Harvard Business Review

How to avoid falling victim to phishing attacks, according to two hackers


Ryan Wright and Matthew Jensen have phished thousands of people over the past decade, and they’re not planning to let up anytime soon.

The two aren’t hackers angling for valuable data or funds; they’re researchers working with companies, governments, and universities around the world to understand why we so often fall for phishing attacks and what organisations can do to mitigate the threat. Corporate security departments go to some lengths to educate people about phishing, which accounts for 90% of all data breaches — but an estimated 30% of fraudulent emails are opened nonetheless. With the cost of a successful attack averaging $3.8 million, that’s an uncomfortably high share. And it could grow as cybercriminals exploit the disruption caused by the pandemic and the steep rise in employees working from home, where increased distractions may cause them to lower their guard.

Drawing on their research, Wright (the C. Coleman McGehee Professor of commerce at the University of Virginia) and Jensen (the Presidential Associate Professor of management information systems at the University of Oklahoma) have identified several ways to bolster the effectiveness of security training.

How to improve your cybersecurity training

Add a mindfulness component

Many organisations require employees to complete off-the-shelf training modules on a regular basis — often annually or biannually. That’s useful, the researchers say, for alerting people to common threats and giving them basic guidelines for evaluating incoming messages. But sheer repetition of rules-based training doesn’t necessarily increase resistance to attacks, they caution. In fact, after a point it can be counterproductive, desensitising people to the training and giving them a false sense of mastery over the lessons — which they then ignore.
