People are more likely to fall for phishing scams when their attention is split across several tasks. New research led by Milena Head at McMaster University shows that distraction, not ignorance, often causes these errors.
The study[1], published in the European Journal of Information Systems, looked at how mental workload affects people’s ability to judge whether an email is legitimate. Participants who had to remember longer sets of numbers were less accurate in spotting phishing attempts. Those under heavier mental load were also less confident in their decisions.
Researchers say phishing detection is a thinking task, not an automatic reaction. When the mind is busy, the mental reminder to “check this message carefully” often fades before a person can decide what to trust.
Mental Load Reduces Accuracy
The experiments involved more than 900 participants who reviewed both real and fraudulent emails. Each person performed a memory task before judging the messages. When the task was simple, detection accuracy was higher. When it was harder, accuracy dropped.
Data from the first experiment showed that high memory load had a measurable negative effect on detection accuracy (β = −.124, p = .049) and decision quality (β = −.066, p = .008). This pattern confirmed what many workplaces see in practice: multitasking reduces focus and leads to quick, sometimes wrong, decisions.
People who were confident in their cybersecurity skills did not necessarily perform better. Some overestimated their ability and became less cautious. Messages that looked familiar also reduced attention, especially when participants were juggling other tasks. The researchers observed that mental effort from one activity can spill into another, making it harder to focus. “When cognitive demands are high, users may never retrieve the goal of phishing detection at all,” the study explains.
Simple Cues Help Refocus the Mind
The second experiment tested whether a short reminder could offset this problem. After reading a short memo, half of the participants saw a quick message reminding them to watch for phishing before they checked their inbox.
That short prompt improved accuracy and decision quality (β = .230, p < .001). It acted as a mental cue, helping people recall their security goal at the right moment. The negative effect of memory load was weaker when reminders appeared, which suggests that a well-timed message can restore focus even under pressure.
These reminders worked best for emails framed around rewards or refunds, known as “gain-framed” messages. Such messages often escape suspicion because they appear positive. Loss-framed messages, like account warnings, already triggered more caution and showed smaller improvement.
Gender differences also appeared. Male participants showed a larger boost from reminders, though the researchers said this pattern needs more investigation.
What the Findings Mean for Training
The research challenges how most organizations train people to detect phishing. Many awareness sessions happen in quiet settings, far from the fast-paced reality of everyday work. The study suggests that detection exercises should include distractions to reflect real conditions.
Practical systems could also help. A context-aware tool might track when a user is switching tasks or typing rapidly, then deliver a subtle alert before they open new emails. Training programs could schedule phishing simulations during peak work hours to capture how attention works under stress.
The study’s data show that even small reminders can make a measurable difference. They don’t need to interrupt work or appear constantly. Timing is more important than volume.
With billions of phishing emails circulating every day, small improvements in detection can have a broad effect. As the researchers conclude, mental overload, not lack of awareness, is often the cause of these mistakes. Understanding how attention works under strain may help organizations protect employees at the moments they are most likely to slip.
Notes: This post was edited/created using GenAI tools. Image: DIW-Aigen.
Read next:
• The AI Boss Effect: How ChatGPT Is Quietly Replacing Workplace Guidance[2]
• People Struggle to Tell AI from Doctors, and Often Trust It More[3]
References
- ^ The study (www.tandfonline.com)
- ^ The AI Boss Effect: How ChatGPT Is Quietly Replacing Workplace Guidance (www.digitalinformationworld.com)
- ^ People Struggle to Tell AI from Doctors, and Often Trust It More (www.digitalinformationworld.com)