Why Workers Who Recognize Phishing Still Click — And What Companies Should Do About It

  • Andrej Botka
  • 5 hours ago
  • 3 min read

Security and communications teams need to change how work happens, not just drill people harder on red flags.


Machine-produced scams are tricking staff who otherwise know what to watch for, and organizations are only just starting to treat the problem as an operational one. A recent survey of 500 U.S. office workers conducted by security firm Sagiss found that about seven of 10 respondents said scam messages are more believable now than they were a year ago because they’re written by automated tools. Roughly two-thirds said a message generated by such tools could impersonate a coworker successfully, and over one-half said the machine-crafted notes feel more polished — removing the awkward language that once tipped people off. In short, the blunders that used to give away fraudsters are vanishing, and the messages now sound like a manager or a familiar colleague asking for something urgent.


Still, the softening of language explains only part of the problem. Workers are clicking and replying first, then second-guessing themselves. Nearly two-thirds of survey participants admitted they’d clicked a work link in the past year and later thought they should have checked it; about two-fifths said that happened more than once. Roughly three-fifths had confirmed the legitimacy of a request only after they'd already acted on it. These are not people who didn’t learn the basics — fewer than one in 10 said they lacked the know-how to verify messages. The issue is the moment of decision: people are hurrying between meetings, juggling many browser tabs and responding to an overflowing chat thread while under time pressure.


Work habits play a big part. When asked what makes them most likely to err, a little more than half pointed to rushing between tasks and about half blamed juggling too many things at once. That pattern reframes the usual advice. Companies have long treated phishing as an education challenge — run training, send mock attacks, repeat the checklist. But when employees are operating in split-attention mode, another round of lessons won’t fix the underlying friction that pushes them to act without pausing. Leaders should stop assuming awareness alone will stop breaches and start examining how messages arrive and how quickly responses are expected.


The problem intensifies outside normal office hours. Around seven of 10 said they check work messages after hours at least sometimes, and more than half feel pressure to answer them. About one-third said they’d replied to an after-hours message and later felt they should have verified it first. Late-night or early-morning interactions strip away context — calendars aren’t open, the team is offline, and people want to clear a task quickly. That’s exactly the window in which a well-tailored, machine-written request that names a real project or person has the best chance of succeeding.


Fixes require coordination between security, corporate communications and line managers. “Security controls alone won’t stop this,” said Dr. Lena Morris, a cybersecurity strategist at Gray Harbor Consulting. “You need to change how work is scheduled and how quick-turn requests are handled.” Practical steps include setting clear after-hours response expectations, routing sensitive requests through verified channels, inserting deliberate verification steps for urgent financial or credentials-related asks, and using technology to flag unusual sender behavior. Simulations still help, but they should be paired with operational changes: reduce the number of high-pressure notification channels, require a short verification call for money-moving messages, and give employees safe ways to pause and confirm without looking slow. Companies that rethink workflow — not just training — will reduce the window where even savvy workers are likely to be fooled.

 
 
 

© 2035 by The StartupsCentral. 
