Logos change, tactics don’t. Scammers lean on human psychology to rush decisions and bypass common sense. If your team can spot the script, they’ll ignore the costume. Use the six patterns below in a short lunch-and-learn. Read the example aloud, then rehearse the better response line until it’s natural.
Urgency: “act now or lose access”
Example: Final reminder: your store account will be suspended in 12 hours. Verify now to prevent order failures.
Why it works: urgency narrows focus; people trade accuracy for speed.
Better response line: “If it’s real, I’ll see the notice after I sign in the normal way.” Then open the site yourself — no email links.
Authority: “IT/security/accounting says…”
Example: From: Security Team. Subject: Mandatory verification for payment gateway. Complete the form today.
Why it works: people obey official-sounding instructions, especially under time pressure.
Better response line: “I’ll confirm through our usual channel.” Then ping the real team in your chat tool or open the official portal.
Curiosity: “you missed a delivery / invoice / voicemail”
Example: New invoice attached for your last order. Please review.
Why it works: a small mystery demands resolution, especially for customer-facing staff.
Better response line: “We don’t open unknown attachments. I’ll look up the order in our system instead.”
Scarcity: “limited slots / final window”
Example: Payment provider upgrade — last window to keep reduced fees.
Why it works: fear of missing out pushes quick clicks.
Better response line: “Discounts don’t expire by email link. I’ll check our provider account for any offers.”
Reciprocity: “we did something for you, now click to confirm”
Example: We’ve extended your storage at no cost. Click to accept.
Why it works: a gift primes compliance; people feel obliged to reciprocate.
Better response line: “Free upgrades appear in the account, not just email. I’ll log in directly to confirm.”
Social proof: “everyone’s doing it”
Example: All staff have completed the new security check. Only your account remains.
Why it works: people follow the herd to avoid standing out.
Better response line: “If this is a real rollout, it will be announced in our usual channel. I’ll ignore the link and check there.”
How to run the 20-minute lunch-and-learn
Set the scene in one minute: phishing is persuasion, not technology.
Read each example out as if it landed in your inbox. Ask, “what button is it pressing?”
Have the team say the better response line together. The aim is a reflex, not a lecture.
Finish with one rule everyone can remember: stop, check, choose. Stop before clicking. Check the sender and the real link. Choose a safer route by opening the site yourself.
Make it stick in everyday work
Keep links out of your processes where you can. Staff should reach critical services through saved bookmarks, not links in emails.
Give finance and fulfilment teams pre-approved scripts for suppliers and customers: how to confirm bank-detail changes, how to refuse attachments, and how to ask for an order number before opening anything.
Turn on the Report phishing button in your mail app and celebrate the first person to spot a phish each month. Tiny rewards build a reporting culture.
If someone clicked
No blame, just action. Change the password for that account and any account that reused it, enable multi-factor authentication, scan the device, and check mail-forwarding rules. Tell finance to watch for payment-diversion attempts. If bank details were changed or money moved, call the bank immediately to start a recall.
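One way to do the "check mail-forwarding rules" step for a compromised Microsoft 365 mailbox, as an added example that is not part of the original article. It assumes Exchange Online PowerShell (the ExchangeOnlineManagement module); the article names no particular mail platform, so adapt it for yours.

```powershell
# Added example, not from the original article. Assumes the affected user
# is in Microsoft 365 and you are connected with Connect-ExchangeOnline.
param([Parameter(Mandatory)][string]$Mailbox)

Connect-ExchangeOnline

# 1. Mailbox-level forwarding: an attacker who took the account may have
#    set the whole mailbox to forward a copy of every message outside.
$mb = Get-Mailbox -Identity $Mailbox
[pscustomobject]@{
    Mailbox                    = $mb.PrimarySmtpAddress
    ForwardingSmtpAddress      = $mb.ForwardingSmtpAddress
    ForwardingAddress          = $mb.ForwardingAddress
    DeliverToMailboxAndForward = $mb.DeliverToMailboxAndForward
} | Format-List

# 2. Inbox rules that forward, redirect or silently delete mail. Such rules
#    are the usual way a phisher hides replies from a bank or a supplier.
$suspicious = Get-InboxRule -Mailbox $Mailbox | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
if ($suspicious) {
    Write-Host "Rules that forward, redirect or delete mail in $Mailbox :" -ForegroundColor Yellow
    $suspicious | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
                                RedirectTo, DeleteMessage | Format-List
} else {
    Write-Host "No forwarding, redirect or delete rules found in $Mailbox."
}

# 3. Remediation is deliberate, not automatic: review the output with the
#    user, then clear mailbox forwarding and disable any rule they did not
#    create. Keep the rule (disabled) as evidence rather than deleting it.
#   Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null `
#       -ForwardingAddress $null -DeliverToMailboxAndForward $false
#   Disable-InboxRule -Mailbox $Mailbox -Identity '<rule name from output>'
```

Run this before the password change is considered finished: a forwarding rule survives a password reset and keeps leaking mail until it is removed.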
Call to action
Run our 20-minute lunch-and-learn. Use the examples, the scripts, and our printable one-pager so your team remembers the lines that keep your store safe.