Using administrative data on phishing attacks targeting almost 150,000 Italian- and German-speaking customers of an Italian bank in 2022–23, we investigate how individual characteristics are associated to the likelihood of victimization. We find that younger customers and Italian speakers are more likely to be victims of phishing, while we find no differences in terms of gender or size of the place of residence.

Time-inconsistent internet users neglect future privacy costs and release too much data to digital firms. We study how regulation that requires user consent for data processing affects firm profits, user surplus, and welfare, depending on the degree of time inconsistency and on firms' business models. If the firm appropriates sufficiently high profits from data, consent mechanisms increase welfare only if their design facilitates consent refusal and time inconsistency is neither too high nor too low. If firms can make it difficult to opt out, it may be better for society to let the former choose the disclosure level. However, consent policies increase user surplus when time inconsistency is high. Voluntary caps on usage can raise profits by making some users disclose more data.