The Busy You is the Most at Risk: The "Dangerous One Click" Caused by Multitasking - Surprising Reasons for Falling for Phishing Emails

October 13, 2025 00:21

Introduction: Beyond the Endless Notifications

Zoom, Slack, spreadsheets, and unread emails. Spending most of our work hours in "simultaneous operation," we tend to overlook small discrepancies in emails. Recent research has shown that this "oversight" is not just a feeling but a phenomenon that can be reproduced in experiments. Distributed attention (i.e., multitasking) significantly worsens phishing detection. Instead of "heavy training," light nudges that work "in the moment" are effective against this weakness. This was a key point reported by Phys.org on October 11, 2025. (Phys.org)


Research Summary: What a Behavioral Experiment Involving About 1,000 People Revealed

The research was conducted by a team centered at Binghamton University and the University at Albany. Participants (about 977 people) engaged in a task to distinguish the authenticity of emails while under "working memory load." The results showed that the higher the load, the lower the phishing detection accuracy. Meanwhile, just inserting small reminders like colored warning banners at the top of the screen or short phrases like "This message might be a scam" improved detection even under multitasking conditions. (Phys.org)


Furthermore, the effectiveness of nudges varies depending on the "framing" of the message. Recipients are particularly susceptible to emails with "gain framing" that dangle rewards (e.g., "Receive a gift card now"), and nudges are effective against them. On the other hand, in cases of "loss framing" that include threats like "Account suspension within 24 hours," recipients are already more cautious, and additional nudges have limited effect. (techxplore.com)


This research is published in the European Journal of Information Systems (DOI: 10.1080/0960085X.2025.2548543). (Phys.org, techxplore.com)


Why Multitasking Makes Us Vulnerable: The Limited "Seats" of Working Memory

Unnatural email senders, awkward wording, suspicious link domains: picking up these "red flags" requires available seats in working memory. However, when juggling multiple tasks simultaneously, those seats quickly fill up. The experiment quantitatively demonstrated that this "full seat state" directly leads to rough judgments, i.e., overlooking phishing. The nudges proposed by the research team are designed to "free up just one seat of attention for a moment," based on this full-seat premise. Lightweight UI reminders like banners or short sentences are sufficiently effective, which is a practical insight. (techxplore.com)


From Heavy Annual Training to "In-the-Moment" Interventions

In response to the question, "Can employee education prevent this?" another large-scale study throws cold water on the idea. A team from UC San Diego tested 19,500 people in healthcare institutions over eight months and ten simulated phishing attempts, finding that annual training and "embedded learning right after being hooked" were both extremely ineffective, reducing click rates by only 2%. The conclusion was that "the current form of training has little practical value." (techxplore.com)


In this context, the "lightweight and context-adaptive nudges" and "embedding into everyday tools" advocated by the multitasking study appear as more cost-effective and practical measures than heavy classroom learning. As summarized by Phys.org and TechXplore, inserting "in-the-moment interventions" into existing workflows, such as Outlook warning banners, Slack/Teams integration, and prompts linked to schedule notifications, is key. (Phys.org)


Reactions on Social Media: "It's Real" and "Banner Fatigue?" Pros and Cons from the Field

 


Since the research was published, it has been spreading on X (formerly Twitter), starting from posts by university PR and the researchers. The official account of the University at Albany posted about the research, and Binghamton's PR also shared the gist: "Multitasking reduces detection, simple nudges work." (X, formerly Twitter)


Meanwhile, in the practitioner community, discussions are active, intertwined with reports from related studies skeptical about the effectiveness of heavy training. In Reddit's cybersecurity threads, there are many voices skeptical of annual training, with prominent opinions calling for "mechanisms to change behavior 'in the moment'" and "resource allocation to technical measures." (Reddit)


Alongside positive reactions, concerns from a UI/human ergonomics perspective are also shared, such as "design to avoid banner fatigue (getting tired of warnings)" and "nudge overuse might be counterproductive, since people are already cautious about threat-based (loss framing) messages." This aligns with the research's finding that "nudges are effective for gain framing." (techxplore.com)


Implementation Roadmap for the Field (Immediate Effectiveness × Low Cost)

  1. Email client warning banners tailored to the "type of suspicion" (stronger intervention for gain types). (Phys.org)

  2. Chat/calendar integration "reconfirmation prompts" that display "Is the URL you're about to open genuine?" right before and after meetings or during task switches. (Phys.org)

  3. Lightweight URL inspection tasks (highlighting domain names or re-entry) to intentionally slow down "one-click momentum." (arXiv)

  4. Enhancement of technical measures (enforcement of FIDO2/2FA, domain-linked password managers). (techxplore.com)

  5. Simulated training adjusted to be "context-synchronized": increasing distribution during busy slots and changing behavior "in the moment" with bundled nudges. (techxplore.com)

  6. Educational materials specialized in reward-based phishing (gain framing), always available as short videos or interactions. (techxplore.com)

  7. Human-centered KPIs (such as seconds taken for "open→read→decision") to avoid overuse of nudges.

  8. Assuming the rise of phishing in the AI era, adopt natural language generation for warnings and dynamic UIs (to counteract template-induced fatigue). (strongestlayer.com)
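
Roadmap items 1 and 3 can be combined in a small mail-gateway hook. The sketch below is an added example, not code from the study or from any product named in the article: the cue lists, the three nudge levels and the function names are assumptions chosen for illustration, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed cue lists (assumptions for illustration, not taken from the study).
GAIN_CUES = ("gift card", "reward", "prize", "bonus", "claim your")
LOSS_CUES = ("suspension", "suspended", "locked", "within 24 hours", "final notice")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
TAG_RE = re.compile(r"<[^>]+>")

def classify_framing(text):
    """Return 'gain', 'loss' or 'neutral' from simple cue counts."""
    t = text.lower()
    gain = sum(cue in t for cue in GAIN_CUES)
    loss = sum(cue in t for cue in LOSS_CUES)
    if gain == 0 and loss == 0:
        return "neutral"
    return "gain" if gain >= loss else "loss"  # ties get the stronger nudge

def link_findings(html_body):
    """Per link: the real destination host and whether the visible text names another host."""
    findings = []
    for href, label in LINK_RE.findall(html_body):
        host = (urlsplit(href).hostname or "").lower()
        shown = HOST_RE.search(TAG_RE.sub("", label))
        shown_host = shown.group(1).lower() if shown else None
        mismatch = shown_host is not None and shown_host != host
        findings.append({"host": host, "shown": shown_host, "mismatch": mismatch})
    return findings

def choose_nudge(subject, html_body):
    """Assumed policy: strong nudge for gain framing or a disguised link, light otherwise."""
    framing = classify_framing(subject + " " + TAG_RE.sub(" ", html_body))
    links = link_findings(html_body)
    if framing == "gain" or any(f["mismatch"] for f in links):
        level = "strong"   # colored banner plus a "confirm this domain" step
    elif framing == "loss" or links:
        level = "light"    # short one-line reminder only
    else:
        level = "none"     # no banner, to limit banner fatigue
    hosts = sorted({f["host"] for f in links if f["host"]})
    return {"framing": framing, "level": level, "highlight_hosts": hosts}

# Constructed sample messages.
GAIN_MAIL = ("Receive a gift card now",
             '<p>Claim your reward: <a href="https://rewards.example.net/claim">giftcards.example.com</a></p>')
LOSS_MAIL = ("Account suspension within 24 hours",
             '<p>Verify at <a href="https://login.example.org/verify">login.example.org</a></p>')
```

The `highlight_hosts` list is what a client would render in bold next to the banner, so the reader sees the real destination host rather than the link text.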


Conclusion: "Visualizing Attention" to Save People from Being the Last Line of Defense

We cannot eliminate multitasking. Therefore, we need to redesign the management of "attention," a finite resource. What this research has shown is the effectiveness of mechanisms that reclaim a second of human attention only at that moment, rather than piling on heavy education. By inserting minimal friction into the UI of everyday tools, we can prompt a "wait a minute" just before a dangerous click. Organizations are at a point where they should invest in such "lightness."


Reference Articles

Experiments show that multitasking makes it easier to fall for phishing emails.
Source: https://phys.org/news/2025-10-multitasking-fall-phishing-emails.html
