What are common psychological tricks in phishing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Phishing doesn't work by tricking your technology. It works by tricking your brain. And your brain, under pressure, is predictably bad at spotting manipulation.

Here are the psychological levers attackers pull most often, and why each one is so effective.

Urgency and fear of loss. "Your account will be suspended in 24 hours. Act now." That line isn't accidental. Urgency forces a mental shortcut where your instinct is to fix the problem first and ask questions later. The tighter the deadline, the less time you spend checking whether the email is real. Fear of losing access, money, or status overrides careful thinking almost every time.

Authority impersonation. When an email appears to come from your CEO, IT department, or a government body, most people comply without questioning it. "I need this wire processed today" lands very differently in your inbox than the same request from a stranger. Attackers know that hierarchy creates automatic deference. They're not exploiting your stupidity. They're exploiting how organizations actually work.

Social proof. "All other employees have already completed this security update" does two things at once. It normalizes the action and implies you're the only holdout. Nobody wants to be the person who ignored a company-wide request. That social discomfort pushes people to click without verifying.

Reciprocity and obligation. "We've already extended your trial for free. We just need you to confirm your billing details to keep it active." This is the gift-before-ask move. Once someone feels they've received something, they feel obligated to give something back. In phishing, that "something back" is usually credentials or payment info.

Curiosity and flattery. "Someone shared a document with you" or "You've been mentioned in a report" are irresistible. Our brains are wired to close open loops. Attackers create that loop deliberately. Flattery works the same way. "You've been selected for early access" makes people feel special enough to lower their guard.

The honest truth is that most phishing training focuses on spelling errors and suspicious links. Those matter, but they miss the real vulnerability. The question your team should be asking isn't "does this look weird?" but "am I being rushed, flattered, or pressured right now?" Those feelings are the actual warning sign.

So if you're putting together team training, start with social engineering as the foundation. Then walk through urgency bias specifically, because it's the trigger underneath almost every other tactic. When people understand the emotional mechanics, they stop looking only at surface-level signals and start noticing when their own reaction feels off.

If your organization is working through an email security review or you're not sure where the gaps are, our SOS hotline is free and we're genuinely happy to talk it through.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Generate phishing training examples for my team

I want to train my team to recognize phishing psychology, not just bad grammar or suspicious links. Based on the tactics above (urgency, authority, social proof, reciprocity, flattery), can you give me: 1) a realistic example phishing email line for each tactic, 2) the psychological reason it's effective, and 3) a one-sentence question employees can ask themselves to break the spell in the moment?

Edit the yellow boxes, then send to the AI of your choice.