Do you know that feeling of dread when you realize you’ve clicked on a suspicious link? I know it perfectly.
It has happened to me several times in the last year!
The positive aspect is that it happened in a secluded environment, as part of the periodic phishing training run by our company’s internal cybersecurity experts. The negative aspect is that it actually happened. And not just once.
This article highlights brain fatigue as a significant vulnerability exploited by phishing.
Phishing
Phishing involves fraudulent communications disguised as legitimate ones from trusted sources.
According to Verizon’s 2024 Data Breach Investigations Report, phishing remains one of the top three initial attack vectors, with social engineering involved in nearly 70% of attacks.
68% of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error. [source]
Another telling fact is that the median time for a user to fall for a phishing email is less than 60 seconds, which is why urgency is almost always present in a phishing email. [source]
These are interesting facts, but raw statistics don’t tell the complete story. Let’s dig further into why our brain betrays us at the worst moments.
Your Brain on Cognitive Fatigue
Phishing exploits three states we all experience:
- Brain Drain: After 8 hours of knowledge work, our ability to spot deception drops significantly.
- Task-Switching Tax: Without a proper break, every switch creates a moment of vulnerability.
- Decision Burnout: Knowledge workers make over 300 significant decisions daily. Each one chips away at our mental defenses. Sun Tzu’s ‘count your battles’ quote is now more relevant than ever.
Brain Autopilot and Cognitive Fatigue
Study: Investigating learning burnout and academic performance among management students: a longitudinal study in English courses. This study, among many others, points to the fact that our decision-making quality drops significantly (by up to 50%) during periods of cognitive exhaustion. This is alarming for drivers and medical workers, and here we highlight its impact on being caught by phishing attacks.
If we find ourselves thinking ‘what have we done in the last few minutes? I cannot remember a thing’, that’s usually a sign. The topic is complex and outside of my jurisdiction. What I did understand about the brain is that it always tries to achieve homeostasis.
The brain wants to conserve energy whenever it can, and autopilot mode is the default mode.
When you perform a task you have done many times before, the neural pathways involved become so well worn that they fire correctly without conscious effort, essentially turning on autopilot.
The brain leaves autopilot mode when a prediction fails. For example, if you are driving on a road you have driven many times, the brain automatically goes into autopilot, constantly predicting the future and preparing the necessary actions. You stay in your lane, see a red light, and the brain outlines what to do: tap the brake, change gear (if manual), and slowly approach the car in front. If an unpredictable event happens, say the car in front slows down but then accelerates and runs the red light, the brain immediately turns off autopilot and you enter the ‘conscious’ state.
Our ability to focus functions like a muscle. Following hours of intense mental work, fatigue sets in. Your brain can only work so hard before it stops producing results. The capacity differs from one individual to another, taking into account factors like rest and accumulated stress over time.
We will continue with a gym analogy because I find it easier to understand. If I think only about neurons and synapses, I rather quickly lose the ability to grasp reality.
Just as we can train a muscle to produce more and more, we can train our brain to be more resilient over time, but like any good gym program, we need to plan rest and breaks between sets.
We should also ask whether running it at full capacity, like training every day for the Olympics, is even worth it. Even in sports or weightlifting, apart from event day when you give 100% of what you have, on training days doing less often gives better results, as long as you keep doing something.
There is a lot of research on the subject. Understanding even a small bit about how the brain works will help us, let’s say, ‘collaborate better’ with it, even if we and our brains are one and the same.
You don’t need a full psychoanalysis of yourself, but there are several signs that help evaluate your state of fatigue, and some tips for dealing with it:
- The brain goes on autopilot. Now that we have explored autopilot mode, we can expect a similar mode when we are mentally drained. Fatigue can cause “autopilot errors” where well-learned neural pathways misfire or cross-connect.
- Analyze the previous tasks. We might have done them in a rush. Ask a few questions that may become important later: Was the task challenging and intricate, yet similar to my previous work? Was it simple, but did it take too much time? These questions help you reflect, evaluate what to tackle next, and avoid taking on one complex task after another without managing your internal resources.
- Step back and consider the bigger picture. How long have you been working on this, when did you take breaks, and what’s your plan to be better prepared in the future? Reflection alone won’t fix burnout, because taking days off only once the brain is exhausted, as a last resort, is often a little too late.
- We don’t really take breaks. Even when taking a break, we still overstimulate our brains. For a break to be effective, we need frequent breaks during the workday, at least five minutes to an hour. Many EU contracts stipulate breaks of ten minutes to an hour, but who has that luxury? When we stop working to use our phones and check social media, it may feel like a break; however, we’re still loading our brains with information, making them analyze and think, essentially doing light work.
- Answer this question: how much cardio or other exercise did I do in the past days? It depends, but a light workout every day is better than high-intensity workouts twice a week. Don’t get me wrong, any workout is better than no workout. So start small, or increase what you do, but we’ve seen it in the studies and tried it on our own bodies: working out eases stress and helps the brain tremendously. As we get older, it matters even more.
Now back to phishing.
Understanding Why Phishing Is Effective
Modern phishing attacks exploit how our minds work, and scammers make use of various psychological tricks:
- The Authority Hook. When a message appears to come from a position of power (your CEO, IT department, etc.), your brain’s natural respect for hierarchy kicks in.
- The Urgency Trap. Scammers create this artificial time pressure because they know it short-circuits our analytical thinking.
- The Familiarity Game. Modern attacks feel personal because they often are. Scammers mine social media and data breaches to craft messages that feel legitimate.
- The Context Trick. Mentioning real projects, colleagues, or events creates a sense of legitimacy.
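Two of the four hooks above, authority and urgency, leave traces in the message itself that a defender can flag before a tired reader acts on them. The Python below is an added example, not code from the original post: it assumes a hypothetical organisation domain example-corp.com and runs over constructed sample messages, holding any mail that shows two or more hooks for a fresh-eyed review.

```python
import re
from email.utils import parseaddr

# Assumption: the organisation's own mail domain; anything else is treated as external.
TRUSTED_DOMAINS = {"example-corp.com"}

# The Authority Hook: display names that claim a role or department.
AUTHORITY_RE = re.compile(r"\b(ceo|cfo|it (?:department|support|security)|helpdesk|hr)\b", re.I)
# The Urgency Trap: phrases that impose a deadline or threaten a consequence.
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|asap|within (?:the next )?\d+ (?:minutes|hours)|"
    r"(?:account|access) will be (?:locked|suspended|deleted))\b", re.I)

def sender_domain(from_header):
    """Lower-cased domain of the address in a From: header ('' if there is none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_trusted(domain, trusted=TRUSTED_DOMAINS):
    """True for a trusted domain or any of its subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True when an untrusted domain reuses a trusted domain's first label."""
    return not is_trusted(domain, trusted) and any(
        t.split(".")[0] in domain for t in trusted)

def assess(from_header, subject, body, trusted=TRUSTED_DOMAINS):
    """Return the hooks detected and whether the mail should wait for a rested review."""
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    hooks = []
    # A claimed role is only suspicious when the address is not the organisation's own.
    if AUTHORITY_RE.search(name) and not is_trusted(domain, trusted):
        hooks.append("authority")
    if URGENCY_RE.search(subject + "\n" + body):
        hooks.append("urgency")
    if is_lookalike(domain, trusted):
        hooks.append("lookalike-domain")
    # Two or more hooks: hold the mail rather than act on it while fatigued.
    return {"hooks": hooks, "hold": len(hooks) >= 2}

# Constructed sample messages (not real mail): (From header, subject, body).
SAMPLES = [
    ('"IT Department" <it-support@example-corp-login.com>', "URGENT: password expires",
     "Your account will be suspended within 2 hours unless you verify now."),
    ('"Company Events" <events@mail.example-corp.com>', "Summer team event",
     "Registration opens next Monday; details will follow."),
    ('"CEO Office" <ceo@example-corp.com>', "Quick question", "Can you call me when free?"),
]
```

The third sample shows why the authority check is tied to the sender domain: a role in the display name is normal when the address really is the organisation's own.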
Having ticked all four of them, I realize now that it could’ve been easier to spot. But at the same time, I won’t underestimate them.
My Story
The trap: Near the end of a long, complex week, I decided to “take a break” by clearing my inbox.
Working on demanding tasks makes us feel we are putting off not only important upcoming tasks but also trivial ones, such as answering MS Teams messages or emails from colleagues.
The cybersecurity colleagues disguised the email as a planned company event. Despite years of security training and technical know-how, I clicked the phishing link.
Mistake #1: Don’t use emails as a break; it’s not an actual break.
A cognitive break should mean a short disconnect from technology: actually stop using the computer or phone, and instead of staying stationary, walk (outside, if possible).
This may sound like basic advice that even toddlers could give, but trust me, especially when working from home with deadlines, seemingly insignificant actions like taking a moment to drink water, look out the window, or walk for a few minutes can feel counter-intuitive and unproductive, even though studies indicate the opposite. Breaks and disconnects often increase productivity and problem solving, especially when you’re not glued to the computer trying to solve a task. Easier to preach than to do.
Mistake #2: This usually spirals from the first mistake, but never underestimate how many mistakes you can make when fatigued. Fatigue significantly reduces cognitive capacity, and you can’t fix this by drinking more coffee.
This happened during mental fatigue, either between intensive tasks or near the end of the workday, when my brain was seeking the simple satisfaction of ticking off “email cleanup” from my to-do list. I didn’t see it as satisfaction so much as a ‘let’s solve as much as possible, so tomorrow we will have less work’. That always turns out right, doesn’t it?
Breaking Free: My Lessons Learned
After my close calls, I realized I couldn’t rely solely on staying alert. I needed systems to protect me from myself. Here’s what works for me:
- The Morning Rule: I try to read emails once daily, ideally in the morning when I’m fresh.
- The No-Action Promise: While I might read emails throughout the day, I never take urgent actions outside morning hours. This simple rule has saved me multiple times ever since.
Photo source: Christiaan Colen @ Flickr.