The red flags aren't on your screen anymore
There was a time when phishing was easier to spot. The grammar was off. The greeting was vague. The tone felt wrong. You could usually sense something wasn't right.
That's changed.
Now the message sounds polished, relevant, and oddly familiar. It might mention a real colleague, a live project, or a deadline you're already stressed about. It may even arrive as a video or voice call, with a face and a voice that look completely convincing. That's what makes this shift so significant. The attack no longer relies on obvious mistakes. It relies on trust.
And more specifically, on how easily trust can be manufactured.
The death of the "obvious"

Modern phishing is personal. Attackers spend time on LinkedIn or company "About Us" pages looking for a hook that feels familiar. When a message references a project you're genuinely worried about, your brain stays in fast mode. You don't stop to analyse, because it feels like it belongs in your inbox.
Then there's the "seeing is believing" problem. We're wired to trust our eyes. When a deepfake CEO looks at you through a webcam, your brain automatically assigns them an identity. That biological shortcut is now being hijacked.
How they hack your habits
The technology has improved. The psychology hasn't changed much at all.
Modern phishing still follows the same behavioural patterns Robert Cialdini identified in his principles of influence: people are more likely to comply when something feels urgent, familiar, socially approved, or tied to authority. Attackers know this, and they build messages around it.
That's why phishing works so often. Not because people are naïve, but because the request has been designed to feel reasonable in the moment.
They no longer just hack computers. They hack human tendencies.
- The Authority Trap. When a director, CEO, or senior manager asks for a "quick favour," most of us have a deep-seated urge to just get it done.
- Artificial Urgency. "This needs to be in before the 4 PM audit." Stress narrows focus. It literally suppresses the analytical part of your brain, so you act fast instead of thinking clearly.
- The Foot-in-the-Door. It starts with a small, harmless request. Once you say yes to the small thing, you're far more likely to say yes to the dangerous thing.
Your body is the new firewall

The answer isn't just "check the link." That still matters, but it's no longer enough.
The better question is: what is this message trying to make me feel?
If it creates pressure, deference, obligation, or the urge to act before thinking, stop there. That emotional shift is often the most reliable signal you'll get.
If a message is pushing one of Cialdini's levers too hard, whether authority, urgency, familiarity, social proof, reciprocity, or consistency, that's your cue to slow down.
If you feel a sudden surge of anxiety, or a rush of "I need to do this right now," that physical reaction is your brain being bypassed.
New habits worth building:
- Notice the rush. If you feel pressured, that feeling is the phishing alert.
- Break the momentum. If a request involves data or money, even a small one, hit the brakes. Follow up by phone or check with a colleague if you're unsure.
- Use a different channel. If a request comes in via Zoom or Teams, call them on their mobile. If it's an email, ping them on your organisation's secure chat platform. Never use the contact details inside the suspicious message.
For Leaders: this is also a culture issue
A "do what you're told" culture is a gift to attackers. If your team is too intimidated to double-check a request from you, the attacker has already won.

Make it safe to be cautious. If an employee flags a legitimate email as suspicious, thank them; don't roll your eyes. Tell your team directly: "I will never be annoyed if you call to verify a request. I actually expect it."
It sounds small. It changes everything. It turns verification into good judgement, not insubordination.
The strongest defence isn't a piece of code. It's the three-second pause before you click.
The bottom line
Modern phishing is more polished than it used to be. But underneath the polish, it still works in a deeply human way, using pressure, familiarity, status, and timing to push people past their usual judgement.
That's why the solution can't live in software alone.
People need better behavioural cues. Better habits. Better permission to pause.
Because the most important red flag now is rarely in the message itself.
It's the moment you feel yourself being pushed.
Mark Brown is a behavioural science expert with significant experience in inspiring organisational and culture change that lasts. If you'd like to chat about using Psybersafe in your business to help stay cyber secure, contact Mark today.