Experiments find multitasking increases vulnerability to phishing attacks

New research demonstrates that the common practice of multitasking significantly impairs a person’s ability to identify and reject phishing emails. A series of experiments found that as cognitive load increases from juggling multiple tasks, the accuracy of detecting fraudulent messages drops sharply, leaving individuals and organizations more susceptible to cyberattacks that exploit this divided attention.

The study, published in the European Journal of Information Systems, challenges a common assumption in cybersecurity research and training: that employees are focused and attentive when they encounter a phishing attempt. By simulating a more realistic work environment where users constantly switch between different tasks, the findings highlight a critical vulnerability in human-centered security and suggest that effective defenses must account for the mental strain of the modern workplace.

The Cognitive Strain of Modern Work

Researchers from the University at Albany and Binghamton University initiated the study to understand how the realities of multitasking affect cybersecurity. “Much of the existing research assumes that people are sitting quietly and focused when a phishing email arrives,” stated Xuecong Lu, an assistant professor at UAlbany’s Massry School of Business and lead author of the study. “In reality, we are constantly multitasking—switching between messages, meetings and documents. That divided attention makes us more vulnerable.” The core of the problem is cognitive load; when a person’s working memory is occupied with multiple activities, fewer mental resources are available to scrutinize incoming emails for the subtle red flags that signal a phishing attempt.

Simulating a Distracted Workplace

To quantify the effects of this mental strain, the research team designed experiments involving nearly 1,000 participants, creating conditions that mimic typical multitasking scenarios in a professional setting.

Experimental Setup

Participants in the study were asked to perform two jobs at once. Their primary task involved email review, where they had to distinguish between legitimate and phishing messages. Simultaneously, they were given memory tasks of varying difficulty, such as remembering a sequence of numbers, to simulate the cognitive load of a busy work environment. This dual-task setup was designed to measure how performance in phishing detection changes as mental demands increase.

Key Findings on Performance

The results showed a direct correlation between cognitive load and vulnerability. When participants had to juggle complex and demanding memory tasks, their ability to correctly identify phishing emails plummeted. Conversely, when the concurrent memory tasks were simpler and the mental load was lighter, their detection accuracy improved significantly. The findings empirically demonstrate that as attention becomes more fragmented, the brain’s capacity for critical judgment and detailed inspection weakens, making it easier for deceptive emails to slip past a person’s defenses.

Anatomy of a Phishing Lure

The study also examined how the framing of a phishing message interacts with a person’s cognitive state. Attackers often craft messages to elicit strong emotional responses, a tactic that becomes more effective when the recipient is distracted. The researchers tested different types of lures and found that “gain-framed” messages—those promising a reward, prize, or other positive outcome—were the most difficult for multitasking participants to resist. People were more likely to fall for these scams unless they were explicitly prompted to be cautious. In contrast, “loss-framed” messages, such as warnings about account suspension or security threats, appeared to trigger more natural caution even without an external prompt.

Simple Nudges as a Line of Defense

While it is impractical to expect employees to stop multitasking, the researchers identified simple, low-cost interventions that can significantly mitigate the risk. They tested the effect of providing brief, timely reminders to participants. A simple prompt, such as a banner reading, “Be cautious, some messages may be phishing attempts,” was enough to refocus attention and improve detection rates, particularly for the tempting reward-based emails. According to the researchers, these “nudge-based” strategies work by momentarily interrupting the multitasking workflow and reminding the user to apply scrutiny at the critical moment of decision. Similar solutions, like colored warning banners automatically applied to suspicious emails, were also suggested as effective tools.

Rethinking Cybersecurity Training

These findings carry important implications for how organizations approach cybersecurity awareness. Many traditional training programs are conducted in focused settings, which does not prepare employees for recognizing threats in their typical, distraction-filled workday. The study suggests that training must evolve to be effective under conditions of divided attention. Incorporating realistic phishing simulations into an employee’s daily workflow can help build vigilance even while they are busy. The research underscores the need for security strategies that are adaptive and account for human cognitive limitations, rather than assuming an ideal, fully focused user.

The Scale of the Phishing Threat

The urgency of addressing this vulnerability is underscored by the sheer volume and cost of phishing attacks. According to industry data, cybercriminals send approximately 3.4 billion phishing emails every single day. This constant barrage targets employees at their busiest moments. For businesses, the financial stakes are enormous. Data from IBM indicates that the average cost of a data breach caused by a phishing attack is now close to $5 million per incident, making the development of effective, multitasking-aware defense strategies a critical priority for organizations of all sizes.
