A recent study conducted by Carnegie Mellon University and Ben-Gurion University suggests that mobile device users are less susceptible to phishing attacks compared to their PC counterparts. The research indicates that mobile users exhibit a “more risk-avoidant” behavior, making them less likely to click on potentially malicious links.

The findings are particularly relevant considering the prevalence of phishing attacks. According to the FBI’s 2024 IC3 report, phishing was the leading cyber complaint, accounting for 193,407 out of 859,532 total complaints. These attacks resulted in losses exceeding $70 million for organizations.

To investigate the differences in user behavior, researchers analyzed nearly 500,000 anonymized URL requests from mobile devices and PCs over one week in 2020. This initial analysis revealed a “positive and significant relationship between mobile device and the safety level of the target URL,” suggesting that mobile users tend to navigate to safer websites.

Further experiments were conducted using Amazon Mechanical Turk (AMT) workers. Participants were asked to perform an image-tagging task while being interrupted by a simulated phishing pop-up. The results showed that mobile users were 2.67 times more likely than PC users to avoid clicking on malicious links within the pop-up. A follow-up experiment reinforced this finding, indicating that mobile users were 4.43 times more likely to avoid phishing attempts altogether.

The study’s authors propose that mobile users’ risk avoidance stems from a different approach to risk assessment. Rather than carefully evaluating the potential dangers, they tend to avoid risk altogether. The researchers attribute this behavior to the “mobile state of mind,” characterized by being on-the-go and experiencing a higher cognitive load. This heightened state of alertness may lead to a more cautious approach to online interactions.

In contrast, PC users, who typically interact with larger screens in less cognitively demanding environments, may be more likely to accept risks. This difference in behavior highlights the need for tailored security strategies.

Naama Ilany-Tzur, a research co-author and Carnegie Mellon professor, suggests that organizations should consider lowering alert thresholds for PC users and enhancing protection mechanisms specifically for PC devices. By providing faster and more frequent alerts, organizations can better protect their PC-using employees from phishing attacks. The study underscores the importance of understanding the psychological factors that influence online behavior and adapting security measures accordingly.

Ilany-Tzur notes, “The danger lurks when we are at ease, not when we are on edge,” suggesting that a heightened state of awareness, even if driven by a busy mobile lifestyle, can inadvertently contribute to better security practices.