So, you’re always on your phone. That just means you’re tougher to phish.
A study from Carnegie Mellon University in Pittsburgh and Ben-Gurion University of the Negev, Israel, suggests mobile device users are “more risk-avoidant than PC users” and tend to be less likely to open potentially risky messages.
The findings are a reminder for IT pros that they must keep their PC-using employees, in particular, on the edge of their computer chairs and in the know about possible threats.
“I would say alerting people faster or more often, or lowering the threshold of the alert mechanisms would be a general strategy to start handling the situation,” research co-author and Carnegie Mellon professor Naama Ilany-Tzur told IT Brew.
What’s the situation exactly? Phishing led all cyber-specific complaints in 2024, according to the FBI’s most recent IC3 report. The threat accounted for 193,407 out of 859,532 total complaints filed with the agency, and cost orgs a total of $70,013,036.
Testing, testing. With records obtained from a cybersecurity network-protection startup, Ilany-Tzur and Ben-Gurion’s Lior Fink reviewed just under 500,000 anonymized URL requests made by mobile devices and PCs during one week in 2020. The team found “a positive and significant relationship between mobile device and the safety level of the target URL.”
Later, the researchers recruited workers from the Amazon Mechanical Turk (AMT) platform to perform an image-tagging task—while being interrupted with a pop-up phishing message. The test showed that mobile users were “2.67 times more likely than PC users to show risk-avoidant behavior,” or to avoid clicking the pop-up’s malicious links. A second experiment determined mobile users were 4.43 times more likely than PC users to go phish.
Better safe than scammed. It’s not that people on mobile devices are making good or bad click-related decisions. It’s that they’re making no decisions—and that’s actually a good thing when it comes to phishing. “Mobile users address the higher cost of risk assessment by avoiding the risk rather than by succumbing to it,” the report concludes.
A smaller device and constrained environment, the authors say, increase the difficulty of risk assessment.
Ilany-Tzur theorizes that phone users are in a “mobile state of mind,” or on-the-go and experiencing a higher “cognitive load,” which leads to a more on-edge mindset.
“When you’re loaded, or even overloaded, you will tend to avoid making decisions,” she said.
PC users, according to the research, are “interacting with a larger screen and are in an environment that is less cognitively constraining, culminating in a greater likelihood of accepting the risk.”
Given the findings, orgs may want to consider creating lower thresholds for alerting those more risk-accepting PC users, she said, and enhancing protection mechanisms specifically for PC devices, she added in a follow-up email.
Perhaps an irrational doomscroll then has its security benefits.
“The danger lurks when we are at ease, not when we are on edge,” said Ilany-Tzur.