The Psychology Behind Phishing

Cognitive biases are inherent mental shortcuts that enable efficient decision-making, but they can also result in significant errors in judgment, particularly in high-stress situations like phishing attacks. These biases stem from our brain's need to conserve cognitive energy, often leading us to rely on instinct rather than careful analysis. This article explores how cognitive biases—grouped into categories such as "Too Much Information" and "Not Enough Meaning"—can make individuals more susceptible to manipulation by cybercriminals. By examining ten common biases exploited in phishing attempts, such as the Availability Heuristic and Authority Bias, and analyzing several case studies, we gain insights into how emotions are weaponized against victims. Ultimately, understanding these psychological tactics allows organizations to implement better cybersecurity measures while also leveraging cognitive biases for positive outcomes, turning potential vulnerabilities into tools for enhancing decision-making and protection against cyber threats.
Written by Joshua Crumbaugh
Published on September 10, 2024

4.1 Understanding Cognitive Biases

Cognitive biases are mental shortcuts that our brains use to make decision-making more efficient, but they can also lead to errors in judgment. These biases often arise because our brains are trying to process large amounts of information quickly, using patterns and assumptions to simplify complex situations. While these mental shortcuts can be helpful in everyday life, they can also make us more vulnerable to manipulation, especially in phishing attacks and other social engineering tactics.


Cognitive biases exist because our brains are wired to conserve cognitive energy and make quick decisions. However, this speed sometimes comes at the cost of accuracy. In stressful or high-pressure situations, like receiving an alarming email or phone call, these biases can make us more likely to fall for scams because we rely on instinct rather than careful analysis.


Cognitive biases can be grouped into four main categories:


  1. Too Much Information
    Our brains are constantly bombarded with information, so we filter out what seems unnecessary and focus on the most noticeable or relevant details. This can lead to overemphasizing certain data while ignoring the bigger picture.
  2. Not Enough Meaning
    In uncertain or ambiguous situations, we tend to fill in gaps with assumptions and patterns that may not exist. This can cause us to draw incorrect conclusions based on incomplete information.
  3. The Need to Act Quickly
    When faced with urgent situations, we often make fast decisions to resolve problems quickly. However, this need for speed can lead to impulsive actions that aren’t fully thought through.
  4. What We Should Remember
    Our memories aren’t perfect, and we tend to focus on information that seems important or emotionally relevant. This can result in us remembering things inaccurately, especially under stress.

Here are 10 common cognitive biases that phishing attackers exploit:


  1. Availability Heuristic
    People are more likely to react to information that comes easily to mind, especially after hearing about recent events, such as cyberattacks.
  2. Anchoring Bias
    People tend to rely too heavily on the first piece of information they receive, such as an initial alarming message about a supposed account breach.
  3. Negativity Bias
    Negative information, like warnings of account suspension or threats of data loss, tends to weigh more heavily on decisions than positive information.
  4. Framing Effect
    The way information is presented—whether positive or negative—can influence decisions, such as presenting an action as “protecting your account.”
  5. Confirmation Bias
    People tend to favor information that confirms their preexisting beliefs. Phishers exploit this by sending messages that align with the target’s concerns, like fake security alerts.
  6. Authority Bias
    Requests from perceived authority figures, like executives or IT departments, are more likely to be followed without question.
  7. Scarcity Bias
    Limited-time offers or threats of expiring access play on people’s fear of missing out, prompting impulsive actions like clicking malicious links.
  8. Social Proof
    Messages that imply “everyone else is doing this” can manipulate individuals into complying with fake instructions, such as updating security settings.
  9. Omission Bias
    Phishers suggest that inaction will lead to worse consequences than taking an action, making individuals feel pressured to respond.
  10. Empathy Gap
    When in a heightened emotional state, like fear or stress, people may not predict how they will act, which attackers use to create urgency or panic.

See our Cognitive Bias Index for more complete information on cognitive biases.



4.2 The Role of Cognitive Biases in Everyday Decision Making

Cognitive biases are integral to how we process information and make decisions, often allowing us to act quickly and efficiently. However, while these mental shortcuts can sometimes lead to poor judgment or manipulation, they can also be harnessed for good. In fact, “social engineering for good” uses the same cognitive biases that attackers exploit to help individuals and organizations make better decisions, especially in high-stakes environments like cybersecurity.


For example, the availability heuristic causes people to focus on recent or easily recalled events. Cybersecurity training programs can use this to their advantage by frequently reminding employees about the dangers of phishing attacks, keeping the threat top of mind and making individuals more vigilant when suspicious emails appear.


Similarly, confirmation bias, which leads people to favor information that supports their beliefs, can be leveraged to reinforce positive behaviors. Regularly exposing employees to stories and examples of strong security practices can make them more likely to seek out and believe in the importance of safe online habits.


Anchoring bias can also be used defensively. By initially framing cybersecurity policies or instructions as critical, businesses can ensure that employees view these guidelines as non-negotiable. This establishes a solid foundation where security is a priority, and any deviation from it feels like a significant departure.


Negativity bias, which makes us focus more on negative outcomes, can be harnessed to drive better behavior as well. For example, cybersecurity training that emphasizes the severe consequences of a data breach—loss of sensitive information, financial penalties, reputational damage—can motivate individuals to be more cautious with their online actions, knowing what’s at stake.


In some cases, social proof, a bias where people look to others for behavioral cues, can also be an ally. Creating a culture of security, where employees see their peers adopting good practices like using strong passwords or reporting phishing emails, can encourage widespread adoption of secure behaviors. If everyone around you is practicing good security hygiene, you’re more likely to follow suit.


By understanding these biases and deliberately designing security programs that align with how people naturally think, organizations can build a stronger defense against cyber threats. Cognitive biases, often seen as vulnerabilities, can become powerful tools for fostering good decision-making and preventing attacks.


In a way, social engineering for good takes the tactics of attackers and turns them around to protect individuals. Rather than manipulating people to fall for scams, these tactics are used to empower them to stay safe online, reinforcing positive behaviors and making the right security decisions second nature.



4.3 How Emotions Are Weaponized Against You

Cybercriminals know that emotions are a powerful tool for manipulation, and they weaponize them to exploit vulnerabilities in their targets. Phishing attacks, scams, and social engineering tactics often rely on triggering emotional responses—fear, urgency, curiosity, or even empathy—to bypass rational thinking and provoke impulsive decisions.


For example, fear is commonly used to drive action. A phishing email might claim that your account has been compromised or that you’re at risk of losing access unless you act immediately. By inducing panic, attackers can lower your defenses and make you more likely to click on a malicious link or provide personal information without verifying the source.


Urgency is another emotion frequently exploited. Messages designed to create a sense of limited time—such as warnings about missed payments or expiring benefits—push you into making snap decisions. When feeling pressured, it’s easy to overlook potential red flags or forget to double-check the authenticity of the message.


Attackers also play on empathy and trust. Business Email Compromise (BEC) scams, for instance, often involve impersonating someone the target knows and trusts, like a colleague or executive, and requesting urgent help. The natural desire to assist someone in need can override skepticism, leading to dangerous actions like transferring money or sharing sensitive information.


In many cases, attackers combine several emotional triggers to create a potent mix of fear, urgency, and trust. This emotional manipulation bypasses logical decision-making, making victims act before they’ve had time to fully consider the consequences.


By understanding how emotions can be weaponized against you, it becomes easier to recognize and resist these tactics, making you less vulnerable to manipulation and better equipped to protect yourself from phishing and other cyber threats.
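As an added illustration (not code from the article or from PhishFirewall), the following Python scores a message against the levers listed in 4.1 and the emotional triggers described in this section: urgency, authority, scarcity, secrecy and fear cues, plus a Reply-To domain mismatch of the kind seen in the BEC scenario above. The cue lists, thresholds, sample messages and domain names are constructed assumptions for demonstration, not a production filter.

```python
"""Heuristic scorer for the psychological levers phishing relies on.
Constructed example: the cue patterns, thresholds and sample messages below
are illustrative assumptions, not a vetted detection ruleset."""
import re
from email import message_from_string
from email.utils import parseaddr

# Each category corresponds to a bias or emotion the article describes.
CUES = {
    "urgency":   [r"\bimmediately\b", r"\bright away\b", r"\burgent\b", r"\bwithin \d+ (?:hours|minutes)\b"],
    "authority": [r"\bceo\b", r"\bcfo\b", r"\bit department\b", r"\bper my instruction\b"],
    "scarcity":  [r"\bexpir(?:e|es|ing)\b", r"\blimited time\b", r"\blast chance\b"],
    "secrecy":   [r"\bconfidential\b", r"\bdo not discuss\b", r"\bkeep this between us\b"],
    "fear":      [r"\bsuspend(?:ed)?\b", r"\bcompromised\b", r"\blose access\b", r"\bpenalt(?:y|ies)\b"],
    "action":    [r"\bwire\b", r"\btransfer\b", r"\bgift cards?\b", r"\bclick (?:here|the link)\b", r"\bverify your\b"],
}

def domain_of(addr: str) -> str:
    """Return the lowercased domain part of a header address, display name ignored."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def score_message(raw: str, internal_domain: str) -> dict:
    """Count how many emotional levers an email stacks together and check whether
    a message that claims to come from inside routes replies to an outside domain."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part text messages only in this example
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = {cat: [p for p in pats if re.search(p, text)] for cat, pats in CUES.items()}
    categories = [c for c, h in hits.items() if h]
    reasons = [f"{c}: {len(h)} cue(s)" for c, h in hits.items() if h]
    score = len(categories)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", msg.get("From", "")))
    # An internal-looking sender whose replies go elsewhere is the classic BEC tell.
    if from_domain == internal_domain and reply_domain != internal_domain:
        reasons.append(f"reply-to domain {reply_domain} differs from {from_domain}")
        score += 2
    # Several levers stacked together, or a header mismatch, warrants human review.
    verdict = "review" if score >= 3 else "ok"
    return {"score": score, "categories": categories, "reasons": reasons, "verdict": verdict}

# Constructed sample messages; the addresses and domains are placeholders.
SAMPLE_BEC = """From: "Pat Rivera (CEO)" <pat.rivera@example-corp.com>
Reply-To: pat.rivera.ceo@mail-example.net
Subject: Urgent and confidential wire

I need you to transfer the vendor deposit immediately. Keep this between us until the deal closes.
"""
SAMPLE_OK = """From: "Pat Rivera" <pat.rivera@example-corp.com>
Subject: Lunch menu for Friday

The cafeteria is serving tacos on Friday. Let me know if you have allergies.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_OK):
        print(score_message(sample, "example-corp.com"))
```

The BEC sample trips urgency, secrecy and action cues and the Reply-To mismatch, while the benign note scores zero; a real deployment would tune the cue lists to the organization's own language and feed the verdict into a review queue rather than block outright.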



4.4 Case Studies: Phishing and Psychological Manipulation

Phishing scams often trick people by playing with their emotions and instincts. These scams can be very clever, making it hard to see through them. This chapter looks at real-life examples to show how phishing works and what we can learn from these attacks.


Case Study 1: The Ubiquiti Networks Attack
Background: In 2015, Ubiquiti Networks, a technology company, was tricked by a phishing attack.
Incident: Criminals sent fake emails pretending to be from the company’s senior executives. The emails were very believable and asked the finance team to send a large sum of money to foreign bank accounts for urgent and secret reasons. The finance team followed the instructions and sent about $46.7 million before realizing it was a scam.
Psychological Tricks:

  • Trust in Authority: The emails appeared to come from senior executives, so employees didn’t question them.
  • Urgency: The emails said it was urgent, making employees act quickly without thinking.
  • Secrecy: Mentioning that it was confidential made employees less likely to check with others.

Outcome and Lessons: Ubiquiti recovered about $8.1 million, but the incident taught the company to improve its email security and to double-check important requests.

Case Study 2: The FACC CEO Fraud
Background: In 2016, FACC, an Austrian aerospace company, was hit by a phishing scam targeting its finance team.
Incident: Scammers pretended to be the CEO and asked an employee to transfer €50 million to a foreign bank account. The email was convincing, so the employee didn’t check with the actual CEO and sent the money.
Psychological Tricks:

  • Pressure: The email made it seem like the transfer had to happen quickly.
  • Believability: The scammers knew how the company worked and made the email look real.
  • Trust in Authority: Employees tend to trust and follow instructions from higher-ups.

Outcome and Lessons: Only about €10 million was recovered, and both the CEO and CFO were fired. The company learned the importance of having checks in place for large money transfers.

Case Study 3: The Target Data Breach
Background: In 2013, Target’s customer data was stolen in an attack that began with a phishing email to one of its vendors.
Incident: Attackers sent an email to employees at Fazio Mechanical, a company that worked with Target. The email carried a malicious attachment that, when opened, installed malware. The malware spread to Target’s network and allowed the attackers to steal credit card information from millions of customers.
Psychological Tricks:

  • Trust: The email came from a known contact, so employees were less cautious.
  • Curiosity: People often open attachments that look interesting or important.
  • Lack of Verification: The employees didn’t double-check the email’s origin before opening the attachment.

Outcome and Lessons: Target faced costs of over $200 million. The incident highlighted the need for strong security controls around third-party vendors and for caution with email attachments.

Case Study 4: The Sony Pictures Hack
Background: In 2014, Sony Pictures was hacked after a phishing email was sent to a high-level employee.
Incident: Hackers, believed to be from North Korea, sent an email containing a malicious link to a Sony executive. When the link was clicked, malware was installed and stole large amounts of sensitive data, including unreleased movies and private employee information.
Psychological Tricks:

  • Curiosity: The email made the executive interested enough to click the link.
  • Trust in Familiar Email: The email looked like it was from a trusted source.
  • Confusion and Distraction: The hacker’s message may have seemed urgent or important enough to cloud judgment.

Outcome and Lessons: The hack caused severe damage to Sony, affecting its reputation and finances. This case showed the importance of educating employees about phishing and being careful with any unexpected emails or links.

Conclusion: These cases show how phishing relies on fooling people through trust, urgency, and other psychological tricks. Understanding these tactics can help individuals and organizations spot and stop phishing attempts. Training, awareness, and careful checking are key to staying safe from phishing.

Meet The Social Engineer

Joshua Crumbaugh

Recognizing the challenges and variation in applying psychology theory to real-world environments, I founded PhishFirewall, a security awareness and phishing training company built on these principles I’ve spent my career refining. We test and apply these concepts in diverse and practical ways to fit each organization’s unique needs.

I invite you to benchmark my company and discover how even slight changes in your approach can yield tremendous impacts on your organization’s security posture.

Hi, I’m Joshua Crumbaugh, and I’m proud to say that for over 20 years, I’ve been one of the leading Ethical Hackers in the United States. I’ve had the privilege of leading Red Teams for Fortune 500 companies, banks, governments, and large-scale enterprises, and I routinely advise law enforcement agencies across the country and other industry leaders on emerging threats posed by human vulnerability.

The constant evolution of technology has advanced the tradecraft of exploiting people, but the good news is that people can be trained to become the most effective line of defense in any organization. Let’s work together to turn your people into your strongest line of defense.
