The 3 Reasons Employees Fall for Phishing Emails

91% of successful data breaches rely on phishing and social engineering

Despite mandatory security awareness training in many companies today due to PCI and SOX security guidelines for companies that store and process payment information, why does social engineering, particularly phishing emails, continue to be a significant security risk for companies? Furthermore, as email authorization methods such as SPF and DMARC increase in adoption to aid in combatting phishing emails, large data breaches in recents years show phishing remains a major threat. To try to answer that question we turned to research to shed some light on the topic; needless to say, there were lots of statistics attributing phishing attacks to some of the biggest data breaches of the last several years, but such a high level summary doesn’t provide us with root cause analysis or actionable insight, does it?

Research Findings

To get to the heart of the matter, we conducted our own studies and scoured through research papers on phishing from universities such as Harvard and UC Berkeley and came up with three key findings. Now putting aside any discussions on email security or anti-phishing technology, here are the three reasons employees fall for phishing emails:

  • The emails create curiosity and make an emotional connection with the reader
  • Employees don’t spend enough time to look for the cues indicative of phishing
  • Your employees are not aware of the cues indicative of phishing

Consequently, these three reasons strongly suggest that users need more training on how to identify phishing emails and be taught alternative ways to safely confirm emails they receive. On the other hand, there are proponents that debate the effectiveness of anti-phishing training and argue on the detrimental effects of putting employees on a constant state of “high-alert”. Unfortunately, until machine learning one day helps us to solve this problem of phishing once and for all, trade-offs are necessary as is the necessity for security training.


Benenson, Zinaida. “Exploiting Curiosity and Context.” Blackhat, July 2016. Web. Aug. 2016.

Dhamija, Rachna, J.D. Tygar, and Marti Hearst. Why Phishing Works. Conference on Human Factors in Computing Systems, Apr. 2006. Web. Sept. 2016.

Ollmann, Gunter. The Phishing Guide. IBM, Apr. 2010. Web. Sept. 2016.

Tally, Greg, Roshan Thomas, and Tom Van Vleck. Anti-Phishing: Best Practices for Institutions and Consumers. McAfee. McAfee, Sept. 2004. Web. Sept. 2016.

The first and only cost-effective SELF-PHISHING ASSESSMENT software for businesses.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: