In my last article, I talked about cognitive bias and its role in the success of scams and other cyberattacks. I defined cognitive bias as a predictable mental shortcut your brain uses to make quick judgments and/or decisions, especially when you’re busy, distracted, or overloaded with information.
Knowing that scammers intentionally exploit our cognitive biases in crafting their attacks to push us into fast decision-making, I offer the mnemonic S²TOP (Stop, Switch, Talk, Own, Protect) to help you train your “scam reflex” and resist the temptation to respond.
So, let’s paint a scenario: It’s Friday and you’ve just arrived home from work after a long work week. You prepare a quick dinner and drop onto your couch with a sigh, balancing the dinner in one hand and your phone in the other. You’re looking forward to zoning out in front of the TV when your phone buzzes. It’s an email/text alert stating:
“Suspicious activity detected. Your account will be frozen in 10 minutes. Tap here to secure your account immediately: [link]”
Your first thought is, “Ten minutes?!? I can’t afford for my account to be frozen! I have bills I have to pay!” Your cognitive bias kicks in and the urge to tap the link is instant, but now your brain has been “rewired” to pause and S²TOP before clicking. You implement the steps below and are grateful to discover that this time you did not succumb to the perceived emergency. Just thinking, “STOP!” broke the urge to act quickly without assessing the communication and engaging in the steps outlined below.
Stop: This is your first and most important move. When a message feels urgent, scary, or exciting, pause before you act. Move away from your computer, phone, or device. Take 30 or so seconds. Breathe. Most importantly, don’t click, don’t reply, don’t pay. See urgency words like “IMMEDIATELY,” “FINAL NOTICE,” “LAST CHANCE” as warning labels, not commands. Use a phrase like: “Stop. Is this trying to rush me?”
Switch: Now that you’ve stopped, switch channels to verify. Do NOT use links, phone numbers, or email addresses inside the suspicious message. Instead:
- Type your bank or service’s web address yourself.
- Call the number on the back of your card or from the official site.
- Open the app you usually use (banking, delivery, payroll, etc.). If the issue is real, you’ll see it there. If you don’t, it’s likely a scam.
Talk: Don’t decide in a vacuum. Talk it out instead. Call your bank, HR, or the person supposedly making the request using a known-good number. If it’s about a friend or family member, contact them directly or another trusted person to confirm. Are you feeling unsure? Run it by a tech-savvy friend or family member and ask them if it looks legit. Talking breaks the emotional “tunnel vision” scammers depend on and redirects your behavior away from reacting and toward stopping, switching, and verifying the communication or notice with another human.
Own: Take ownership of your codes, passwords, and PINs. They are yours with no exceptions. Never share them in situations you did not initiate. This includes one-time codes or passwords (text or app codes), PINs, full card numbers, or online banking login details. Remember that legitimate companies do not ask you to read security codes back to them. If someone pressures you, that’s your cue that you’re in scam territory.
Protect: “Back up” your brain by implementing tools and clear rules:
- Turn on multi-factor authentication (MFA) for email, banking, social media, etc.
- Use a password manager so every account has a unique, strong password.
- Keep your devices and apps updated to close any security holes.
- Turn on account and transaction alerts so you catch problems fast.
- Make personal rules like:
  - “I never move money based only on an email or text.”
  - “I never pay surprise requests with gift cards or crypto.”
  - “I never respond to email or text requests from friends/family without independently verifying its authenticity with them.”
Put together, S²TOP (Stop, Switch, Talk, Own, Protect) becomes your scam-defense playbook. Memorize it, and you give your brain a simple script to follow when a message feels off. This, hopefully, rewires your brain to “question and verify” rather than “click and regret.”

Courtesy, Karen Clay
