Computing Reviews
School of phish: a real-world evaluation of anti-phishing training
Kumaraguru P., Cranshaw J., Acquisti A., Cranor L., Hong J., Blair M., Pham T. SOUPS 2009 (Proceedings of the 5th Symposium on Usable Privacy and Security, Mountain View, CA, Jul 15-17, 2009), 1-12, 2009. Type: Proceedings
Date Reviewed: Jan 19 2010

The well-designed “school of phish” experiment compares to what extent three groups, of about 170 participants each, fall for phishing scams. The control group received no training, one group was trained once, and the third group received two training sessions. The results indicate that training the participants reduces the likelihood that they will fall for phishing scams.

However, even after training, the number of participants who fall for phishing scams remains large--about 20 percent. The research demonstrates that participants are equally likely to fall for the scam, regardless of their demographics. Given that all of the participants in the experiment are either staff or students at Carnegie Mellon University, one fears that individuals randomly selected from the population at large would be even more likely to fall for phishing scams.

Case studies like the one presented here are unfortunately rare in the computer science literature. The paper represents an important first step (in the sense that it assesses the likelihood of victimization) toward a scientific study of evidence-based crime prevention. One might hope that the authors will take the next step, which would be to evaluate in randomized controlled trials how effective the “school of phish” actually is in reducing crime.

This study indicates that in spite of the significant attention received from the research community to date, phishing is still a serious problem that training alone will not solve. The paper is relevant to a wide audience interested in preventing cybercrime, which includes computer scientists, criminologists, policy makers, and members of law enforcement.

Reviewer: Pieter Hartel
Review #: CR137644 (1103-0316)
Human Factors (H.1.2 ...)
Human Information Processing (H.1.2 ...)
Security and Protection (K.6.5)
User/Machine Systems (H.1.2)
 

Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®