Tips, Tricks, and Training: Supporting Anti-Phishing Awareness among Mid-Career Office Workers Based on Employees' Current Practices

Preventing workplace phishing depends on the actions of every employee, regardless of cybersecurity expertise. Based on 24 semi-structured interviews with mid-career office workers (70.8% women, averaging 44 years old) at two U.S. universities, we found that less than 21% of our participants had any formal anti-phishing training. Much of what our participants know about phishing comes from informal sources that emphasize "tips" and "tricks" like those found in conversations with friends, news stories, newsletters, social media, and podcasts. These informal channels provide opportunities for IT professionals wishing to enhance employees' anti-phishing awareness by better aligning the delivery of expert advice with employees' current practices and desires. We provide four recommendations designed to embrace "guerrilla learning" by distributing anti-phishing educational resources across the workplace and workday in part to encourage the delivery of more accurate information in more informal and incidental ways, and greater dialogue between anti-phishing training instructors and learners.