Multitasking raises risk of phishing, study finds

In the information age, multitasking is often worn as a badge of honor. But according to new research led by Xuecong Lu, assistant professor of information security and digital forensics in UAlbany’s Massry School of Business, multitasking may also blind us to hidden threats, thereby increasing our chances of falling victim to cybercrime.

Published in the European Journal of Information Systems, Lu’s study centers on phishing—fraudulent emails designed to steal login credentials, personal information or money.

“Much of the existing research assumes that people are sitting quietly and focused when a phishing email arrives,” said Lu. “In reality, we are constantly multitasking—switching between messages, meetings and documents. That divided attention makes us more vulnerable.”

According to Forbes, criminals send an estimated 3.4 billion phishing emails every day. IBM has found that phishing-related breaches now cost businesses nearly $5 million per incident.

Cognitive load and phishing

The study used two experiments with nearly 1,000 participants to test how memory load affects phishing detection. When participants had to juggle complex memory tasks, their accuracy plummeted.

According to the research:

• High memory load reduces detection: When people were asked to juggle challenging memory tasks, they were far more likely to miss the warning signs of phishing emails
• Divided attention weakens judgment: Participants who split focus between multiple tasks struggled to separate legitimate messages from scams
• Simpler tasks improve accuracy: When the mental load was lighter, participants caught phishing attempts more consistently

“This shows that cognitive load is a critical factor,” said Lu, who teaches in the Department of Information Security and Digital Forensics at UAlbany’s Massry School of Business. “When your brain is already busy, you are more likely to miss red flags in an email.”

Prompts and framing cues

The study also tested whether reminders could help people stay alert. A short warning, such as “Be cautious, some messages may be phishing attempts,” improved detection, especially for emails that promised rewards.

The authors found that:

• Reminders refocus attention: A simple prompt was enough to offset some of the negative effects of multitasking
• Reward-style scams need extra caution: Gain-framed emails offering prizes or perks were easier to fall for unless participants were reminded to be careful
• Threatening messages drew scrutiny naturally: Loss-framed emails warning of penalties or account lockouts triggered more vigilance even without prompts

“These findings suggest that training and warning systems need to be context-aware,” Lu said. “We need interventions that reach people in the moment, when they are distracted and least able to spot danger.”

Smarter defenses

The financial stakes underscore why the research matters. According to IBM, the average cost of a phishing-related data breach is $4.88 million—a reminder that even a single click in a moment of distraction can be enormously expensive.

To reduce that risk, the study points to several practical strategies:

• Train under real-world conditions: Cybersecurity training should include scenarios that mimic the distractions employees face in daily work
• Build in just-in-time alerts: Pop-up reminders or security nudges can help users pause and reconsider before clicking
• Recognize emotional manipulation: Teaching people how scammers exploit urgency or the promise of rewards makes them less likely to fall victim

“Our research underscores that people are the last line of defense,” Lu said. “Technology can filter out many threats, but attackers know that humans are the weak link. By understanding how attention and memory work, we can build smarter systems that protect users even when they are not fully focused.”