Phishing is a serious threat to any organization allowing their employees to use messaging systems and computers connected to the internet. Consequently, researchers have undertaken a large number of studies to identify the variables that determine this threat, i.e. variables that influence users' susceptibility to phishing emails. This paper presents a meta-analysis of the findings in 48 papers describing field experiments. The mean susceptibility rate to phishing emails across all studies and measurements was 21 percent. A majority (116 of 140) of the association tests reported, concerned variables related to the recipient. Most of these reported insignificant results. Both relative risks and association tests showed that technical warning systems, email personalization, training, and the use of established deceptive tactics influence the susceptibility rate. The type of scam as such also appears to be important, with some types of scams being orders of magnitude more successful than other types. Many of the results had limitations in control and sampling, which may explain unexpected and contradictory results.