PLoS One. 2019 Dec 18;14(12):e0224216.
doi: 10.1371/journal.pone.0224216. eCollection 2019.

Informing, simulating experience, or both: A field experiment on phishing risks

Aurélien Baillon et al.

Abstract

Cybersecurity cannot be ensured with mere technical solutions. Hackers often use fraudulent emails that simply ask people for their password in order to break into organizations. This technique, called phishing, is a major threat for many organizations. A typical prevention measure is to inform employees, but is there a better way to reduce phishing risks? Experience and feedback have often been claimed to be effective in helping people make better decisions. In a large field experiment involving more than 10,000 employees of a Dutch ministry, we tested the effect of information provision, simulated experience, and their combination on reducing the risk of falling for a phishing attack. Both approaches substantially reduced the proportion of employees giving away their password. Combining both interventions did not have a larger impact.


Conflict of interest statement

The authors have declared that no competing interests exist.

Figures

Fig 1. Percentages of subjects falling for the phishing email (whole sample).
Stars indicate significance levels for the difference between each treatment group and the control group: * p < 0.10, ** p < 0.05, *** p < 0.01.

Fig 2. Percentages of subjects falling for the phishing email (excluding division C).
Stars indicate significance levels for the difference between each treatment group and the control group: * p < 0.10, ** p < 0.05, *** p < 0.01.
