Busy minds, easy targets: how multitasking opens the door to phishing

Picture the scene: you are deep in a Zoom meeting, while Slack messages flash across your screen, three spreadsheets sit open demanding attention, and your inbox pings insistently. In that moment of fragmented focus, it becomes all too easy to overlook the subtle but crucial red flag buried in a seemingly routine email. That’s how phishing succeeds — not by outsmarting us, but by exploiting our divided attention. With an estimated 3.4 billion malicious emails sent every day, this small slip in awareness can carry catastrophic consequences for individuals and organisations alike. The modern workplace, saturated with overlapping digital demands, has become the perfect environment for such attacks to thrive, as multitasking erodes the mental bandwidth needed for critical scrutiny.

A groundbreaking new study from faculty at Binghamton University’s School of Management, part of the State University of New York, has shed light on this very problem. The research reveals that multitasking significantly impairs people’s ability to detect phishing attempts. When the human mind juggles multiple streams of information, its capacity to recognise subtle anomalies — such as misspellings, mismatched domains, or inconsistent tone — diminishes sharply. Yet, amidst this disquieting revelation lies an encouraging discovery: small, well-timed “nudges” can restore awareness at the exact moment it’s most needed. These gentle interventions, carefully designed to refocus attention, can help individuals pause before clicking impulsively and potentially avert security breaches.

Associate Professor Jinglu Jiang, one of the study’s co-authors, highlighted the core dilemma of modern multitasking. “When working with multiple screens, your attention will never be fully focused on one screen or one particular email, especially when handling urgent tasks,” she explained. “If you want to reply to that email quickly, ignoring those red flags in a phishing email is easy.” Jiang and her team sought to understand how to mitigate this problem without disrupting productivity. Their proposed solution is elegantly simple: a notification system that nudges users at critical moments, gently reminding them to look for phishing indicators. Rather than relying on rigid training modules or intrusive pop-ups, this system would blend seamlessly into the user’s existing workflow, providing subtle cues that prompt reassessment when attention begins to drift.

To test their hypothesis, the researchers conducted experiments with 977 participants, simulating everyday multitasking scenarios. Participants were asked to carry out a “primary task” — such as memorising work-related data or numbers — while simultaneously identifying phishing emails, the “secondary task.” The setup mirrored the conditions of a typical workplace, where employees constantly switch between tasks under time pressure. The results were striking: when participants’ working memory was heavily engaged, their ability to detect phishing plummeted. However, when brief reminders or prompts were introduced, accuracy improved even under the heaviest cognitive load. These findings suggest that even minimal interventions, when timed correctly, can have a disproportionately positive impact on security awareness.

Importantly, the study’s proposed interventions require no sweeping technological overhaul. A simple coloured warning banner within an email client or a short prompt appearing during task switches could suffice. Imagine receiving a notification saying, “This message may be fraudulent — take a moment to verify,” just as you shift from one spreadsheet to another or open a new tab. These small nudges, positioned strategically during moments of distraction, help reclaim the user’s attention before they act. The beauty of this approach lies in its subtlety; it doesn’t demand complete focus but gently coaxes the mind back to awareness. This design philosophy reflects a deep understanding of human behaviour — acknowledging that security isn’t just a technological challenge, but a cognitive one.

The study also distinguishes between two types of phishing messages: “gain-framed” and “loss-framed.” Gain-framed messages promise rewards — think “Claim your gift card now!” — and are particularly effective at catching people off-guard because they exploit curiosity and excitement. Loss-framed messages, on the other hand, threaten negative consequences like “Your account will be locked in 24 hours,” triggering a more cautious, defensive reaction. Jiang’s team found that reminders were most effective against the reward-based, gain-framed messages, as people are naturally more vigilant in the face of threats but less so when enticed by potential benefits. This insight suggests that a uniform approach to phishing prevention — flooding users with constant reminders — may be counterproductive. Instead, organisations should adopt context-sensitive alerts that adapt to the specific nature of the threat.
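The context-sensitive alerting described above, combined with the task-switch timing from the earlier paragraph, as an added Python example that is not from the study or from this article. The cue lists, the `SWITCH_WINDOW` threshold, the banner wording and the policy for loss-framed mail are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Cue lists are constructed for illustration; the study does not publish a lexicon.
GAIN = re.compile(r"\b(?:claim|gift card|reward|prize|bonus|free|winner)\b", re.I)
LOSS = re.compile(r"\b(?:locked|suspended|expires?|overdue|unauthori[sz]ed|final notice)\b", re.I)
SWITCH_WINDOW = 30  # seconds since the last task switch; assumed threshold

def framing(text):
    """Return 'gain', 'loss' or 'neutral' from keyword-cue counts."""
    gain, loss = len(GAIN.findall(text)), len(LOSS.findall(text))
    if gain == loss:
        return "neutral"
    return "gain" if gain > loss else "loss"

def nudge(raw, org_domain, secs_since_task_switch):
    """Return banner text, or None when no reminder should be shown."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # The From header is spoofable; a mail gateway would use authenticated results instead.
    if sender.endswith("@" + org_domain):
        return None  # internal mail: stay quiet rather than flood the user
    frame = framing(f"{msg.get('Subject', '')}\n{msg.get_payload()}")
    if frame == "gain":
        return "Reward offer from an external sender: take a moment to verify."
    # Assumed policy: threats already prompt caution, so remind only right after a task switch.
    if frame == "loss" and secs_since_task_switch < SWITCH_WINDOW:
        return "Urgent request from an external sender: verify before acting."
    return None

# Constructed sample messages (example.* domains are placeholders).
GIFT = ("From: Rewards Team <promo@rewards.example>\n"
        "Subject: Claim your gift card now!\n\nYou have been selected for a reward.\n")
LOCK = ("From: IT Support <it@helpdesk.example>\n"
        "Subject: Your account will be locked in 24 hours\n\nSign in to keep access.\n")
INTERNAL = ("From: Ana <ana@corp.example>\n"
            "Subject: Free lunch on Friday\n\nBring your own cutlery.\n")

if __name__ == "__main__":
    for name, raw, idle in [("gift", GIFT, 600), ("lock", LOCK, 600),
                            ("lock after switch", LOCK, 5), ("internal", INTERNAL, 5)]:
        print(f"{name}: {nudge(raw, 'corp.example', idle)}")
```
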

As phishing tactics grow increasingly sophisticated — with cybercriminals using realistic fake accounts, cloned websites, and even artificial intelligence to mimic trusted senders — the need for adaptive, human-centred defences becomes urgent. Jiang warned that “the techniques used by these phishers become more sophisticated every day; they’re using fake accounts and, in many instances, masking the sender’s identity.” The study underscores that multitasking doesn’t just reduce productivity; it creates a security blind spot that phishers are eager to exploit. However, just-in-time nudges, designed to refocus attention precisely when vulnerability peaks, can serve as an effective countermeasure. By shifting from rigid, one-size-fits-all training programmes to dynamic, context-aware reminders, organisations can build resilience into the very fabric of digital workflows.

Ultimately, the findings from Binghamton University reveal an essential truth about cybersecurity: the weakest link is not technology, but attention. Human cognition, stretched thin by digital multitasking, is both the battleground and the solution. By embedding awareness into everyday tools — from Outlook and Gmail to Slack and Teams — and by designing training that mirrors real-world distractions, employers can foster a culture of mindful engagement. Rather than overwhelming workers with endless alerts, they can empower them with smart, timely cues that cut through the noise. In doing so, organisations move beyond a reactive stance and towards a proactive, psychologically informed model of defence — one that protects people not by demanding their constant vigilance, but by guiding it when it matters most.

More information: Jinglu Jiang et al, Phishing detection in multitasking contexts: the impact of working memory load, goal activation, and message framing cue on detection performance, European Journal of Information Systems. DOI: 10.1080/0960085X.2025.2548543

Journal information: European Journal of Information Systems

Provided by Binghamton University
