The Psychology of Phishing: Why Do We Still Click?

Daniel is the CISO of a top financial technology firm in Abuja, Nigeria. Lately, his organisation has been working tirelessly to expedite the launch of a new product solution for its customers.

In line with this, Daniel has been eagerly awaiting a "Launch Approval" document from the CEO, acknowledging that all necessary security and compliance checks have been completed and that risks associated with the new product launch have been assessed and accepted.

As he casually reviews some logs on his system, his eyes widen in excitement as he notices an email from the CEO—the long-expected email.

“Finally, I can tell the Product team to proceed with the launch,” he thinks.

With a sense of relief, he clicks on the attachment. But instead of the official document, his screen displays an ominous message:

Those words send a shiver down Daniel’s spine. He, a top CISO, has fallen victim to a ransomware attack triggered by a phishing email.

How Daniel will navigate this crisis is a story for another day, but for now, let’s delve into the psychology of phishing.

What makes a phishing email so believable and hard to detect?

Why do individuals around the world still fall for such cleverly crafted traps?

What is the psychology behind it?


The Art of Manipulation

Phishing attacks are not just about technical tricks—they play on our emotions, desires, and psychological blind spots.

At their core, they rely on social engineering to exploit human behavior, creating urgency, trust, or fear to prompt action. The key to their success lies in their ability to imitate authority, credibility, and legitimate communication.

In Daniel’s case, the email appeared to be from the CEO, someone whose authority he trusts and whose messages he wouldn't question.

By creating a scenario that was aligned with his expectations—waiting for the product launch approval—the attacker capitalized on his eagerness and routine workflow. The subtle manipulation of context made the email appear harmless, even helpful.


Why We Click

Urgency and Fear

One of the most effective strategies in phishing is the use of urgency.

Messages that claim you’ve missed a payment, your account has been compromised, or you need to act fast to avoid negative consequences trigger our instinctive response to act quickly rather than carefully.

In Daniel’s situation, the urgency to launch the product made him lower his guard, and once the ransomware message appeared, fear took over.


Authority Bias

We’re conditioned to respect authority, whether it’s a boss, a trusted colleague, or even a brand we recognise.

Cybercriminals often impersonate high-ranking individuals within an organisation or well-known institutions because we are less likely to question the legitimacy of these communications. This is known as Whaling.

The attackers in Daniel's story used the CEO's identity to slip past his defences with ease.


Trust in Familiarity

'Phishers' know that humans are creatures of habit.

By mimicking familiar formats—such as company emails, invoices, or even casual internal memos—they exploit our trust in what we recognise.

In this case, the email came at just the right time, mirroring the format of previous legitimate communications Daniel had received, making it hard to distinguish from the real thing.


The Science of Persuasion

Cybercriminals often craft phishing emails with elements of persuasion based on psychological principles. Two of the most common are reciprocity and scarcity:

Reciprocity: We are more likely to respond to requests if we feel like we’ve been given something first. A common example is phishing emails disguised as reward offers, free gifts, or exclusive deals. These create a sense of obligation that prompts recipients to click.

Scarcity: Phishing messages often create a false sense of limited time or resources, pressuring recipients to act quickly. This tactic plays on the fear of missing out (FOMO), pushing individuals to make hasty decisions.
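The cues described in the last three sections (urgency, an impersonated authority, a familiar-looking format, and reward or scarcity language) are also what a defender's mail triage can look for before a message ever reaches someone like Daniel. The following Python script is an added example written for this article, not code from the author or from InfoAssure; the executive name, the domains, the keyword lists, the scoring weights and the two sample messages are all constructed for illustration.

```python
"""Heuristic phishing triage: scores an email on the psychological levers
this article describes (authority, urgency, reciprocity/scarcity) plus a
risky-attachment check. All names, domains and weights are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed term lists; a real deployment would tune them to its own mail.
URGENCY_TERMS = ("urgent", "immediately", "act now", "within 24 hours",
                 "final notice", "expires today", "last chance")
REWARD_TERMS = ("free gift", "reward", "exclusive offer",
                "you have been selected", "claim your")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".zip", ".iso",
                    ".docm", ".xlsm", ".html", ".lnk")

# Constructed organisation data: the internal domain and each executive's
# genuine address, so a display name on any other address stands out.
INTERNAL_DOMAIN = "fintech.example"
EXECUTIVES = {"Adaeze Okafor": "adaeze.okafor@fintech.example"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _terms_found(text: str, terms) -> list:
    lowered = text.lower()
    return [t for t in terms if t in lowered]


def score_email(raw: str, internal_domain: str, executives: dict) -> dict:
    """Parse a raw RFC 5322 message and return a score, verdict and reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()

    # Authority bias: an executive's display name on an address that is not
    # the executive's known one (lookalike domain, free-mail account, ...).
    for exec_name, known_addr in executives.items():
        if exec_name.lower() in from_name.lower() and from_addr != known_addr:
            score += 4
            reasons.append(f"display name '{from_name}' matches executive "
                           f"but address is {from_addr}, not {known_addr}")

    # Replies silently redirected away from the sender's domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        score += 2
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs "
                       f"from From domain {_domain(from_addr)}")

    # Urgency/scarcity and reciprocity language in subject and body.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n"
    text += body_part.get_content() if body_part is not None else ""
    if urgent := _terms_found(text, URGENCY_TERMS):
        score += 2
        reasons.append(f"urgency terms: {urgent}")
    if reward := _terms_found(text, REWARD_TERMS):
        score += 2
        reasons.append(f"reward/reciprocity terms: {reward}")

    # Attachment types commonly used to carry a first-stage payload.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            score += 2
            reasons.append(f"risky attachment type: {name}")

    verdict = "quarantine" if score >= 5 else "warn" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def build_sample(from_hdr, subject, body, attachment, reply_to=None) -> str:
    """Assemble a constructed MIME message so the example runs offline."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, "daniel@fintech.example", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    m.add_attachment(b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed: the CEO-impersonation mail from the story, and a genuine one.
PHISH_SAMPLE = build_sample(
    '"Adaeze Okafor" <adaeze.okafor@fintech-example.net>',
    "URGENT: Launch Approval - sign immediately",
    "Please review the attached approval immediately; the launch window expires today.",
    "Launch_Approval.zip", reply_to="launch-approvals@example-mail.net")
LEGIT_SAMPLE = build_sample(
    '"Adaeze Okafor" <adaeze.okafor@fintech.example>',
    "Launch approval attached",
    "Attached is the signed approval. Let me know if anything is missing.",
    "Launch_Approval.pdf")

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_email(sample, INTERNAL_DOMAIN, EXECUTIVES))
```

Each reason the scorer records maps to one of the levers above, which is the useful part for a security awareness programme: the same line that quarantines a message can be shown to the recipient as the red flag they should have questioned. The weights are deliberately crude; the point is that authority impersonation (the executive's name on an unknown address) alone is enough to hold a message, while urgency words by themselves only warrant a warning banner.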

Conclusion – The Human Factor

The reality is that no matter how advanced cybersecurity tools become, the human factor will always remain a critical vulnerability. Phishing relies on the natural tendencies of humans to trust, act quickly, and respond emotionally.

The best defense against phishing isn't just technology—it's fostering a culture of skepticism, vigilance, and awareness. Regular phishing simulations and training programs can help employees and individuals recognise red flags and question unexpected requests—even those from trusted sources.

And as for Daniel? The battle to undo the damage of that click has only just begun.

Tonito Tebamifor

Senior Consultant, Cybersecurity and Privacy | Cybersecurity Expert | MSc Cybersecurity | ISC2 | ISO 27001 | ISO 22301 | ISO 27701 | ISO 27017 | ISO 27032 | CDPO-GDPR

3 months

Well written, an engaging read, the introduction kept me glued. Thank you for sharing

Joshua A. Mustapha

Security Operation Analyst | Cloud Security Specialist | Python Developer

4 months

This is insightful
