The assumption that younger people are more digitally-savvy and therefore better able to recognise phishing scams might seem obvious – but Digital Natives aged between 18-39 are actually the most vulnerable age group for phishing scams, according to data from SoSafe.
Based on exclusive response data from SoSafe, the results demonstrate that cybersecurity awareness remains worryingly low, with around 31% of participants clicking on at least one simulated phishing email – meaning that 1 in 3 attacks would have been successful. **
The study also revealed that email subject lines most likely to generate a click were usually based on emotional manipulation, inducing pressure, anxiety or curiosity, and appealing to authority as well as financial desires.
According to the study, younger users are more likely to click on a phishing email than any other age group, with an average click rate of 29%, while older users (aged 50+) are significantly more careful about opening emails, with an average click rate of just 19%.
Men tend to click on phishing links more often than women; nearly one in four male participants (23%) clicked on one of the phishing mails, compared to 20% of women.
Public Sector organisations (including critical infrastructure organisations such as hospitals) appear to be the most vulnerable to phishing attacks with a click rate of 36%. In contrast, the average click rate in the Manufacturing sector is only 19%. 99% of respondents say that strengthening their organisations’ security culture will be important in the coming year.
Dr Niklas Hellemann, CEO at SoSafe, explains: “Today’s sophisticated cybercriminals deploy a broad set of psychological tactics that exploit human emotions like stress, fear or respect for authority – and our data highlights why awareness of the threat landscape plays an absolutely crucial role in cybersecurity culture. Even – or especially – the ones with the highest digital literacy are vulnerable to digital threats. Investing in technological barriers is of course vital, but companies also need to act now to empower their teams to spot threats and react accordingly – otherwise tech alone is powerless to protect.”