
Phishing: What Makes Us Click?

PR0PH3CY (their username) is a professional hacker. Growing up, PR0PH3CY enjoyed taking part in minor hacking activities for fun, and over time the life of an illegal hacker became more appealing. Focused on phishing, they send messages to victims while posing as trusted entities, hoping to harvest personal data for financial gain. It's easy money, given PR0PH3CY's talent for exploiting human cognitive biases to convince victims to open the malicious links in their messages. Along with the risk factor, it's a real buzz when someone takes the bait.

Human error is the biggest risk factor in a business being targeted by cybercrime. 91% of successful data breaches stem from a single phishing attack [1]. Even the more tech-savvy among us can be tricked by these convincing scams, because of the psychology, such as cognitive bias, behind them.

How We Get Hooked, Hook, Line and Sinker 

Hackers like to tap into human cognitive biases: our unconscious tendency ‘for the human brain to perceive information through a filter of personal experience and preferences’ [2]. Using fear, authority and familiarity tactics, cyber criminals lure victims into clicking on malicious links or attachments to gain access to critical data and networks. These strategies are more effective when we have a hectic schedule, since we may then respond to an email or text without stopping to think.

Below are the top 9 cognitive biases that hackers use when instigating a phishing campaign [3]. (Infographic; the bias labels and example lures recoverable from it are listed here.)

  • Hyperbolic Discounting – “Here’s a free coupon”
  • Authority Bias – “Hey, it’s your CEO”
  • Halo Effect – “Message from Apple”
  • Loss Aversion – “Act now to save your credit score”
  • Recency bias (example lure not recoverable)
  • Ostrich effect (example lure not recoverable)

Further example lures shown in the infographic, whose bias labels are not recoverable: “Here is your daily delivery report”, “A 30% pay rise”, “Avoid coronavirus”, “Here is your secret offer – click here”, “You have 800 viruses”.

Understanding the use of cognitive bias within phishing attacks plays a key part in reducing the risk of human error compromising data security. Unlike IT systems, we can’t apply cybersecurity measures to the human brain to reduce our vulnerability to phishing attacks. However, we can train people to spot the tactics used by cybercriminals to help prevent users from being hooked. Hopefully, this could help avert a potentially devastating information security incident.

Put Up a Good Phish Fight by Creating a Cyber Secure Culture in Your Organisation

To mitigate the threat posed by the recent increase in cybercrime, employees need to understand their role in making positive security decisions and complying with cybersecurity policies. IT security awareness training equips staff with the essential knowledge to help identify cyber threats, reducing the risk of a data breach. 

In a recent trial, 38% of untrained end-users failed a simulated phishing test. After 90 days of regular training, this dropped to 14% of users. After a year of continued regular coaching, this declined to 5% of users [4].

(Figure: simulated phishing test results. First test: 38% of users failed. Second test: 14% of users failed. Third test: 5% of users failed.)

There are numerous benefits in deploying an IT security awareness program in an organisation:

  • Develops a proactive security-focused culture and prevents bad habits
  • Encourages staff to take responsibility for IT security
  • Reduces the risk of data and networks being affected by cyber threats, preventing downtime
  • Allows for a greater understanding of the cyber threats your employees face. This can then inform the implementation of a broader IT security strategy
  • Identifies high-risk users and educates staff on how to respond to threats
  • Ensures your business meets required regulations

To implement IT security awareness training in your organisation, NCI Technologies can help. We partner with a leading web-based training provider who offers relevant, modern and engaging training. This educates participants to make smarter security decisions to help protect your data and networks. Training is delivered in short and relevant bite-sized chunks to ensure knowledge retention and good cyber habits.

To find out more about our IT Security Awareness Training, read our blog ‘How to Make Your Staff the Last Line in Defence Against Phishing’. Or call us on 01326 379 497 or contact us here.


The initial paragraph of this blog is a work of fiction. Names, characters, business, events, and incidents are the products of the author’s imagination. Any resemblance to actual persons, living or dead, or actual events is purely coincidental.




[3] Security Advisor – A CISO’s Guide: Mitigating the Human Risk Factor – Understanding What Makes Us Tick




