Why our brains miss red flags about phishing — and how to fix it

Multitasking impairs our ability to detect phishing threats, Professor Milena Head and her research team found. But simple cues can dramatically improve phishing detection.

By Andrea Lawson November 10, 2025

Mentally demanding tasks make it harder to shift attention and properly evaluate suspicious messages, impairing the brain’s ability to notice subtle warning signs that something might be off.  


Why do we fall for phishing scams even when we know better? The answer ties into how our brains function under pressure.

“Phishing risk is not just about poor training. It is about how human cognition works under real-world pressure,” explains Milena Head, professor of Information Systems at the DeGroote School of Business.

In a recent study, Head and her research team explored how multitasking and cognitive overload impair our ability to detect phishing threats. People’s ability to spot suspicious messages dropped significantly when they were mentally stretched with tasks like data analysis or rapid app switching, they found.

The study also found that simple, well-timed cues, like pop-up reminders or subtle interface changes, can dramatically improve phishing detection.

Head explains more about the study, how our brains ignore red flags, and how to address it.

Why are people more vulnerable to phishing scams when multitasking, and what does your research reveal about how our brains process these threats? 

When we multitask, our mental resources become stretched, making it harder to focus. For instance, if we are deeply engaged in tasks like analyzing data, writing a report, or browsing the web, and a phishing email arrives, our ability to detect it accurately can drop significantly.

The more mentally demanding the task we’re working on (referred to as high working memory load), the harder it is to shift our attention and properly evaluate the suspicious message.

Our study shows that high working memory load during multitasking impairs the brain’s ability to notice subtle warning signs that something might be off.

In these moments, we are more likely to miss red flags in phishing emails and click on malicious links without questioning their legitimacy.


Your study found that simple cues can improve phishing detection. What might these cues look like in real-world settings?

Goal activation cues are small, timely reminders that bring the “think before you click” mindset back to the forefront right before someone interacts with a suspicious message.

In everyday environments, this could include:

  • Pop-up reminders: A brief message like “Be cautious! This email might be suspicious” that appears when opening emails.
  • Nudges during multitasking: Systems that detect when users are multitasking (e.g., rapidly switching between apps) or working on complex tasks. In those circumstances, when users shift to checking email or responding to a pop-up message, a gentle prompt can remind them to stay alert.
  • Visual cues: Subtle interface cues, like a colour change, warning icon, or sound notification, can signal that a message might be suspicious.

Our research shows these cues are most effective when delivered just in time, especially during high workload moments when users are most distracted.

Rather than adding more information, these cues work by reactivating the mental goal of phishing detection, helping users refocus and make safer decisions.


How does the framing of phishing messages affect our ability to spot them? 

Phishing messages often use gain framing (e.g., “Claim your reward!”) or loss framing (e.g., “Your account will be locked!”) to manipulate recipients.

Loss-framed messages tend to trigger stronger self-protection instincts and vigilance, making people more likely to recognize them as suspicious. In contrast, gain-framed messages are less likely to raise immediate concern, which makes them harder to detect, especially when people are multitasking and under high cognitive load.

Our research shows that goal activation cues are particularly effective for gain-framed phishing emails. Because these messages don’t naturally prompt suspicion, a timely reminder, like a security nudge or visual cue, can help users refocus and engage their phishing detection mindset before clicking.


What practical advice would you give to organizations trying to reduce phishing risks? 

Organizations should design security interventions that reflect the realities of multitasking in the workplace. Based on our research, we recommend four key strategies:

Train in realistic conditions: Most security training assumes users are focused and free from distractions, but in reality, employees often face interruptions and cognitive overload. Training should simulate phishing scenarios during busy moments, such as task switching or right after meetings, rather than in ideal, distraction-free settings.

Use lightweight, context-aware reminders: Implement small, timely goal activation cues (e.g., short prompts, icons, or alerts) that nudge users to refocus their attention at critical moments.

Tailor cues to message type: Gain-framed phishing messages (e.g., “Claim your reward!”) tend to lower users’ guard. These messages benefit most from extra reminders that prompt caution.

Encourage “distraction shielding”: Help employees build habits of pausing briefly before clicking links or responding to urgent emails, especially when multitasking.

Our study shows that phishing risk is not just about poor training. It is about how human cognition works under real-world pressure.

Effective security interventions should avoid overwhelming users with constant alerts and instead focus on precision: helping people refocus their attention at the exact moments when they are most likely to slip into autopilot.
