Nothing New Here (Score 1)

This result was already pretty well known.

Jagatic and others saw this in 2007 in their work on social phishing at Indiana University.

We saw the same in our PhishGuru work at Carnegie Mellon, on training people not to fall for phishing scams in 2009.

As an aside, I know many slashdotters don't believe you can train people to protect themselves from phishing. That is the standard conventional wisdom in computer security. However, we've actually demonstrated that you can, if you make it fun, timely, and relevant. We're commercializing some micro games for security training and a service for simulated phishing attacks based on research we did at Carnegie Mellon.