Cyber Psychology

JK

Jul 08, 2026By Julie Kempthorne

Every time a successful phishing attack makes the headlines, the response is remarkably predictable. "Employees need more awareness training." The assumption is simple: if people knew more about phishing, they would stop clicking malicious links.

Yet despite years of awareness campaigns, phishing remains the most common entry point for cyberattacks. The problem isn't that people haven't been told what phishing looks like. Most employees can already identify the obvious warning signs.

So why do intelligent, experienced people continue to click?

The answer lies less in cybersecurity and more in behavioural science. The most successful phishing emails rarely rely on sophisticated technology. They rely on sophisticated psychology.  Phishing isn't exploiting ignorance. It's exploiting how humans make decisions.

Behavioural scientists describe two broad ways people process information. Systematic processing involves slowing down, critically evaluating information and checking whether something is genuine. It requires time, motivation, confidence and mental effort. Heuristic processing is the opposite. Instead, our brains rely on mental shortcuts to make thousands of decisions quickly and efficiently. Most of the time these shortcuts work remarkably well. They allow us to respond to emails quickly and stay productive.  

The modern workplace creates the perfect conditions for heuristic thinking: back-to-back meetings, overflowing inboxes. constant notifications, competing priorities. When we're busy, distracted, or overloaded, we rely on simple rules of thumb instead. Modern phishing attacks are designed specifically to trigger these shortcuts while preventing careful, deliberate thinking. Attackers leverage familiarity using logos, branding and trusted language. These techniques aren't random. They're carefully engineered to trigger automatic behaviour.

Trust and emotion are becoming the primary attack vectors.  Research consistently shows that phishing messages triggering strong emotions achieve significantly higher success rates. Consider familiar examples: "Your account will be suspended.", 'Urgent payroll issue', 'A colleague needs immediate help' , 'You've won a prize'. Fear, Urgency, Curiosity, Excitement, Empathy,  These messages aren't simply providing information. They're deliberately provoking emotion. The stronger the emotion, the less likely we are to slow down and verify. Behavioural scientists refer to this as the affect heuristic—people substitute an emotional reaction for careful analysis.

Cybercriminals understand human behaviour and persuasion better than many organisations do! Today's phishing attacks increasingly impersonate: senior leaders, IT departments, suppliers, recruiters, charities, business partners, AI companies, colleagues whose accounts have been compromised. Rather than hacking systems, they're hacking relationships.

Perhaps the biggest mistake organisations make is assuming that every phishing victim clicked for the same reason. The same observable behaviour can result from entirely different psychological mechanisms. Imagine six employees all clicking the same phishing email.

  • One clicks because they're curious.
  • One because they're rushing between meetings.
  • One trusts their manager.
  • One fears their account will be suspended.
  • One is simply acting out of habit.
  • Another complies because the message appears to come from an authority figure.

The behaviour is identical. The reasons are completely different. This is a crucial distinction. If we only measure clicks, we miss the behaviour driving them.

Historically, organisations have approached phishing as though everyone shares the same problem: "People clicked because they didn't know better." Behavioural science increasingly suggests that's the wrong diagnosis.

Instead of viewing phishing vulnerability as a knowledge deficit, we should understand it as a collection of different behavioural phenotypes. Some employees are primarily vulnerable to authority, others to curiosity, others to cognitive overload, others to optimism bias or low risk perception, others because they are naturally cooperative and want to help.

Rather than recording only whether someone clicked, organisations should be asking why. Interventions become far more effective once researchers stop asking: "What information do people lack?" and started asking: "What behavioural mechanisms are driving this behaviour?"

Simple post-click interviews or surveys can reveal the behavioural driver behind the action. For example:

  • "It came from my manager, so I just got on with it." → Authority bias
  • "I was rushing through my inbox." → Cognitive overload
  • "I thought my account would be locked." → Loss aversion and fear
  • "I wanted to see what it was." → Curiosity
  • "I thought I was helping someone." → Reciprocity
  • "It didn't seem risky." → Low perceived risk

These insights allow organisations to move beyond generic awareness campaigns and towards targeted behavioural interventions to tackle differing behavioural phenotypes.

The future of phishing defence won't be built solely through better detection software or more awareness training. It will come from understanding human behaviour with the same sophistication that attackers already do.

Cybersecurity professionals have become experts at diagnosing technical vulnerabilities; however, behavioural science offers the opportunity to diagnose human vulnerabilities with equal precision.

Cybersecurity is beginning to undergo the same transition - every click deserves a behavioural diagnosis.