A recent study conducted by Carnegie Mellon University and Ben-Gurion University indicates that mobile device users exhibit a greater tendency to avoid clicking on potentially malicious links compared to their PC counterparts. This research highlights the importance of tailored cybersecurity strategies for different devices.
The study’s findings are particularly relevant in light of the increasing prevalence of phishing attacks. Phishing was identified as the top cyber complaint reported to the FBI in 2024, according to the agency’s most recent IC3 report. The report documented 193,407 phishing complaints out of a total of 859,532 complaints, resulting in losses of just over $70 million ($70,013,036).
To investigate the differences in user behavior across devices, researchers analyzed anonymized URL requests collected from a cybersecurity network-protection startup. This dataset comprised just under 500,000 URL requests from mobile devices and PCs over a one-week period in 2020. The analysis revealed “a positive and significant relationship between mobile device and the safety level of the target URL,” suggesting mobile users were making safer choices.
The research extended beyond observational data through controlled experiments. Researchers recruited participants from the Amazon Mechanical Turk (AMT) platform. These AMT workers were tasked with performing an image-tagging activity while simultaneously being interrupted by a simulated phishing pop-up message. The experiment was designed to mimic real-world scenarios where users are faced with unexpected and potentially malicious links.
The results of the AMT experiment demonstrated a significant difference in behavior between mobile and PC users. Specifically, mobile users were found to be “2.67 times more likely than PC users to show risk-avoidant behavior.” This means that mobile users were significantly more inclined to avoid clicking on the malicious links presented in the pop-up messages. A secondary experiment reinforced these findings, revealing that mobile users were 4.43 times more likely than PC users to avoid phishing attempts.
The study suggests that mobile users aren’t necessarily making better decisions about which links to click, but rather are avoiding making a decision altogether. The report concludes, “Mobile users address the higher cost of risk assessment by avoiding the risk rather than by succumbing to it.” This implies that mobile users are more likely to err on the side of caution, even if it means missing out on legitimate content.
Researchers proposed several potential explanations for this difference in behavior. One hypothesis centers on the “mobile state of mind,” suggesting that individuals using mobile devices are often on the go and experiencing a higher “cognitive load.” Carnegie Mellon professor and research co-author Naama Ilany-Tzur explained, “When you’re loaded, or even overloaded, you will tend to avoid making decisions.”
The smaller screen size and more constrained environment of mobile devices may also contribute to the difficulty of risk assessment. Conversely, PC users “are interacting with a larger screen and are in an environment that is less cognitively constraining, culminating in a greater likelihood of accepting the risk,” according to the research.
Given these findings, Ilany-Tzur suggests that organizations consider adjusting their cybersecurity strategies to account for the different risk profiles of PC and mobile users. “I would say alerting people faster or more often, or lowering the threshold of the alert mechanisms would be a general strategy to start handling the situation,” she told IT Brew. She also recommended “enhancing protection mechanisms specifically for PC devices” in a follow-up email.
The study highlights the importance of understanding user behavior across different devices and tailoring cybersecurity measures accordingly. As Ilany-Tzur stated, “The danger lurks when we are at ease, not when we are on edge,” emphasizing the need for constant vigilance, especially among PC users who may be more susceptible to phishing attacks.