������ý

Picture this: You’re on a Zoom call, Slack is buzzing, three spreadsheets are open and your inbox pings. In that moment of divided attention, you miss the tiny red flag in an email. That’s how phishing sneaks through, and with 3.4 billion malicious emails sent daily, the stakes couldn’t be higher.

A new study involving ������ý’s School of Management (SOM) shows that multitasking makes phishing detection significantly worse: When people are overloaded with information, their ability to notice suspicious cues drops. But the study also points to a surprisingly simple solution: timely, lightweight nudges that can redirect attention when it matters most.

“When working with multiple screens, your attention will never be fully focused on one screen or one particular email, especially when handling urgent tasks. If you want to reply to that email quickly, ignoring those red flags in a phishing email is easy,” said SOM Associate Professor Jinglu Jiang, who co-authored the study. “We designed a plan for a very simple notification system to nudge people about the risk factors, so hopefully phishing messages don’t get lost in the shuffle and people can more efficiently detect them.”

The experiments, conducted with 977 participants, simulated common multitasking scenarios. Participants memorized work-related details or numbers (their “primary task”) while being asked to spot phishing messages (a “secondary task”).

Researchers found that phishing detection accuracy plummeted when working memory load was high. However, when researchers introduced brief reminders, participants’ detection performance improved even under heavy multitasking.

These reminders don’t require overhauling workflows. For example, while juggling multiple spreadsheets or messaging apps, an email client might display a colored warning banner at the top of a suspicious message.

During calendar notifications or task switching, a small system nudge such as “this message may be fraudulent — take a second look” could redirect attention. By using these cues at moments when workers are distracted or overloaded, organizations can help employees refocus on phishing detection precisely when they are most vulnerable.

The study also found that not all phishing messages are equal. “Goal activation” cues (like reminders) are especially helpful for gain-framed messages that promise rewards, such as “claim your gift card now.” In contrast, loss-framed messages (“Your account will be locked in 24 hours”) often trigger vigilance on their own, reducing the benefit of an extra reminder.

This insight suggests organizations should avoid blanket reminder strategies that risk overwhelming employees, according to the study. Instead, organizations can design content-aware notifications, like nudges that adapt to the type of phishing attempt.

As phishing grows more sophisticated, Jiang said, organizations that adapt with just-in-time, content-aware interventions will be far better positioned to protect their people and data.

“The techniques used by these phishers become more sophisticated every day; they’re using fake accounts and, in many instances, masking the sender’s identity,” Jiang said. “Our study shows that phishing detection can sometimes plummet under multitasking, and then those threat-based, loss-based messages are hardest to detect, no matter what you do. But those little reminders, nudging methods, can actually be very helpful.”

For employers, IT managers and security trainers, the study offers recommendations:

• Embed nudges into daily tools, from Outlook banners to Slack or Teams integrations.
• Customize by content: Deliver more reminders for tempting, reward-based scams.
• Train for reality: Most phishing training assumes undistracted users, but real-world employees always multitask, so training should reflect that.

The study, “Phishing detection in multitasking contexts: the impact of working memory load, goal activation, and message framing cue on detection performance,” was published in the European Journal of Information Systems. It was co-authored by Xuecong Lu from the University at Albany, and Milena Head and Junyi Yand from McMaster University in Canada.