Spear phishing in organisations explained

Research output: Contribution to journalArticleAcademicpeer-review

19 Citations (Scopus)
3 Downloads (Pure)


Purpose - The purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient.

Design/methodology/approach - Two types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing email opening was randomly used in half of the emails.

Findings - Nineteen per cent of the employees provided their PII in a general phishing email, compared to 29 per cent in the spear phishing condition. Employees having a high power distance cultural background were more likely to provide their PII, compared to those with a low one. There was no effect of age on providing the PII requested when the recipient's years of service within the organisation is taken into account.

Practical implications - This research shows that success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns to maximise their effect.

Originality/value - The innovative aspect relates to explaining spear phishing using four sociodemographic variables.

Original languageEnglish
Pages (from-to)593-613
Number of pages21
JournalInformation and Computer Security
Issue number5
Publication statusPublished - Jul 2017


  • Age
  • Culture
  • Gender
  • Spear phishing
  • Years of service


Dive into the research topics of 'Spear phishing in organisations explained'. Together they form a unique fingerprint.

Cite this