Digital natives more likely to fall for phishing attacks at work than their Gen X and Boomer colleagues

SailPoint survey finds that younger workers also are more likely to use company email addresses for online shopping and subscriptions.


A new Trust Issues survey found that Gen Z and Millennials should follow the example set by their elders to develop better cyber hygiene habits at work. This SailPoint survey asked 500 U.S. workers about how they use email and deal with phishing attacks.

The survey asked how respondents reacted to a suspicious-looking email with a link or an attachment. Forty-six percent of Gen Z respondents said they would open the link or attachment, compared to just 1% of Boomers, 4% of Gen X and 29% of Millennials who also would take the bait.

SailPoint CISO Heather Gantt-Evans said digital native generations have a different comfort level with what they engage with and post online, compared to people who can remember the days of dial-up or even no internet access at all.

"Spending the majority of their time watching, tapping and swiping, digital natives are likely to have more identities or accounts — social media, emails, streaming accounts, etc. — and each of those identities likely has hundreds if not thousands of followers, making those types of accounts a bad actor's dream," Gantt-Evans said. 

The survey found that a majority of Gen Z (77%) and Millennial (55%) respondents use corporate email addresses for their social media logins, compared to just 15% of Gen X and 7% of Boomers. Almost 30% of all workers said they use their company email for online shopping.


Gantt-Evans said using corporate email for personal business can create entry points for bad actors into corporate infrastructure. 

"If credentials are compromised and a corporate account is taken over, the fallout from that point could be catastrophic," she said. "Once threat actors are able to open a doorway, they can quickly establish footholds, harvest data and deploy malware."

Using a work email for social media or streaming accounts can be a bad choice for the employee too, Gantt-Evans said.

"If you change jobs, and you have attached your work email to personal accounts, if those accounts become compromised, account recovery will be much harder, if not impossible, as those email addresses likely no longer exist," she said. 

Gantt-Evans said that the best way to strengthen cybersecurity is to follow basic cyber hygiene practices while also planning for the possibility of falling victim.

Gantt-Evans recommends implementing the following tactics to mitigate the risk of phishing and other common attacks:

  • Limit Remote Desktop Protocol use and ensure it is behind VPN with MFA
  • Establish email hygiene, browser isolation and endpoint detection and response capabilities 
  • Conduct regular phishing awareness training with regular phishing tests
  • Use "external" markers in the subject line for emails from outside the organization
  • Add a phish report button to email clients
  • Patch all software in a timely manner and ensure software centers and golden images have up-to-date versions

The market research company Dynata conducted this survey of 500 U.S. workers employed by companies with 2,500+ employees on behalf of SailPoint.


By Veronica Combs
