carbonite logo

Commonly searched topics:

backupcloud backupaccount sign in

Article · Oct 3, 2019

Hook, line and sinker: Why phishing scams work


They are warned, trained, tested and retested, and yet employees across the world continue to take the bait on phishing scams.


There are myriad reasons, but pressure at work and the desire to please higher-ups seem to be driving factors. That’s according to results from a recent survey by Webroot in partnership with Wakefield Research.

Here are some key statistics the survey uncovered:

  • Employees receive an average of 52 emails at work every day
  • 60% of respondents said they are likely to prioritize an email from their boss when it comes to opening emails
  • 49% of respondents admitted to clicking on messages from unknown senders while at work
  • Of those messages, 74% were emails
  • 48% have had their personal or financial data compromised as part of a breach or hack

The report titled Hook, line and sinker: Why phishing attacks work, surveyed 4,000 office workers across the U.S., U.K., Australia, and Japan on their phishing knowledge and clicking habits. The report is punctuated with insights from Cleotilde Gonzalez, research professor in the Department of Social and Decision Sciences at Carnegie Mellon University, and anecdotes from Webroot’s MSP partners on what makes people click on phishing emails.

Why workers click on phishing emails

As work-life balance becomes a blur, employees often use personal email for work and vice-versa. A message from your boss in your personal inbox therefore might not raise a red flag. Work pressure also have employees working late nights (when they aren’t fully rested) or early mornings (when they aren’t fully awake) which make them more susceptible to clicking on phishing scams.

Cybercriminals also take advantage of employees’ eagerness to accommodate their supervisor’s requests, which leads to workers failing to verify requests for purchases or sensitive information from higher-ups.

Phishing scams are attempts by cybercriminals to trick you into divulging your personal information like login credentials, bank account numbers and credit card numbers. As these attacks become more sophisticated and continue to thrive as a major security nightmare for businesses of all sizes, here are some other factors that make people click:

  • Volume of emails received at work. Given the high volume of emails employees receive at work, coupled with the demand for efficiency, they often lack the time to scrutinize each one of them. This in turn makes them susceptible to phishing attacks.
  • Better spam filters. Because spam filters are getting better at sifting out phishing emails, it tricks employees into believing there’s a lower risk of being phished. A phishing email may therefore appear legitimate.
  • Overconfidence around phishing awareness. While 79% of respondents claimed that they can distinguish a phishing message from a genuine one, majority of respondents failed to identify app notifications as a possible phishing vector. Employees are more likely to recognize email as a phishing vector (81%) compared to app notifications (40%) and can be duped to fall for phishing attempts by clicking on push notifications disguised as legitimate messages.
  • The shame game. While less than 10% respondents surveyed admitted to opening messages claiming to contain nude photos, it is an effective lure to get people to click on phishing links. Some phishing emails also try to trick users into believing that their webcams were hacked.

Investing in effective endpoint security and security awareness training is imperative for businesses to protect against threats like phishing.


Mekhala Roy

Mekhala Roy is a writer on the Corporate Marketing team at Carbonite. A former journalist, she blogs about Carbonite happenings and cybersecurity.

Related content