(Un)ethical persuasion: What cybercriminals know about influence and what we must learn

At Psybersafe, we often say that hackers don’t break in – they log in.
Not by out-coding your firewalls, but by outsmarting your psychology, slipping quietly through the human cracks.
In a recent keynote speech in Spain I talked about what makes people say ‘yes’ and how those same drivers are used both to protect and to exploit.
The key insight? Cybercriminals aren’t just tech-savvy; they’re masters of influence. And they’re using the same principles trusted by behavioural scientists and ethical marketers – just in reverse.
Here’s what they know: most of our decisions – up to 90% by some estimates – are made automatically, without deep thought. Nobel Prize-winning psychologist Daniel Kahneman described this in his book Thinking, Fast and Slow as System 1 at work. System 1 is fast, intuitive, and loves a shortcut. Crucially, it’s the system we rely on most in today’s fast-paced digital world, where we’re busy, distracted or under pressure. System 2, on the other hand, is our slow, complex, careful, evaluative way of thinking. The issue is that our brains have evolved for survival and efficiency and, therefore, for speed, not accuracy. So where they can, they prefer shortcuts and automatic thinking over effortful, ponderous thinking. Which means that if we can be moved into System 1 thinking, we won’t think carefully about what’s being presented.
In essence, the very same techniques used by professional persuaders – grounded in solid behavioural science – are also exploited by cybercriminals. The difference? One applies them ethically to inform and help; the other, manipulatively to deceive and harm.
How does it work?
Take the classic phishing email. It mimics authority: ‘Your IT administrator requires action’, triggers urgency: ‘Account suspended unless verified in 24 hours’, and creates scarcity: ‘Only one chance to reset’. These are known influence principles – authority, scarcity, and urgency – used unethically.
Now imagine you’re busy. You’ve got 34 tabs open. A meeting in five minutes. Do you stop and assess that email using careful, slow, evaluating, System 2 thinking? Or do you click, trusting the mental shortcuts that usually serve you well?
This is the cybercriminal’s dream scenario. They're not breaking passwords. They’re breaking decision-making patterns.
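The three cues in the phishing email described above can be turned into a simple prompt for System 2 scrutiny. This is an added example, not Psybersafe's code; the phrase patterns, function names and sample messages are constructed for illustration.

```python
import re

# Cue patterns per influence principle. The phrase lists are illustrative
# assumptions, not a vetted detection ruleset.
CUES = {
    "authority": [r"\bit (administrator|department|support|helpdesk)\b",
                  r"\b(ceo|director|security team)\b",
                  r"\brequires? (your )?(immediate )?action\b"],
    "urgency": [r"\b(within|in) \d+ (hours?|minutes?|days?)\b",
                r"\b(immediately|urgent(ly)?|right away)\b",
                r"\b(suspended|locked|disabled) unless\b"],
    "scarcity": [r"\bonly one (chance|attempt)\b",
                 r"\b(last|final) (chance|notice|warning)\b",
                 r"\bonly \d+ (left|remaining)\b"],
}

def find_cues(text):
    """Return {principle: [matched phrases]} for every principle that fires."""
    lowered = text.lower()
    hits = {}
    for principle, patterns in CUES.items():
        matched = [m.group(0) for p in patterns for m in re.finditer(p, lowered)]
        if matched:
            hits[principle] = matched
    return hits

def needs_second_look(text, threshold=2):
    """Flag messages that stack several pressure principles at once."""
    return len(find_cues(text)) >= threshold

# Constructed samples built from the phrases quoted in the article.
PHISH = ("Your IT administrator requires action. Account suspended unless "
         "verified in 24 hours. Only one chance to reset.")
BENIGN = "Minutes from Tuesday's planning meeting are attached for review."

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("benign", BENIGN)):
        print(name, find_cues(msg), needs_second_look(msg))
```

A single cue on its own is common in legitimate mail, which is why the flag only fires when several principles are stacked in one message.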
What does ethical influence look like?
Cybercriminals’ use of persuasive psychology is why effective cybersecurity training can’t be just about rules and policies. It must also teach people how their own psychology is being played. That means not just saying ‘don’t click that link’ – but showing them why they want to make the decision not to click.
At Psybersafe, we train people using interactive stories that engage System 1 while encouraging System 2 – our slower, more reflective brain – to catch up. It's persuasion for protection, not manipulation.
This isn't just theory. Research shows how small tweaks – like being introduced by an expert or simply stating how many others have already acted in the same way – can significantly increase compliance. In a cybersecurity context, this means we can design prompts that make secure behaviour easier and more natural. It also means we can help people to guard against attempts by bad actors to use this type of psychology.
So, the next time you feel pressured to act quickly online – pause. Ask yourself: is this System 1 reacting? Or does this deserve a little System 2 scrutiny? Your personal security, or the security of the company you work for, might depend on the answer.
The takeaway? Influence isn’t good or bad – but the way it's used can result in good or bad outcomes. The same psychological science that helps us teach safer behaviours can also be weaponised by attackers.
That’s why your cybersecurity training shouldn’t just teach what to click or avoid. It should teach how decisions are made in the first place.
Persuasion is a powerful business skill – and an even more powerful line of defence. At Psybersafe, we’re working with companies of all sizes across the UK and Europe to give their people the knowledge they need to make better cybersecurity decisions every day. Learn more at psybersafe.com/blog
At Psybersafe, we make it easy: short, fun monthly episodes that help your team build stronger habits without even breaking a sweat. If you want to come back from holiday to good news (and not a cyber mess), drop us a line.
We love behavioural science. We’ve studied it and we know it works. If you want to know more about the science of persuasion and influence, and behavioural science in general, have a look at our sister site: https://influenceinaction.co.uk/
Mark Brown is a behavioural science expert with significant experience in inspiring organisational and culture change that lasts. If you’d like to chat about using Psybersafe in your business to help to stay cyber secure, contact Mark today.