Phishing susceptibility across industries: The differential impact of influence techniques

Organizations face an increasing risk of phishing attacks, leading to potential financial losses, privacy breaches, and damage to reputation. While past research has focused on individual and organizational factors in phishing susceptibility, there is a lack of understanding related to industry differences and their impact on the phenomenon. Drawing on existing literature on persuasion and phishing, we propose that shared industry practices, values, and assumptions influence the effectiveness of phishing techniques. To test our hypotheses, we conducted two studies: a lab experiment (n = 259) and a field quasi-experiment (n = 10,967) using a secondary dataset comprising mock phishing attacks on 30 finance and 15 non-finance organizations. The results revealed varying susceptibility to phishing techniques based on industry. Consistent with our expectations, liking-based techniques were more effective among non-finance organizations, while social proof, reciprocity, and authority techniques were more effective in finance organizations. These findings contribute to resolving past inconsistencies in empirical phishing research and provide insights into the role of industry characteristics in shaping phishing susceptibility.