A recent study by Carnegie Mellon University and Ben-Gurion University reveals that mobile device users are less likely to fall prey to phishing attacks than PC users, exhibiting “more risk-avoidant” behavior.
The study’s findings are significant given the prevalence of phishing attacks. According to the FBI’s 2024 IC3 report, phishing was the leading cyber complaint, with 193,407 out of 859,532 total complaints, resulting in losses exceeding $70 million for organizations.
To understand the differences in user behavior, researchers analyzed nearly 500,000 anonymized URL requests from mobile devices and PCs over one week in 2020. The initial analysis showed a “positive and significant relationship between mobile device and the safety level of the target URL,” indicating that mobile users tend to navigate to safer websites.
The researchers then ran further experiments with Amazon Mechanical Turk (AMT) workers, in which participants performed an image-tagging task while being interrupted by a simulated phishing pop-up. The results showed that mobile users were 2.67 times more likely than PC users to avoid clicking on malicious links within the pop-up. A follow-up experiment reinforced this finding, indicating that mobile users were 4.43 times more likely to avoid phishing attempts altogether.
The study’s authors suggest that mobile users’ risk avoidance stems from a different approach to risk assessment: they tend to avoid risk altogether rather than carefully evaluate potential dangers. This behavior is attributed to the “mobile state of mind,” characterized by being on the go and experiencing a higher cognitive load, leading to a more cautious approach to online interactions.
In contrast, PC users, who typically interact with larger screens in less cognitively demanding environments, may be more likely to accept risks. This difference in behavior highlights the need for tailored security strategies. Naama Ilany-Tzur, a research co-author and Carnegie Mellon professor, suggests that organizations should consider lowering alert thresholds for PC users and enhancing protection mechanisms specifically for PC devices.
By providing faster and more frequent alerts, organizations can better protect their PC-using employees from phishing attacks. Ilany-Tzur notes, “The danger lurks when we are at ease, not when we are on edge,” suggesting that a heightened state of awareness, even if driven by a busy mobile lifestyle, can inadvertently contribute to better security practices.




