In today’s digital world, multitasking is often praised as a valuable skill, but new research suggests it comes with hidden dangers. According to a study published in the European Journal of Information Systems, multitasking can significantly increase the risk of falling victim to phishing scams. Led by Xuecong Lu, assistant professor of information security and digital forensics at UAlbany’s Massry School of Business, the research shows how divided attention weakens our ability to detect fraudulent messages.
Phishing, the practice of sending fraudulent emails designed to steal sensitive data or money, remains one of the most common and costly forms of cybercrime. Criminals send an estimated 3.4 billion phishing emails daily, and IBM has found that phishing-related breaches now cost businesses an average of $4.88 million per incident. While most people imagine a phishing attack arriving when they are fully focused, the truth is different—we are often juggling multiple tasks, switching between emails, meetings, and documents. That distraction makes us an easier target.
The study, which involved nearly 1,000 participants, tested how cognitive load impacts phishing detection. Results were striking:
- High memory load reduces detection: When participants had to handle complex memory tasks, they were far more likely to miss phishing red flags.
- Divided attention weakens judgment: Multitasking participants struggled to distinguish legitimate emails from fraudulent ones.
- Simpler tasks improve accuracy: When the mental workload was lighter, participants spotted phishing attempts more effectively.
“This shows that cognitive load is a critical factor in phishing detection,” explained Lu. “When your brain is already busy, you are much more likely to overlook the subtle cues that signal danger.”
The research also explored whether reminders and prompts could help users stay alert. A short warning such as “Be cautious, some messages may be phishing attempts” significantly boosted detection rates. Interestingly, emails that promised rewards were the most effective at tricking distracted participants—unless they received a reminder prompt. On the other hand, threatening emails (like warnings about account lockouts) naturally triggered more scrutiny, even without prompts.
The financial and security implications of these findings are enormous. Since phishing remains a top entry point for data breaches, the study highlights the need for smarter defenses and context-aware training. Experts recommend:
- Training under real-world conditions, where distractions are simulated to mirror workplace reality
- Implementing just-in-time security nudges, like pop-up alerts before users click links
- Educating employees on emotional manipulation tactics that attackers often exploit
Conclusion: This research underscores that humans are the last line of defense against phishing. Technology can filter many threats, but attackers count on human error. By designing training programs and security systems that account for cognitive load and distraction, organizations can drastically reduce their risk. In a world where one careless click can cost millions, focusing on human behavior may be the smartest cybersecurity investment.
