Time of Day: When Are We Most Vulnerable?
Higher Failure Rates After Work
According to our data, employees are 2X more likely to click on a phishing link (instead of reporting it) outside of normal business hours. When people check emails in their downtime, they’re often more relaxed or distracted, lowering their guard against suspicious messages. During weekends, that vulnerability appears to double as well. This effect is potentially tied to users being less “work-focused” and more casual in their email screening.
Business Hours: Absolute Click O' Clock
Paradoxically, despite the relative risk being higher after hours, organizations see up to 10X more phishing clicks during standard working hours in absolute terms. This is likely because more employees are actively working and engaged with email during the day, creating more total opportunities for a malicious link to be clicked. From an organizational perspective, phishing-based breaches are therefore significantly more likely to occur between 9 a.m. and 5 p.m.
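Both measurements can be reproduced from an organization's own phishing-simulation results. The following is an added example, not Hoxhunt's code or data: the business-hours window, the `click_share` metric (clicks divided by clicks plus reports) and the sample records are assumptions, with the records constructed so the two ratios are easy to follow.

```python
from collections import Counter
from datetime import datetime

def bucket(ts):
    # Assumed definition: Mon-Fri 09:00-16:59 in the recipient's local time.
    return "business" if ts.weekday() < 5 and 9 <= ts.hour < 17 else "after_hours"

def summarize(events):
    """events: (ISO local timestamp, outcome) pairs; outcome is 'click' or 'report'."""
    counts = Counter()
    for stamp, outcome in events:
        if outcome not in ("click", "report"):
            raise ValueError(f"unknown outcome: {outcome!r}")
        counts[bucket(datetime.fromisoformat(stamp)), outcome] += 1
    summary = {}
    for window in ("business", "after_hours"):
        clicks, reports = counts[window, "click"], counts[window, "report"]
        total = clicks + reports
        summary[window] = {"clicks": clicks, "reports": reports,
                           "click_share": clicks / total if total else None}
    return summary

def compare(summary):
    biz, off = summary["business"], summary["after_hours"]
    if not biz["click_share"] or not off["clicks"]:
        return None  # too little data in one window to form a ratio
    return {
        # Per-interaction risk: how much likelier a click is after hours.
        "relative_risk_after_hours": off["click_share"] / biz["click_share"],
        # Raw volume: how many more clicks land inside business hours.
        "absolute_click_ratio_business": biz["clicks"] / off["clicks"],
    }

# Constructed sample (not real measurements): a Tuesday and a Saturday.
SAMPLE = (
    [("2024-03-05T10:15:00", "click")] * 40
    + [("2024-03-05T14:30:00", "report")] * 160
    + [("2024-03-05T21:05:00", "click")] * 3
    + [("2024-03-09T11:00:00", "click")] * 1
    + [("2024-03-09T11:20:00", "report")] * 6
)

if __name__ == "__main__":
    print(compare(summarize(SAMPLE)))
```

Timestamps must already be in each recipient's local time; bucketing UTC values for a distributed workforce would misplace events across the business-hours boundary.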
"Humans are biologically wired to be good at problem solving tasks in the morning. We're bad at solving problems in the afternoon and evening... I looked at historical data from 30,000 phishing simulations I sent and plotted it on a time of day chart... and found that people are 8-10 times more likely to click on a phishing message in the afternoon than in the morning. This is that biological wiring that we have at work." -- George Finney, CISO of the University of Texas System | 10:40 - 11:07
Morning vs. Afternoon Reporting
Our research also showed that 10% more phishing emails are reported in the morning than in the afternoon. Early in the workday, employees may feel fresher and more alert, catching suspicious emails before they get buried in the hustle and bustle of post-lunch work. A slight energy slump or heavier workload in the afternoon could make employees less vigilant about carefully examining each incoming message.
"It's likely that depleted mental energy reserves after work, as well as context switching, make us less vigilant," said Maxime Cartier, Head of Human Risk at Hoxhunt.
Desktop vs. Mobile: iClick 4
Higher Risk on Phones
When employees read and engage with emails on their phones, they’re 4X more likely to click on a phishing link instead of reporting it. The smaller screen and streamlined interface on mobile devices can make it harder to spot subtle red flags like suspicious sender addresses or odd formatting. Additionally, the convenience of phone use often means people glance at emails in passing, rather than assessing them with a critical eye.
Successful Reporting Behavior
The likelihood of detecting and reporting phishing attacks is 24X higher on desktop than on mobile. This gap could stem from desktop workflows making it easier to access and use reporting tools integrated into email clients, or simply from better visibility and focus on a larger screen.
"Based on these findings, additional training for heavy mobile users might be a good idea. However, it should also be a signal for Apple and Google to step up their game when it comes to email-and-link user interfaces. It's no wonder it's harder to identify a phish on our phones: the sender's email address is often not displayed on a phone screen, and many people do not know how to preview a link before clicking on it when using their phone." -- Maxime Cartier, Head of Human Risk at Hoxhunt
Insights and Recommendations
- Tailored Awareness Sessions: Educate employees on the heightened risk outside of standard working hours, encouraging them to double-check the legitimacy of emails opened at night or on weekends.
- Promote Desktop Review: Where feasible, nudge teams to review suspicious emails on desktop rather than mobile. Provide clear, easily accessible reporting tools across both device types.
- Morning Peak Strategy: Capitalize on the higher morning reporting trend. Send “phishing tip” reminders around the start of the workday and empower early risers to continue good habits throughout the afternoon slump.
- Automated Alerts: Consider setting up automated monitoring or AI-driven alerts that flag suspicious messages more aggressively after hours, when employees are more prone to errors.
- Encourage Consistency: Gamify the reporting process, rewarding quick, accurate threat identification regardless of time or device. Behavioral science shows that positive reinforcement fosters habit formation.
The sophistication and sheer volume of phishing attacks have increased exponentially in the age of AI.
By recognizing that people engage differently with email based on time of day and device type, organizations can adapt their training and response strategies accordingly. Combining targeted phishing training with user-friendly reporting workflows can raise vigilance when it’s needed most, ultimately reducing human cyber risk and building a healthier security culture.