Multitasking makes employees more vulnerable to phishing, study finds
Farah Amod
October 13, 2025
New research shows that cognitive overload in everyday work environments can massively weaken phishing detection.
What happened
A study by the University at Albany has found that multitasking, like switching between emails, meetings, and documents, reduces employee attention and could increase the risk of falling for phishing attacks. The research, published in the European Journal of Information Systems, linked high mental load with a sharp drop in phishing awareness.
Phishing remains a primary tactic used by cybercriminals to steal data or money. An estimated 3.4 billion phishing emails are sent daily, and IBM puts the average cost of a phishing breach at nearly $5 million. The study’s findings suggest that even small reductions in vigilance can have costly consequences.
Going deeper
Researchers tested around 1,000 participants by asking them to identify phishing emails while also managing different memory tasks. Participants under higher cognitive load performed worse at spotting phishing signs such as suspicious links or sender addresses, compared to those with fewer distractions.
Attention and memory were shown to be important to detection accuracy. When mental demands increased, attention to detail dropped. Inboxes, often processed quickly and under pressure, became more vulnerable under these conditions.
What was said
The researchers also found that brief reminders, simple prompts warning of possible phishing, helped improve caution. Participants who received these reminders were more likely to catch suspicious messages, even under multitasking pressure.
Interestingly, reward-themed phishing messages (such as fake prize offers) were harder to resist than threat-based ones (like account warnings). Threats triggered more immediate caution, even without prompts.
The big picture
According to Digital Information World, the study challenges traditional security training models that assume a focused environment. In reality, employees are often dealing with interruptions and competing demands. Organizations may need to rethink how they deliver cybersecurity awareness, integrating real-world conditions into training.
By simulating distractions and using well-timed alerts, companies can help staff develop habits that endure during peak workloads. Human attention is limited, and when stretched, even experienced employees can miss red flags. Addressing this vulnerability means designing defenses that align with how people actually work.
FAQs
How is cognitive load measured in phishing studies?
Researchers typically use memory-based tasks alongside email evaluation exercises to simulate different levels of mental demand and assess performance under pressure.
Why are reward-based phishing emails more successful than threat-based ones?
Reward-themed messages often trigger excitement or curiosity, which can override caution. In contrast, threats activate a defensive response, leading to more skepticism.
What kind of email reminders were effective in the study?
Simple prompts such as “Be alert: phishing attempts may be present” before opening emails increased the likelihood of users spotting fraudulent messages.
Can existing email systems support these prompts?
Yes, organizations can integrate lightweight, non-intrusive alerts or banners within email platforms to periodically remind users to verify links and sender authenticity.
How can cybersecurity training be adapted to reflect real working conditions?
Training programs can incorporate multitasking simulations, ambient distractions, and time pressure to mirror typical work environments and reinforce habits that hold up under strain.
