Make a habit of monitoring your mail rules. Graphic design by Karen Clay

Every day, someone falls victim to an online scam, a bogus email, or another method used by cybercriminals to steal our identity, data, and/or money. Verizon, in its 2025 Data Breach Investigations Report covering 11/1/2023 to 10/1/2024, noted that human involvement was indicated in 60% of all cybersecurity breaches. Even the most tech-savvy of us have been fooled, so our level of tech knowledge does not make us immune to attack. “Why is this so?” you might ask. Depending on the way you look at it, the answer can be seen as unsettling or empowering. When we unwittingly wire money to fake tech support, click links in phishing emails, or share passwords with convincing impostors, we may afterward wonder, “How could I have been so foolish?” Well, the answer isn’t related to stupidity; it’s related to how our brains naturally make decisions via a concept called cognitive bias.

 What is cognitive bias?

A cognitive bias is a predictable mental shortcut your brain uses to make quick judgments and/or decisions. When we’re busy, distracted, or overloaded with information, our minds often rely on fast “rules of thumb” instead of slow, careful analysis. These shortcuts help us function day to day. For example, if we see dark clouds, we grab an umbrella without checking the weather report. When someone in a uniform gives us directions, we follow them without demanding credentials. Most of the time, these shortcuts serve us well, helping us navigate a complex world efficiently, but they can also lead us to misunderstand situations, over-trust the wrong signals, or act too quickly. Think of them as your mind’s autopilot. Scammers have learned to use these mental patterns as a vector of attack against us. Their mindset is: why “hack” our computers if they can hack our attention? Cognitive bias is the reason a message can feel urgent, true, and personal even when it’s completely fake.

 Scammers intentionally design messages to trigger our emotions and push us into making quick decisions. Here are some of the most common biases they exploit:

  1. Authority bias: We’re more likely to comply with people or organizations that seem official. A scammer might impersonate our bank, our boss, the IRS, a tech support agent, or even a church leader. The message looks professional and uses familiar language. When we receive such an email, e.g., one claiming to be from our bank’s security department, our brain automatically defaults to compliance, and we follow the instructions without questioning them.
  2. Urgency and scarcity bias: “Act now” is a scammer’s favorite phrase, and it can shut down careful thinking. A text might claim our account will be locked in 10 minutes or a package will be returned if we don’t click right away. The sense of urgency triggers panic and reduces verification. When we feel rushed or pressured, we trade accuracy for speed and fail to verify the information.
  3. Loss aversion: We don’t like losing money, access, reputation, or safety; however, we enjoy gaining something. That’s why “fraud alerts,” “unauthorized charge” messages, and ransomware pop-ups are so effective. The threat of loss can override our logic.
  4. Emotion (“affect heuristic”): Strong feelings become “evidence.” Fear, excitement, shame, or even romance can short-circuit good judgment. Sextortion emails, romance scams, and investment hype (“guaranteed returns!”) work because emotion narrows our focus and makes the scam feel real.
  5. Social proof: If it looks like other people are doing something, we assume it’s safe. Fake reviews, copied social posts, and “everyone is joining this platform” messages are built to create herd confidence and reel us in.
  6. Reciprocity: When someone does something for us, even something we didn’t request, we feel compelled to return the favor. That’s why scammers offer “free virus scans” or “complimentary account reviews.” Once they’ve “helped” us, asking for remote access or payment information feels reasonable.
  7. Commitment and consistency: Scammers often start small: “Confirm your email,” “verify this code,” and “fill out this form” are common tactics. Once we take the first step, we’re more likely to keep going, even if things start to feel off, because our brain wants to stay consistent.

The most sophisticated scams combine multiple biases in one communication. Imagine receiving an urgent text from your “bank” about suspicious activity, asking you to click a link to verify your identity. That message hits authority bias, urgency, and your existing fear of fraud. It creates a psychological “perfect storm” that may feel challenging to avoid.

While this may seem overwhelming and near impossible to address, there are steps we can take to limit our vulnerability to these scams. Stay tuned for Part 2, when we will reveal them!

Karen Clay, Clay Technology and Multimedia