ANALYSIS

Why People Fall for Phishing

Most defences against phishing assume the target can be taught to spot it. Awareness training, simulated-phishing programmes, and “think before you click” campaigns all rest on the same premise: with enough exposure, people learn to recognise the attack and stop falling for it. A field experiment run by researchers at the University of Florida tested that premise directly, and the results set a limit on how far recognition alone can carry an organisation.

Who clicks, and who learns to stop

The study, published in ACM Transactions on Computer-Human Interaction in 2019, sent simulated phishing emails to 158 internet users — 100 younger adults and 58 older adults — once a day for 21 days. The participants did not know the emails were part of a study. A browser plug-in recorded whether they clicked the link in each one. This was behaviour in the wild, not a survey asking people whether they would click.

Across the 21 days, 43.3% clicked at least one link, and 11.9% clicked more than one. Email by email the rates were lower, but the cumulative figure is the one that matters to a defender: give a realistic stream of phishing enough time, and close to half of a normal population engages with it at least once.

Two findings cut deeper than the headline rate. The first is who clicked. There was no simple age effect; the pattern ran along age and gender together, with older women the most susceptible group, ahead of younger men, younger women, and older men. The second is who learned. Younger users grew less susceptible as the 21 days went on — repeated exposure alone made them warier. Older users did not improve at all. Their susceptibility held steady from the first week to the third.

Which phishing lures actually work

The researchers built each email around one of seven persuasion techniques — the “weapons of influence” drawn from Cialdini and Hadnagy — and one of six life domains. Because the content varied systematically, the study could rank what actually worked rather than what people assumed worked.

Scarcity was the most effective technique by a wide margin, at a 5.3% click rate per email, followed by authority at 4.4%. Social proof was the least effective at 1.3%. The ranking also split by age. Younger users were most susceptible to scarcity and authority. Older users were the reverse: far more susceptible to reciprocation and liking, the lures built on obligation and warmth. The same email does not work equally on everyone, which is precisely why attackers profile before they write.

Topic mattered as much as technique. Emails framed around legal matters — a notice of being sued, a parking appeal, a court reference — drew a 6.7% click rate, higher than any other subject and more than six times the rate of financial emails at 1.1%. The lure that feels most obviously like a scam in the abstract, the money offer, was the one people resisted best. The one that triggers anxiety and a sense of obligation did the most damage.
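The cumulative 43.3% figure and the per-email lure rates above are two views of the same exposure. The following Python model is an added illustration, not code from the study or from this article, that converts between per-email and cumulative click probabilities and mixes a learning group with a non-learning one; treating each email as an independent trial, and the 5%-per-day learning rate, are assumptions rather than values from the paper.

```python
"""Cumulative phishing exposure from per-email click rates.

Added example, not code from the study or from this article's authors.
Each email is treated as an independent trial (an assumption; real
click decisions are correlated, so treat the outputs as illustrative).
"""


def cumulative_click_probability(per_email_rates):
    """Probability of clicking at least once across a sequence of
    emails, each with its own per-email click rate."""
    miss_all = 1.0
    for p in per_email_rates:
        miss_all *= 1.0 - p
    return 1.0 - miss_all


def implied_per_email_rate(cumulative_rate, emails):
    """Average per-email rate that produces a given cumulative
    'at least once' rate over `emails` independent trials."""
    return 1.0 - (1.0 - cumulative_rate) ** (1.0 / emails)


def expected_cumulative_rate(groups, days):
    """Population-level cumulative rate for a mix of groups.

    groups: list of (population_share, initial_rate, daily_learning);
    daily_learning is the fractional drop in a group's per-email rate
    per day of exposure (0.0 = no learning, as the older users showed).
    """
    total = 0.0
    for share, p0, learning in groups:
        rates = [p0 * (1.0 - learning) ** d for d in range(days)]
        total += share * cumulative_click_probability(rates)
    return total


if __name__ == "__main__":
    days = 21
    # Average per-email rate implied by the study's 43.3% cumulative figure.
    print(f"implied per-email rate: {implied_per_email_rate(0.433, days):.2%}")
    # Weakest and strongest lures quoted in the article, repeated daily.
    for name, p in [("social proof", 0.013), ("legal", 0.067)]:
        print(f"{name} x{days}: {cumulative_click_probability([p] * days):.1%}")
    # Constructed mix matching the study's 100/58 split: younger users
    # whose rate falls 5% a day, older users whose rate does not move.
    mix = [(0.63, 0.027, 0.05), (0.37, 0.027, 0.0)]
    print(f"mixed population: {expected_cumulative_rate(mix, days):.1%}")
```

Under the independence assumption the 43.3% cumulative figure implies an average per-email rate of about 2.7%, in line with the individual lure rates; the weakest lure repeated daily still reaches roughly a quarter of a population in three weeks, and the strongest more than three quarters.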

The phishing awareness gap

After each email, participants also rated how likely they thought they were to click a link like it. That self-rating is a measure of awareness, and it tells the most uncomfortable part of the story.

Awareness was low across the board — every category averaged between roughly 1.5 and 2.1 on a five-point scale — and it was significantly lower in older users than younger ones. The people most likely to click were the least likely to believe they would. Behaviour and self-perception came apart, and they came apart most in the group already most at risk. An organisation that measures its phishing exposure by asking employees how careful they are is measuring the wrong thing, and the error is largest exactly where the danger is.

Why targeted phishing beats trained employees

The Florida emails came from unfamiliar senders — a local farmers' market, a parking authority. Other studies have measured what happens when the sender looks familiar, and the numbers climb steeply. The same paper cites earlier work in which 72% of users clicked when an email appeared to come from a known acquaintance, and 62% of employees clicked when they believed the message came from their own IT manager.

That gradient is the whole game. Susceptibility is not a fixed trait of the employee; it rises with how well the message fits the target. A generic phishing email meets a trained, sceptical reader. An email that names the right colleague, references a real project, and arrives from a spoofed but plausible address meets someone with little reason to doubt it. The difference between those two emails is reconnaissance — the information the attacker gathered before writing. Training hardens the reader. It does nothing about the quality of the attacker's material.

Does security awareness training work?

None of this means awareness training is wasted. The younger users in the study grew more resistant on their own, and well-run programmes do lower click rates. Training is necessary. The data simply marks its ceiling.

Recognition fails in three ways that no curriculum fully closes. A large segment — older and less technical users among them — does not improve much with exposure. The people most at risk systematically underestimate their own risk, which blunts the self-vigilance training depends on. And specific, well-chosen content defeats careful people regardless of how often they have sat through the annual module; a convincing legal threat or a scarcity-framed deadline works on a target's reflexes, not their knowledge. A programme that puts training first and stops there — common in regulated sectors where the training record is the box an auditor checks — mistakes a partial control for a complete one. We have written about that training-first gap in the advisory sector specifically.

Reducing exposure: the defence that scales

If susceptibility rises with how well an attack is tailored, the most reliable way to lower it is to make tailoring harder. That means reducing what an attacker can learn before the first message is sent — the exposed personal data, the harvested corporate relationships, the breach-sourced credentials that turn a generic lure into a precise one.

This control has a property training lacks: it does not depend on every employee catching every attempt. It degrades the input to every attempt at once. A reduced footprint cannot stop a determined adversary, but it forces them back toward the generic emails that trained, sceptical people already handle, and away from the tailored ones that beat them. It is the half of the problem that sits outside the perimeter, in data brokers and leak corpora and public profiles, and it is the opening phase of the wider social-engineering process — the reconnaissance stage every later step is built from.

Awareness training raises the floor; it does not close the gap the data exposes. A Corporate Audit measures what an attacker can learn about your people and reduces it, lowering the precision of every phishing attempt before it is sent.


Sources

  • Lin, T., Capecci, D.E., Ellis, D.M., Rocha, H.A., Dommaraju, S., Oliveira, D.S., Ebner, N.C. “Susceptibility to Spear-Phishing Emails: Effects of Internet User Demographics and Email Content.” ACM Transactions on Computer-Human Interaction, 26(5), 2019. DOI 10.1145/3336141.
  • Comparison figures cited within Lin et al. 2019: Jagatic et al. 2007 (familiar-sender click rate); Halevi et al. 2015 (IT-manager impersonation); Benenson et al. 2017.
  • Verizon, 2025 Data Breach Investigations Report — human element present in 60% of breaches.
