In the face of online fishing, what kind of person or situation is easier to trick? A survey study may not be the same as everyone thinks.

This study was conducted by the researchers of the Zurich Federal Institute of Technology and a unknown company. The company did not inform the participants on the simulation of phishing projects. In the end, this research experiment lasted for 15 months ago, a total of 14,733 participants.

In order to test, the researchers sent a false network fishing email to the participants’ regular work email, and set an email client button to easily report suspicious emails.

The main purpose of this study is to clarify: Who is easy to fall into network fishing, how the probability of tricks can evolve over time, the effectiveness of embedded training and warnings, and whether people can help network fishing detection.

Network fishing and gender

The results show that the probability of gender differences and network fishing is not obvious, which contradicts some existing research. Instead, the study found that young people and elderly are more likely to be trick, so age is a key factor.

In addition, those who need to use computer to complete their daily work more likely to fall into the fishing trap than those who do not need to use their computer.


Repeatedly becoming individuals of network fishing email victims known as “repeated clickers”. Studies have shown that 30.62% of people open more than one network fishing email, 23.91% of people don’t only have more dangerous operations, such as submit personal-related vouchers.

An interesting discovery is that people who continue to receive online fishing mail will eventually be broken, 32.1% Click at least one dangerous link or attachment.

Safety training is estimated

The study found that the warning response to suspicious emails is effective, but as the warning message becomes more detailed and lengthy, the protective effect does not increase.

WARNING: in phishing response

In the test, the researchers have been discovered with common security practices: embedded safety training during the simulation of phishing is proven to be invalid, not only does not improve the toughness of fishing emails, but they are more likely to be Influence of phishing.

Bags have feasibility

Testing people have a “report network fishing” button on their email client to report suspicious information. The study found that 90% of people reported no more than 6 suspected mail, but some people were still very active throughout the experiment. Therefore, the researchers conclude that there is no “report fatigue” in the experiment, which indicates that the burner anti-phishing data is feasible.

Accumulated email reports with time, Source:

In such a validity of such a system, analysts studied the accuracy of feedback time and markers. User reports are 68% of the accuracy of the phishing website. If spam is also calculated, the accuracy is 79%, and the most accurate rate of the most reporters reached more than 80%. These reports were submitted after receiving, 10% was 5 minutes, 35% for half an hour.

Reports the time required for suspicious email, Source:

Suppose these numbers are applied to a company with 1,000 employees, 100 employees become the goal of online phishing activities, will receive an email of 8 -25 employee reports, with a high-accuracy report within 5 minutes, There will be more valuable reports within 30 minutes.

These findings indicate that the use of large-scale network fishing testing services can greatly reduce the threat of network fishing attacks. This will not therefore produce a larger operational work, so companies that implement public bags of fishing protection will not have too much extra burden.

Of course, online fishing is a complex topic, involving many key factors, exceeding the scope of this study, so these findings are not very suitable for rules.

However, considering that online fishing continues to play a core role throughout the modern network attack, we should further experiments on these findings to develop more effective anti-fish measures.

Reference Source: