When inboxes, notifications, and multiple screens all compete for attention, the risk of missing a phishing scam rises dramatically, according to new research.
A study of faculty at Binghamton University, State University of New York's School of Management, shows that multitasking significantly undermines people's ability to spot fraudulent emails — but a simple, well-timed reminder could make all the difference.
The study, published in the European Journal of Information Systems, tested 977 faculty participants in simulated multitasking conditions. Participants were asked to memorize work-related details or numbers, their “primary task,” while identifying phishing messages, a “secondary task.” When working memory was overloaded, phishing detection accuracy dropped significantly. But when participants received small, timely reminders — brief notifications that flagged risk cues — their accuracy improved even while multitasking.
“When working with multiple screens, your attention will never be fully focused on one screen or one particular email, especially when handling urgent tasks. If you want to reply to that email quickly, ignoring those red flags in a phishing email is easy,” said study co-author Jinglu Jiang, an associate professor in Binghamton's School of Management. “We designed a plan for a very simple notification system to nudge people about the risk factors, so hopefully phishing messages don't get lost in the shuffle and people can more efficiently detect them.”
The findings offer a practical way for organizations to help employees avoid costly mistakes without disrupting workflow. Rather than retraining workers or introducing heavy-handed procedures, researchers recommend lightweight nudges — such as a colored warning banner above an email or a quick reminder like “this message may be fraudulent — take a second look.” These cues, when delivered during moments of distraction or task-switching, can help refocus attention right when vigilance tends to lapse.
The research also found that not all phishing messages are equally deceptive. “Goal activation” cues were particularly effective for scams framed as potential gains — messages offering rewards like “claim your gift card now.” But fear-based “loss” messages, warning users their account might be locked, already triggered a higher degree of caution and were less affected by additional reminders.
This nuance, the study suggests, should shape how organizations approach cybersecurity training. Instead of blanket warnings, adaptive systems could vary reminder frequency depending on message type, avoiding unnecessary alerts that lead to fatigue.
The study comes as authorities and industry watchers warn of surging phishing attempts — both business and personal — since AI tools have become widely available, making them both more numerous and more sophisticated.
“The techniques used by these phishers become more sophisticated every day; they're using fake accounts and, in many instances, masking the sender's identity,” Jiang said. “Our study shows that phishing detection can sometimes plummet under multitasking, and then those threat-based, loss-based messages are hardest to detect, no matter what you do. But those little reminders, nudging methods, can actually be very helpful.”
The researchers recommend that employers and IT teams integrate nudges directly into daily-use tools — from Outlook or Gmail banners to Slack or Teams pop-ups — and design phishing training around realistic multitasking conditions. In a world of constant digital noise, the right reminder at the right moment may be the simplest way to stop scams in their tracks.