Who Falls for Phish? A Demographic Analysis of Phishing

Article Source: ACM Conference on Human Factors in Computing Systems (CHI 2010), 2010
Written By: Julie Downs, Mandy Holbrook, Ponnurangam Kumaraguru, Steve Sheng




This paper presents research on how gender, age, and availability of educational materials affect responses to phishing.


Policy Relevance:

Educating users about the potential risk of phishing attacks is one way to lower the risk of users unintentionally disclosing private information on the internet.


Key Takeaways:
  • Phishing is a process in which scammers send emails and other messages to individuals in order to con them into providing their login credentials and personal information.
  • Research shows that people are vulnerable to phishing for several reasons:

    • People tend to judge a website’s legitimacy by its “look and feel,” which attackers can easily replicate.
    • Many users do not understand or trust the security indicators in web browsers.
    • Awareness of phishing does not reduce a consumer’s vulnerability.
    • The perceived consequences of phishing do not predict users’ behavior.
  • In this study, subjects were recruited to take a test that measured their susceptibility to phishing before and after an educational training session.
  • The study suggested that some demographics are more vulnerable to phishing than others.

    • Women appear to be more susceptible than men to phishing.
    • People between the ages of 18 and 25 are more susceptible than other age groups.
  • Following phishing education, there was a forty percent drop in susceptibility. However, some training material decreased users’ tendency to click on legitimate links as well as phishing links.
  • Proper phishing education is a necessary step in helping to protect users, but even educated users fell for twenty-eight percent of phishing messages, indicating that education alone is not enough. Furthermore, the type of educational materials must be carefully structured so as to not prevent users from clicking on legitimate links out of fear.



Lorrie Faith Cranor

About Lorrie Faith Cranor

Lorrie Faith Cranor is the Director and Bosch Distinguished Professor in Security and Privacy Technologies of CyLab and the FORE Systems Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University. She also directs the CyLab Usable Privacy and Security Laboratory (CUPS) and co-directs the MSIT-Privacy Engineering masters program. She teaches courses on privacy, usable security, and computers and society.
