Phishing Susceptibility Among Healthcare Workers: The Impact of Awareness, Email Type, and Location

Abstract

While attempts by malicious actors to compromise computer systems continue to increase, there have been limited success in educating corporate learners. Most corporations must rely upon firewalls, email filtering, and other tools to prevent compromises since their employees vary in prevention reliability. Recent studies have shown limited success of anti-phishing awareness corporate learning campaigns; however, these studies have mostly utilized students or individuals aware of their participation in an experiment. The current research utilized healthcare workers. Over the course of 18 months and three experiments, we evaluated if different anti-phishing awareness learning campaigns, simulated phishing email content, or the employee’s work location (remote vs. on-site) factored into their susceptibility to phishing. We found that those participants who received anti-phishing awareness interacted with the simulated phishing email less than those who didn’t receive training. Overall, an average of four percent of the workers in each experiment submitted their credentials on the fraudulent website. Our results suggest any type of anti-phishing training may provide optimal results, at least regarding anti-phishing training.