How phishing attacks trick our brains

Why you’re more of a sucker than you think.
Google security Titan key. Photo: Google

It’s simple and effective: getting someone to click a malicious link in an email and enter private information such as a password is the most important skill in many hackers’ toolkits. Phishing is the most common form of cyberattack and still growing.

And the reason it’s so effective, according to research being done at Google and the University of Florida, is that it takes advantage of how the human brain works—and, crucially, how people fail to detect deception, depending on factors like emotional intelligence, cognitive motivation, mood, hormones, and even the victim’s personality.

“We are all susceptible to phishing because phishing tricks the way our brain makes decisions,” Daniela Oliveira, an associate professor at the University of Florida, said on August 7 at the Black Hat cybersecurity conference in Las Vegas.

The problems begin with awareness: 45% of internet users don’t even know what phishing is, according to Oliveira and Google researcher Elie Bursztein.

Mood plays a role: people who are feeling happy and not stressed are less likely to detect deception in front of them. Cortisol, a stress hormone, increases vigilance and makes detecting a deception more likely. Serotonin and dopamine, hormones associated with positive feelings, can lead to risky and unpredictable behavior that makes people more vulnerable.

Phishers can also be exceptionally good at crafting messages meant to persuade a person to click. Authority is among the most common and effective weapons—for instance, an email that claims to be from the company CEO, asking an employee to provide some information by clicking a link. Other tools include a gain/loss framing—for instance, a refund opportunity from Amazon.

Some of the most pointed phishing emails play on emotion. After the devastating and record-breaking California wildfires in 2018, Google saw an instant wave of emails asking for money to help victims. Emotional cues—for instance, promises to match donations for people left homeless—impaired the recipients’ ability to focus on the content and the clues that the email was a deception. By triggering this emotional response, the hackers got people to suspend their skepticism.

That doesn’t mean the only defense against phishing is to be a permanently stressed-out and cynical ball of anger. Healthier and more effective is to enable two-factor authentication for each of your important logins (email, online banking, social media, shopping sites, etc.). Here's a list of all the sites that support two-factor authentication.

When it’s enabled, the system asks you for something in addition to a password when you log in, such as a code sent to your phone via text message, a code from an authenticator app, or a physical security key on a USB stick (the most secure method of all, according to recent research). That way, if you’ve inadvertently given your password to a hacker in a phishing scam, they still won’t be able to log in to your account. Last year, Google said that fewer than 10% of its users had two-factor authentication enabled on their accounts.
