Think about the last time you were about to fall for a suspicious email. You probably knew, in the abstract, that fake emails exist. You had read about phishing, maybe you had even done a training. And yet, for an instant, your finger moved toward the link. How do we explain that gap between what we know and what we do?
The answer is uncomfortable for the intuition behind many security programs, which assume that informing is enough to protect. But phishing is not, at its root, a knowledge problem. It is a problem of how we decide. And understanding that difference completely changes the way we think about awareness.
Why is knowing not the same as being safe?
We don’t make most of our decisions deliberately. Behavioral science describes two modes of processing: a fast, automatic and intuitive one that operates almost effortlessly, and a slow, analytical and conscious one that demands attention and energy. We spend much of the day running on the first, because thinking everything through in detail would be exhausting and unworkable.
That automatic mode is efficient and, almost always, adaptive. It lets us reply to dozens of emails, recognize a familiar logo or follow an “urgent” instruction without stopping at every step. The problem is that phishing is designed precisely to operate there: in the fast lane, where there is no analysis. A competent attacker doesn’t try to fool your reasoning. They try to make sure you never activate it.
That’s why knowledge, on its own, offers less protection than we think. Knowing that phishing exists lives in the reflective mode, but the moment of the click happens in the automatic mode. Between the two there is a gap, and that gap is where the incident happens.
What conditions make us decide on autopilot?
If the risk appears when we are not reflecting, the useful question is: what pushes us into automatic mode? The answer has little to do with intelligence or willpower, and a lot to do with context.
- Cognitive load. When we attend to several things at once, the analytical capacity available drops. An email that arrives in the middle of a meeting, among fifty other tasks, barely has a chance of being examined.
- Time pressure. Urgency is social engineering’s favorite ingredient precisely because it switches off reflection. Phrases like “you have two hours to respond” work exactly because they push us to act before thinking.
- Familiarity. Recognizing a logo, a name or a usual format triggers a sense of safety that the attacker exploits. The familiar is processed fast, and what is fast goes unquestioned.
- Routine. We do the same thing so many times that we stop looking at it. The two-hundredth email of the day doesn’t get the same attention as the first.
It is no coincidence that the Verizon DBIR 2026 records higher click rates in attacks aimed at mobile: the phone is where we operate most on the move, with attention divided and little room for the reflective mode.
None of these conditions is a defect of the person. They are normal traits of how human attention works. The mistake is to design security programs that ignore this and then act surprised that people “don’t learn.”
Why is blaming the user the wrong diagnosis?
When someone falls for a simulation or a real attack, the common reaction is to read it as carelessness or poor judgment. But if the mechanism that failed is automatic processing (the same one that lets us function the rest of the day), blaming the person is like reproaching someone for breathing.
That view, moreover, is counterproductive. Fear of punishment doesn’t improve attention; what it does is push the person to hide the mistake. And a hidden mistake is far more dangerous than one reported in time. I developed this from the organizational angle in human risk in cybersecurity, but here what matters is the psychological consequence: a punitive culture trains concealment, not prudence.
How do you train a behavior that happens on autopilot?
If the problem is not one of knowledge, the solution can’t be just more information either. Explaining better what phishing is isn’t enough. We have to intervene in the moment and in the way the decision is made.
Cyberpsychology suggests a different path: instead of asking people to stay alert all the time (something no brain can sustain), it is better to design small nudges that reintroduce an instant of reflection right where the automatic lane is about to act. This is the logic of nudges in cybersecurity: they don’t aim to teach a fact, but to create a micro-pause that hands control back, for a second, to the conscious mode.
That second is everything. The difference between falling and reporting is usually not about how much the person knows, but about whether something made them stop before acting. That’s why the most effective learning doesn’t arrive in a training scheduled weeks later, but in the exact moment of the mistake, when attention is high and the experience is vivid.
How does SMARTFENSE approach this?
At SMARTFENSE we work on this premise: awareness content is not designed to fill people with information, but to activate reflection at the instant it matters most. The simulations reproduce the real conditions in which we decide on autopilot, and the educational moment that follows intervenes when learning can take hold, without a punitive tone and with a focus on the reflex of stopping and reporting. It’s not about people knowing more, but about having, in front of the next email, that second of pause that changes the decision.
Phishing will keep aiming at the fast lane, because that’s where we are predictable. Awareness, properly understood, works with the nature of human attention instead of fighting it. Knowing doesn’t make us invulnerable. Stopping in time does.