article featured image


Researchers from ETH Zurich conducted a study to investigate who is more prone to fall victim to phishing cyberattacks in a corporate context. The study involved 14,733 participants and was extended to a period of 15 months. The experts collaborated with a certain enterprise whose name was not revealed and the participants were not informed that a simulated phishing program was taking place.

How Did the Phishing Study Unfold?

Participants received phishing e-mails sent to their work e-mail addresses. The experts also deployed an email client button. The “Report Phishing” button had the role to let participants report dubious e-mails.

According to the study, six or fewer suspicious e-mails were reported by 90% of the employees, detecting a so-called “reporting fatigue” tendency. They also analyzed the reaction time and the flagging accuracy resulting in 68% accurate reports for phishing emails.

We can observe that the reaction time of the employee base as a whole is fast: on average around 10% of the reports arrived within 5 minutes; 20% within 15; and 30% to 40% within 30 minutes. (..) To apply these numbers to a hypothetical company of 1,000 employees where 100 of them are targeted by a phishing campaign, we would have between 8 and 25 reports of the email by employees—of which one within 5 minutes with high probability, and a larger number within 30 minutes.


Which Were the Goals of the Study?

The study under discussion focused on 4 aspects: which employees are prone to fall victims to phishing, how the vulnerability develops over time, what effects have trainings and warnings over participants, and whether there’s a way employees can be involved in the phishing detection process.

Who Falls Victim to Phishing Attacks: the Study Results

Many findings of this study contradict other studies: for instance, phishing susceptibility does not have a relation with gender. Instead, the study reveals that age might be an important factor in this case, as the experts found that younger and older people are more likely to click on phishing emails.

Additionally, there’s a difference between those who don’t need a computer for work on a daily basis and those who need specialized software to do tasks that are repetitive, as the second category is more prone to be tricked by phishing attempts.

Another thing to mention is that 32,1 % of the participants clicked on at least a malicious link or a dubious attachment, showing that employees who are ceaselessly targeted by phishing will in the end fall victims to it.

A new finding of the study also stressed the effectiveness of warnings related to e-mails considered suspicious and the fact that the detailed character of the warning message did not have any effect on its efficacity’s growth.

Interestingly, contradicting prior research results and a common industry practice, we found that the combination of simulated phishing exercises and voluntary embedded training (i.e., employees were not required to complete the training) not only failed to improve employee’s phishing resilience, but it actually even the made employees more susceptible to phishing.


How Can Heimdal™ Help?

One of the conclusions of this phishing study is without a doubt that effective email security and anti-phishing filters are essential for a company to fight against phishing attempts. In this sense, Heimdal™ has two products that will successfully cover these needs: one is the Heimdal™ Email Security Solution and the other is the Heimdal™ Email Fraud Prevention Product.

The Email Security solution offers cloud and on-premises protection keeping mail-delivered threats and supply chain cyberattacks away through its efficient proprietary e-mail threat prevention. Being more than a common spam filter, this product brings together human expertise and Threat intelligence that work on scanning every email for impersonation, data leaks, and more.

Email Fraud Prevention focuses on Business Email Compromise (BEC) and CEO Fraud through its 125 analysis vectors, so your email accounts and business assets are well safeguarded.

If you liked this article and you crave more cybersec knowledge, then don’t forget to follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo