When are people fooled by phishing emails?

Authors:

  • Teodor Sommestad
  • Henrik Karlzén

Publish date: 2020-04-27

Report number: FOI-R--4951--SE

Pages: 22

Written in: Swedish

Keywords:

  • Phishing
  • field experiments
  • computer intrusions
  • cyber security

Abstract

Phishing is a common ingredient in contemporary computer network attacks. Among other things, attackers use it to make the initial compromise and get inside organisations' firewalls. This report summarises the results from 48 peer-reviewed publications describing field experiments where computer users have been subjected to phishing. The results show that:

  • personality is not very important,
  • the recipients' knowledge matters,
  • it matters how the scam is presented,
  • what the phisher asks for matters,
  • technical warning measures probably make a big difference.