the role of persuasion techniques in making employees vulnerable to phishing attacks is yet to be investigated in workplace settings. Therefore, in this paper we investigate which persuasion technique, authority or urgency, is more effective in making employees susceptible to phishing, the relation between employees' susceptibility and their demographic data, and the effectiveness of embedded training in reducing employees' susceptibility to phishing attacks. To this end, we conducted a real phishing study with 191 employees of an Italian company. We found that employees were more vulnerable to phishing attacks when the urgency principle was exploited. The study also showed no significant effect of employees' demographic data on susceptibility to phishing. Embedded training was perceived as effective by employees, but it did not reduce their susceptibility to phishing.