The psychological impact of phishing attacks on your employees


As we observe Stress Awareness Month, it’s important to recognize the toll that phishing attacks can take on individuals and organizations. These attacks have become increasingly sophisticated and widespread, with a staggering 92% of organizations falling victim to successful phishing attacks in the last 12 months. As cybercriminals continue to exploit human vulnerabilities through social engineering, the impact on employee stress levels is a growing concern that cannot be ignored.

The constant vigilance required to identify and avoid these attacks, along with the potential consequences of falling victim, can contribute to increased anxiety and decreased productivity in the workplace. Addressing this issue is of paramount importance, to protect both the wellbeing of employees and the security of sensitive information.

The role of fear in phishing attacks and cybersecurity culture

When it comes to phishing, attackers will deliberately use scare tactics or urgent messages to trick individuals into divulging sensitive information or taking a particular action. In doing so, they utilize psychological triggers to induce Type 1 thinking, which prompts people to act quickly, instinctively, and emotionally, often leading to errors. For example, an attacker may send an email claiming that the user’s account has been compromised and that they need to click on a link to change their password immediately or the account will be deactivated. In much darker scenarios, such as sextortion attacks, the cybercriminal will claim to have both compromised the victim’s email account and obtained explicit material of them, often alluding to this footage being of an embarrassing, illegal, or otherwise compromising nature, and threaten to send it to all email contacts. Even when they know this is an empty threat, employees have voiced concerns about the content of these emails.

And it’s not just cybercriminals who are causing anxiety among workers. Sometimes in the quest to ensure employees adhere to security protocols, organizations will instil a sense of fear. However, there is a line to be tread between security awareness and emphasising risk. Although it’s crucial for employees to grasp the significance of cybersecurity and the threats they face, it’s counterproductive to scare them, which may result in click paralysis.

While security awareness and training are important, organizations should avoid a blame-orientated culture when it comes to phishing. Severe, disproportionate punishments for not adhering to security protocols can often backfire, creating a culture of paranoia that can negatively impact both morale and productivity. In a study by Egress, 23% of phishing victims ended up changing jobs or being fired, perpetuating this culture.

This can lead to employees refraining from reporting attacks altogether, fearing repercussions or being seen as incompetent. This can leave the organization vulnerable to further attacks, as employees are too afraid to speak up, making it harder to prevent future incidents.

How phishing attacks impact job satisfaction

When individuals fall victim to a phishing attack, they may start to doubt their abilities and judgment, leading to a decrease in confidence and job satisfaction. The aftermath of a successful phishing attack can be emotionally draining, leaving people feeling embarrassed and ashamed. The fear of accidentally clicking a phishing email can affect a person’s performance and productivity at work. Even simulated phishing attacks can cause stress when employees are lured with fake promises of bonuses or freebies.

Furthermore, when phishing emails repeatedly get through security measures and are not neutralized, employees may view these as safe and click on them. This could ultimately lead to employees losing faith in their employer’s ability to protect them. Additionally, if employees are continually burnt out, they are up to 2.6x more likely to leave an organization in search of a less stressful work environment.

The toll of phishing attacks on workplace wellbeing

Cybercriminals are always evolving their email impersonation and business email compromise (BEC) attacks to get through Microsoft 365’s native security functionality and secure email gateways (SEGs). Without addition security controls, this leaves it down to individual employees to determine which emails are legitimate and which are phishing, with a single mistake exposing organizations to credential theft, data exfiltration, and fraudulent payments. Dealing with this constant stream of phishing attacks will take a toll on employee wellbeing.

Burnt-out employees are more likely to make mistakes, not pay attention, and overlook suspicious emails. Without proper training or support, employees may feel overwhelmed by the sheer volume of emails and messages. This could lead to increased stress and fatigue, which cause employees to lose focus and become less engaged in their work.

All these factors can make organizations more vulnerable to attacks. In the last year, 86% of organizations were negatively impacted by phishing incidents, with 54% suffering from financial losses because of subsequent customer churn, while 47% experienced reputational damage. It is no surprise that then that 99% of cybersecurity leaders reported being stressed about email security.

The need for a layered approach to email security

While it’s important for employees to be alert to threats, it’s essential that they are equipped with the right tools and knowledge to feel confident doing this rather than stressed. We recognize that even the most vigilant employees can make mistakes when they’re under pressure or feeling fatigued.

Organizations owe it to their employees to be proactive. To ensure employees are protected, they should implement advanced technology that uses Artificial Intelligence and Machine Learning models, such as Natural Language Processing (NLP) and Natural Language Understanding. These tools can detect even the most advanced phishing attempts and will serve as a safety net.

Additionally, organizations should see phishing incidents as a learning opportunity for employees. In the 2023 Gartner Market Guide for Email Security, the recommendation is to “reinforce training with context-aware banners and in-line prompts to help educate users.” By augmenting Microsoft 365 with real-time warnings that explain the risk to employees, safely showing employees what a phishing email looks like and improving employees’ cybersecurity knowledge in the moment.

Finally, it’s also important to take a supportive approach towards employees who fall victim to phishing attacks, fostering an open and trustworthy environment instead of a punitive one. When something goes wrong, the employees’ first instinct should be to call the security team, without fearing repercussions or thinking of hiding the incident. By doing so, organizations can not only improve their cybersecurity culture but also protect their employees’ mental wellbeing and job satisfaction.