
Study shows that when attention is stretched, particularly by multitasking, even security-savvy people slip.

In A Nutshell

  • Distraction fuels mistakes: People were far less accurate at spotting phishing emails when their working memory was already busy with another task.
  • Memory-for-Goals theory explains why: When attention shifts, the mental goal of “check this carefully” fades and must be recalled before deciding what’s safe.
  • Reminders restore focus: Brief on-screen cues telling users to watch for phishing improved accuracy, especially for “reward”-style messages like prize or refund offers.
  • Real-world takeaway: Security training should mimic busy work conditions, and smart tools could time alerts to moments when users are most distracted.

Bottom line: Mental overload, not ignorance, often drives phishing mistakes. A simple reminder at the right moment can make all the difference.

HAMILTON, Ontario — Workers juggling multiple tasks are far more likely to fall for phishing emails, according to new research that questions how organizations train employees to spot digital threats.

A study published in the European Journal of Information Systems found that people asked to remember information while evaluating emails showed measurably worse judgment about which messages were legitimate. When participants held eight digits in memory compared to just two, their ability to identify phishing attempts dropped noticeably.

Results point to a troubling reality: Most people encounter suspicious emails not during quiet, focused moments but while mentally occupied with other work demands.

“Phishing detection is not merely a reactive response to external cues; users must mentally represent the detection goal, sustain it amid competing demands, and retrieve it at the moment of decision,” the researchers wrote.

We’re more vulnerable to being scammed when we’re juggling multiple things at once. (© Nadezhda Buravleva – stock.adobe.com)

The Multitasking Problem

Scholars from McMaster University, Binghamton University, and the University at Albany recruited more than 900 participants across two online experiments. Participants completed memory tasks of varying difficulty, then evaluated a mix of legitimate and phishing emails designed to mimic real-world threats.

Those handling the more demanding memory task showed reduced accuracy in flagging suspicious messages. Researchers measured not just whether people made correct choices but also their confidence in those decisions, creating a composite score of detection quality.

The experiments recreated everyday multitasking, like pausing work to check an email. Email checking works the same way for most office workers: not as a standalone activity but as a secondary task that breaks into other work.

Why Current Training Falls Short

This research raises questions about current security training approaches. Most programs assume people evaluate emails during distraction-free conditions, yet cognitive load from ongoing work proved to be a barrier to threat detection.

Researchers drew on Memory-for-Goals theory, a psychology model explaining how people retrieve and act on goals when switching between tasks. Under this theory, the mental goal of scrutinizing emails for threats must be actively brought back to mind and can easily be displaced when working memory is already taxed by other demands.

Prior research has focused heavily on individual traits like age or personality, or on message characteristics like urgent language or authority cues. The current study shifts attention to the cognitive state users are in when they encounter threats.

When Simple Reminders Make a Difference

Researchers also tested a potential solution: brief reminders that appeared between tasks, explicitly telling participants to focus on detecting phishing attempts. These goal activation prompts improved detection accuracy, especially when people were under higher cognitive load.

Reminders proved most effective for emails framed around potential gains, such as prize notifications or refund offers. Warning-style emails triggered more caution on their own, reducing the added benefit of external reminders.

Male participants showed stronger benefits from the reminder intervention compared to female participants. Researchers note this may reflect gender differences in baseline security vigilance, with women maintaining more consistent caution regardless of whether they received prompts, though they caution against drawing firm conclusions from this pattern.

Companies should consider better cybersecurity measures to keep workers from mistakenly clicking a malicious email. (© patcharin.inn – stock.adobe.com)

What This Means for Workplace Security

Findings point toward context-aware security systems that could recognize when someone’s attention is stretched and deliver targeted alerts at those vulnerable moments. Such systems might monitor signals like typing patterns, task-switching frequency, or time since the last break to infer mental load, though the study did not test real-time monitoring tools.

Rather than treating all phishing threats uniformly, security tools could prioritize reminders for gain-framed messages while allowing loss-framed warnings to rely on their inherent ability to trigger suspicion.

Results also show training should incorporate realistic conditions. Simulated phishing exercises might be more effective if conducted during busy periods rather than in dedicated training sessions, better preparing employees for the actual circumstances under which they’ll need to make security judgments.

With an estimated 3.4 billion malicious emails sent daily, even modest improvements in detection rates could prevent substantial harm. The study demonstrates that relatively simple interventions, delivered at the right moment, may offer practical protection without requiring extensive behavioral change or expensive technology overhauls.

What Is Phishing and How Can You Spot It?

Phishing is a type of online scam where criminals send emails, text messages, or other communications pretending to be from legitimate organizations. The goal is to trick people into revealing sensitive information like passwords, credit card numbers, or Social Security numbers, or to click on malicious links that install harmful software.

The term “phishing” comes from “fishing” because scammers cast out bait hoping someone will bite.

How Phishing Works

Attackers typically send messages that appear to come from trusted sources like banks, online retailers, government agencies, or even colleagues. These messages create a sense of urgency or offer something attractive to prompt quick action without careful thought.

Common tactics include:

  • Urgent warnings about account problems requiring immediate action
  • Prize notifications claiming you’ve won something or are due a refund
  • Security alerts saying your account has been compromised
  • Requests for verification of personal information
  • Invoice notifications for purchases you didn’t make

The Dangers

Falling for a phishing scam can lead to:

  • Identity theft where criminals open accounts or take out loans in your name
  • Financial loss from unauthorized charges or drained bank accounts
  • Data breaches if you use a work email, potentially compromising your employer’s systems
  • Malware infection that steals information or locks your files for ransom
  • Account takeovers where criminals gain access to your email, social media, or other accounts

How to Spot Phishing Attempts

Check the sender carefully. Hover over the sender’s email address (don’t click) to see the actual address. Scammers often use addresses that look similar to legitimate ones but have subtle differences like extra letters or different domains.

Look for generic greetings. Legitimate companies usually address you by name. Messages starting with “Dear Customer” or “Dear User” are red flags.

Watch for poor grammar and spelling. Many phishing emails contain obvious errors, though some are professionally written.

Examine links before clicking. Hover over any links to see the actual web address. Legitimate sites use secure connections starting with “https://” and match the company’s real domain.

Be suspicious of urgent requests. Pressure to act immediately is a classic phishing tactic. Legitimate organizations rarely demand instant action via email.

Question unexpected attachments. Don’t open attachments from unknown senders or unexpected attachments from known senders.

Verify requests independently. If an email claims to be from your bank or another service, don’t use contact information from the email. Instead, go directly to the company’s official website or call a number you know is legitimate.
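As an added example (not from the article or the study it summarizes), the checklist above can be turned into a small screening routine: it flags a sender domain that is a near-miss of a known one, a generic greeting, urgency wording, links that are not https, and links whose displayed address differs from the real target. The known-domain set, the keyword lists and the sample message are assumptions constructed for the example; anchor text is assumed to be plain.

```python
import re
from urllib.parse import urlparse

KNOWN_DOMAINS = {"examplebank.com"}   # assumption: the organisation's genuine domains
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued member")
URGENCY = ("immediately", "urgent", "within 24 hours", "will be suspended")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: lookalike sender, generic greeting, urgency, and a link whose text shows the real bank but targets an unrelated http:// host.
SAMPLE = dict(sender="Example Bank <alerts@examplebanks.com>",
              subject="Action required: verify your account immediately",
              body_html='<p>Dear Customer,</p><p>Your account will be suspended unless you '
                        '<a href="http://examplebank-secure.com/login">https://www.examplebank.com/login</a></p>')

def levenshtein(a, b):  # edit distance: one extra or changed letter scores 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host(s):  # host of an e-mail address or URL, lower-cased, leading "www." dropped
    s = s.strip().lower()
    if "@" in s and "://" not in s:
        return re.sub(r"^www\.", "", s.rsplit("@", 1)[1].rstrip(">"))
    return re.sub(r"^www\.", "", urlparse(s if "://" in s else "http://" + s).hostname or "")

def lookalike(h):  # not one of our domains, but within two edits of one
    return h not in KNOWN_DOMAINS and any(levenshtein(h, k) <= 2 for k in KNOWN_DOMAINS)

def phishing_flags(sender, subject, body_html):
    """Return the checklist red flags this message trips ([] = nothing obvious)."""
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    flags = set()
    if lookalike(host(sender)):
        flags.add("lookalike-sender")
    if text.strip().startswith(GENERIC_GREETINGS):
        flags.add("generic-greeting")
    if any(w in subject.lower() + " " + text for w in URGENCY):
        flags.add("urgency")
    for href, shown in LINK_RE.findall(body_html):
        if not href.lower().startswith("https://"):
            flags.add("insecure-link")            # legitimate sites use https://
        if "." in shown and host(shown) != host(href):
            flags.add("link-text-mismatch")       # displayed address differs from real target
        if lookalike(host(href)):
            flags.add("lookalike-link")
    return sorted(flags)
```

Running `phishing_flags(**SAMPLE)` on the constructed message returns every flag except `lookalike-link`; a clean message from a known domain returns an empty list.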

What to Do If You Suspect Phishing

  • Don’t click any links or download attachments
  • Don’t reply to the message
  • Report it to your IT department if it’s a work email
  • Forward it to the Anti-Phishing Working Group at reportphishing@apwg.org
  • Delete the message
  • If you clicked a link or provided information, immediately change your passwords and contact your bank or credit card company

Remember: When in doubt, it’s always safer to verify through a separate channel than to risk responding to a scam.

Paper Summary

Methodology

Researchers conducted two controlled online experiments using Amazon Mechanical Turk participants. Study 1 included 405 participants who completed a digit memorization task (either 2 or 8 digits) before evaluating eight emails, four of which were phishing attempts. Study 2 included 572 participants and added a goal activation intervention, where some participants received an explicit reminder to focus on phishing detection. Study 2 also used a more realistic primary task involving memorizing information from a workplace memo. Both studies measured detection accuracy and a quality score that incorporated participant confidence. Emails were standardized using a Gmail template and included both gain-framed messages (emphasizing rewards) and loss-framed messages (emphasizing threats). Participants also answered questions about demographics, internet experience, prior victimization, and other individual characteristics that served as control variables.

Results

Higher working memory load from the primary task reduced phishing detection accuracy and quality scores across both studies. Goal activation reminders improved detection performance and lessened the negative impact of cognitive load. The effectiveness of these reminders was stronger for gain-framed phishing emails compared to loss-framed emails. Male participants showed greater dependence on goal activation cues than female participants. Additional analysis revealed that detection performance was more variable within individuals when evaluating gain-framed messages compared to loss-framed messages, indicating less consistent processing strategies for reward-oriented threats.

Limitations

The study used controlled experimental conditions that may not fully capture real-world complexity. Participants viewed emails in a research context where they knew detection was being evaluated, potentially increasing vigilance compared to normal email checking. The working memory load manipulation, while effective, represented a simplified version of workplace cognitive demands. The research focused only on text-based reminders and did not test other intervention formats like visual or auditory cues. The study examined only short-term goal activation effects and did not assess whether repeated reminders maintain effectiveness over time or whether they might lead to habituation. The participant pool, while diverse, consisted of online workers who may differ from typical office employees in technology experience or security awareness.

Funding and Disclosures

This work was supported by a Social Sciences and Humanities Research Council of Canada grant, award number 435-2022-0444. The authors reported no relevant financial or non-financial competing interests.

Publication Details

Lu, X., Jiang, J., Head, M., & Yang, J. (2025). Phishing detection in multitasking contexts: the impact of working memory load, goal activation, and message framing cue on detection performance. European Journal of Information Systems. DOI: 10.1080/0960085X.2025.2548543
