Arrow back

The psychology of phishing

30 March, 2023

Even if you think you know nothing about cybersecurity, you’ll certainly have encountered phishing before.

It’s the most common type of attack, with more than 3.4 billion phishing emails sent daily globally. That’s around 1% of all emails.

The reason why is simple: they can be devastatingly effective. Typically posing as a legitimate source, they trick unsuspecting users into giving away their private information like passwords, bank details and credentials.

While the technical aspects of phishing attacks are important, the psychological tactics that make them successful are arguably the most important of all.

In this blog, we’ll pull back the curtain on the psychology of phishing and reveal why it's so effective.

What psychological tactics do phishing attacks use?


First and foremost, it's essential to understand that phishing attacks exploit our human nature. We are wired to trust and seek connections with others, which is precisely what cybercriminals take advantage of.

They prey on our innate desires to be helpful, cooperative, and friendly.

They may create an urgent situation that requires immediate action, such as threatening to lock us out of our accounts or promising a fantastic reward.

They may even impersonate someone we know, like a colleague or a friend, to create a false sense of familiarity and trust.


Another psychological tactic that cybercriminals use is the principle of reciprocity. We tend to feel obligated to return a favour when someone has done something for us.

For example, your email domain company notices suspicious activity and warning you, your local gym or children’s sports club, saying you haven’t updated your emergency contacts for a while. It might seem like someone doing something for you, but in reality, it’s to convince you to do something for them.

Need & greed

We’ve all received emails and messages offering great discounts and special offers. Cybercriminals know this and mask many of their attacks behind such offers. In many cases, this could be a gift or a prize; we are so thrilled by the offer we don’t think to stop and check if it’s legitimate.

An offer may seem too good to be true, but it's often hard to resist the temptation of getting something for nothing.


The principle of authority is also an effective tool for cybercriminals. We are conditioned to follow and obey authority figures, such as our bosses or government officials.

Cybercriminals may impersonate a person of authority, like a bank executive or an IT administrator, to create a sense of urgency and pressure us into giving up our information.


Cybercriminals also use the principle of social proof to make their attacks more convincing. Social proof refers to the tendency to follow the crowd and do what others do.

Cybercriminals may use social proof by sending out fake messages that appear to be from a reputable source, such as a well-known company or a government agency.

By using the brand recognition of a trusted name, cybercriminals can create a false sense of security and convince us to take action.

Protect your organisation with truly effective training

Join the thousands who've discovered how Bob's Business' security and compliance awareness training reduces risk, demonstrates improvement and builds cultures.

Scarcity & urgency

Scarcity refers to the idea that people tend to place a higher value on rare things or in limited supply.

Cybercriminals may use scarcity by creating a sense of urgency, such as claiming that a limited-time offer is about to expire or that only a few items are left in stock. Cybercriminals can pressure us into taking action without thinking things through by making us feel like we may miss out on something valuable.


In addition to these psychological tactics, cybercriminals also rely on human error. They know that people are busy and often distracted, so they send out messages that are designed to look like legitimate emails or websites.

They may use subtle variations in domain names or logos that are slightly different from the real ones. Cybercriminals can trick even the most diligent person into falling for their scams using these tactics.

So, what can we do to protect ourselves from phishing attacks?

The first step is to be aware of cybercriminals' tactics, such as those mentioned above.

By understanding the psychological principles behind these attacks, we can be more vigilant and less likely to fall for them:

  • Be wary of messages that ask for personal information, especially if they come from an unknown source.
  • Double-check the sender's email address or contact the company to verify the message is legitimate.
  • Keep software up to date and use strong passwords. Cybercriminals may exploit vulnerabilities in your software to gain access to our systems or try to guess your passwords. By keeping software updated and using unique and complex passwords, you can reduce the risk of these attacks being successful.
  • Use two-factor authentication (2FA). 2FA adds an extra layer of security by requiring a second form of authentication, such as a code sent to our phone, alongside your password. This makes it much more difficult for cybercriminals to access accounts, even if they do manage to obtain passwords.
  • Always be cautious when clicking on links or downloading attachments, especially if they are unexpected or come from an unknown source. Cybercriminals often use these tactics to deliver malware or gain access to your systems. By hovering over links to see where they lead or scanning attachments with antivirus software, you can reduce the risk of falling for these traps.

The psychology of phishing can be complex, but by understanding the tactics that cybercriminals use, we can better protect ourselves and our businesses from these attacks.

By being aware of our innate desire to trust and connect with others as well as principles like reciprocity, authority, social proof, and scarcity, we can be more vigilant and less likely to fall for these scams.

How Bob’s Business can help protect your organisation

Protecting ourselves from phishing attacks is crucial in today's digital world, and that's where Bob's Business comes in.

At Bob's Business, we understand the importance of cybersecurity and offer unique, engaging online training to empower everyone in your team to identify and respond to phishing attacks, protecting your business from the 90% of breaches that occur due to human error.

Our innovative and award-winning simulated phishing training is the best way to reduce your risk of a team member falling victim to a phishing attack. How? By sending specially tailored phishing emails that utilise the methods laid out above, and directing those that click towards our engaging and effective training.

Take action now to protect your business and your customers from cyber threats. Click here to learn more about Bob's Phishing and start reducing your risk today with Bob's Business.

Back to resources

Ready to build your cybersecurity culture?

Whether you’re looking for complete culture change, phishing simulations or compliance training, we have solutions that are tailor-made to fit for your organisation.

Girl with laptop
Boy with laptop
man and woman with laptops
Global Cyber Alliance