Interesting news item from Carnegie Mellon's Cylab. Each year, tens of millions of phishing emails make it to employees' inbox, not caught by spam filters. Of the ones that make it through, millions slide past your user's judgment and are clicked and opened. A recent study revealed just how likely users are to take the bait.

“Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems,” says Casey Canfield, a CyLab researcher from Carnegie Mellon’s Department of Engineering and Public Policy.

In the study, on average participants were only able to correctly identify just over half of the phishing emails presented to them. Fortunately, participants displayed a little more caution when it came to their behavior: roughly three-quarters of the phishing links were left un-clicked.

Based on the results, the authors of the study suggest interventions such as providing users with feedback on their abilities and emphasizing the consequences of phishing attacks. One effective training method that companies commonly use, Canfield explains, is sending out fake phishing emails and teaching a user about phishing emails if they open the email. 

“It seems like those trainings may not always be making people better at telling the difference, but it’s probably making them more cautious,” Canfield says. “Helping people tell the difference may not be as useful as just encouraging them to be more cautious.”