Multitasking Increases Vulnerability to Phishing Emails, New Research Reveals


By Lisa Wong


Recent research shows that multitasking greatly increases the chances of falling for phishing emails. The study, published in the European Journal of Information Systems, highlights how divided attention during regular activities, such as responding to calendar notifications or switching between tasks, can lead to missed warning signs of fraudulent messages. As the world becomes more digitally connected, knowing how to identify phishing tactics and developing better detection methods will be key for organizations.

Every day, an estimated 3.4 billion emails containing malicious attacks are sent around the globe. These figures are a testament to the escalating danger of phishing attacks, which have become more sophisticated than ever. Xuecong Lu from the University at Albany worked with Milena Head and Junyi Yang from McMaster University. Together, they conducted a series of experiments with 977 participants to explore the impact of multitasking on phishing detection.

The Impact of Divided Attention

The findings show that people's ability to identify phishing attempts decreases significantly when they are multitasking. Jiang, one of the researchers who participated in the study, elaborates:

“When working with multiple screens, your attention will never be fully focused on one screen or one particular email, especially when handling urgent tasks. If you want to reply to that email quickly, ignoring those red flags in a phishing email is easy.”

This observation points to an important concern: workers who are interrupted, particularly in high-pressure work settings, are more likely to succumb to phishing attacks.

In addition, loss-framed messages (for example, threats that an account will be locked) tend to provoke increased vigilance. Jiang points out that detecting these messages becomes more difficult in dual-task environments. He states:

“Our study shows that phishing detection can sometimes plummet under multitasking, and then those threat-based, loss-based messages are hardest to detect, no matter what you do.”

The study urges organizations to reassess how they’re administering phishing awareness and training programs.

Effective Interventions for Phishing Detection

This research illustrates how effective even the simplest nudges, like those embedded within the tools we all use to communicate every day, can be. For instance, a prompt stating “this message may be fraudulent—take a second look” could redirect attention toward potentially harmful emails. Jiang emphasizes the importance of integrating such nudges into platforms like Outlook or Slack:

“We designed a plan for a very simple notification system to nudge people about the [risk factors], so hopefully phishing messages don’t get lost in the shuffle and people can more efficiently detect them.”

These brief system prompts help improve user awareness. They prompt people to examine what is in front of them critically and think twice before acting.

Organizations that implement just-in-time, content-aware interventions will be better able to safeguard their employees and data from phishing attacks. This proactive security posture improves both the effectiveness and the efficiency of security efforts. It also fosters a culture of vigilance, which matters because phishing, like all cyber threats, is constantly changing.

Recommendations for Organizations

This study provides important takeaways for employers and IT leadership. Perhaps most importantly, it arms security trainers with the knowledge and tools necessary to effectively boost their organizations’ phishing detection capabilities. The study recommends that organizations implement strategies that reduce multitasking and offer timely reminders about phishing risks during critical tasks.

With phishing techniques as advanced as ever, organizations need to stay one step ahead of these threats. Adopting these pragmatic, proven interventions and maintaining acute awareness throughout the organization will help businesses dramatically limit their exposure to attacks.