
August 25, 2021

The Future of Phishing Is Likely to Become Even More Emotionally Manipulative—But Not Exclusively Fear-Based

Many companies conduct phishing simulations to test their teams, but there’s a fine line between a realistic test and a breach of trust. When your tests use fear tactics, they can create anxiety and damage your security culture. This is a problem because real attackers are getting smarter: the future of phishing is likely to become even more emotionally manipulative, but not exclusively fear-based. As a cybersecurity company, Living Security knows effective phishing training shouldn't rely on fear. Your program should build defenses, not break trust.

But sometimes the phishing campaign is met with strong resistance internally, especially if employers touch on sensitive topics that make employees feel unfairly deceived. And when your cybersecurity awareness training program pushes fear or shame, these campaigns are often not successful.

Phishing campaigns should be an opportunity for Security Awareness Program Owners to build a culture of education and support, not one in which users resent employers for sending emails that hit too close to home.

Here are a few questions to ask yourself before launching a campaign to see if you’re taking your phishing simulation too far:

 

Understanding Phishing: The Art of Deception

To build an effective defense, you first need to understand the offense. Phishing is more than just a technical nuisance; it is a sophisticated form of psychological manipulation. Attackers do not just exploit software vulnerabilities; they exploit human nature. This is why a purely technical approach to security will always fall short. True resilience comes from understanding the human element of risk and managing it proactively. Human Risk Management (HRM), as defined by Living Security, starts by making this risk visible and measurable. This allows you to move from a reactive posture to a predictive one, stopping threats before they lead to an incident.

What is Phishing?

At its core, phishing is a cyber attack where an adversary pretends to be a trusted entity. According to security researchers at Trellix, the goal is to trick you into giving away private information, like passwords or financial details, or to install malicious software on your device. These attacks are the initial entry point for many of the most damaging data breaches. Understanding the mechanics of phishing is fundamental, but understanding the *why*—why people click—is what allows security teams to build a truly effective defense that goes beyond basic awareness and changes behavior at scale.

A Brief History of Phishing

Phishing is not a new threat, but it is a constantly changing one. It has evolved significantly since its inception, adapting to new technologies and user behaviors. Early phishing attempts were often crude, riddled with typos, and easy to spot. Today, attackers leverage sophisticated tools and social engineering tactics to create highly convincing and personalized attacks. This evolution from simple email scams to multi-channel, AI-driven campaigns highlights the need for security strategies that can adapt just as quickly. Static, one-size-fits-all training is no longer enough to counter a threat that is so dynamic.

Common Types of Phishing Attacks

The term "phishing" covers a wide range of attack vectors. As security controls for email have improved, attackers have diversified their methods to reach employees where they are most vulnerable. These attacks vary in their delivery method and level of personalization, but they all share the same goal: deception. From highly targeted messages aimed at executives to broad campaigns sent via text message, understanding the different forms of phishing is the first step in building a comprehensive defense strategy. Recognizing these attack types helps you tailor your security interventions and focus on the specific risks facing your organization.

Spear Phishing

Unlike broad, generic phishing campaigns, spear phishing is highly targeted. Attackers target specific individuals or organizations, using personal information gathered from social media or previous data breaches to make the message more convincing. An email might reference a recent project, a colleague's name, or a conference the target attended. This personalization makes the message appear legitimate, significantly increasing the likelihood that the recipient will click a malicious link or open a weaponized attachment. This is where correlating data across behavior, identity, and threat intelligence becomes critical for early detection.

Whaling

Whaling is a form of spear phishing that specifically targets high-profile individuals within an organization, such as C-suite executives or finance leaders. Because these individuals have access to sensitive data and financial resources, they are high-value targets. A whaling attack might impersonate a legal summons, a confidential company memo, or an urgent request from another executive. The stakes are much higher with whaling, as a single successful attack can lead to significant financial loss or a major data breach, making it a top concern for GRC and SOC teams.

Smishing and Vishing

As people have become more wary of email-based threats, attackers have moved to other communication channels. Smishing involves phishing via SMS text messages, while vishing uses voice calls to deceive victims. These attacks often create a sense of urgency, for example, by sending a text about a compromised bank account or a voice message impersonating a support technician. Because mobile devices are often perceived as more secure and personal than email, users may be less guarded, making these attack vectors particularly effective for bypassing traditional security filters.

Quishing (QR Code Phishing)

Quishing is a newer and increasingly common attack that uses QR codes to direct victims to malicious websites. An attacker might place a sticker with a malicious QR code over a legitimate one on a poster or in an email, promising a discount or access to a menu. When a user scans the code, they are taken to a fake login page designed to steal their credentials. The simplicity of scanning a QR code bypasses the user's typical scrutiny of a URL, making it a stealthy way to initiate an attack.

The Psychology Behind Phishing Success

Phishing works because it targets people, not just systems. Attackers are experts in human psychology, exploiting cognitive biases and emotional triggers that are hardwired into all of us. As Trellix notes, phishing succeeds by taking advantage of human weaknesses, which are far less predictable and harder to patch than software vulnerabilities. This is why traditional security awareness training that focuses only on spotting technical red flags often fails. To truly reduce human risk, you need to understand the psychological principles that make these attacks so effective and build a program that addresses the root cause: human behavior.

Exploiting Human Nature: Authority and Curiosity

Two of the most powerful psychological levers attackers use are authority and curiosity. People are conditioned to comply with requests from figures of authority, such as a CEO or a government agency. A phishing email that appears to come from a superior creates a sense of obligation that can override caution. Similarly, curiosity is a powerful motivator. An email with a subject line like "Updated Salary Information" or "Your Recent Order Details" tempts the recipient to click without thinking. These tactics prey on fundamental aspects of human nature, making them consistently effective.

Leveraging Cognitive Biases

Our brains rely on mental shortcuts, or cognitive biases, to make quick decisions. While these shortcuts are useful in everyday life, attackers exploit them to their advantage. The confirmation bias, for example, might lead someone to accept an email that confirms what they already believe, like an expected package delivery. The scarcity bias creates a sense of urgency, compelling action before a "limited-time offer" disappears. By understanding and leveraging these biases, attackers can craft messages that bypass our rational thought processes and trigger an impulsive, emotional response.

The Role of Context and Timing

The context in which a phishing message is received plays a huge role in its success. An employee who is stressed, distracted, or multitasking is far more likely to fall for an attack. As researchers point out, when people are stressed, they are less likely to think clearly and can be tricked more easily. Attackers often time their campaigns to coincide with busy periods, such as the end of a quarter or during major company events, knowing that employees will be less vigilant. This highlights the need for continuous, adaptive interventions, not just annual training sessions.

The Evolution of Phishing: From Greed to Generative AI

The phishing landscape is undergoing a dramatic transformation, driven by attacker innovation and the rise of artificial intelligence. Old-school tactics based on obvious greed or urgency are giving way to more subtle and sophisticated methods. At the same time, generative AI is arming attackers with tools to create flawless, highly personalized lures at an unprecedented scale. This new era of phishing requires a new approach to defense. Security teams can no longer rely on reactive detection. They need a proactive strategy, like the one enabled by the leading Human Risk Management Platform from Living Security, to predict and prevent these advanced threats.

Shifting Attacker Tactics: Beyond Fear and Urgency

As users have become better at spotting classic phishing red flags, attackers have adapted. Recent research shows that attackers are moving away from obvious fear or urgency tactics and are instead using more subtle psychological triggers. For example, they might appeal to an employee's desire to be helpful by sending a fake request for assistance from a colleague. These "helpful-hacker" emails are harder to detect because they do not rely on negative emotions. This shift means that security awareness programs must also evolve to educate users on these newer, more nuanced social engineering techniques.

The Rise of AI in Phishing Attacks

Artificial intelligence is a game-changer for cyber attackers. It allows them to automate and scale their campaigns in ways that were previously impossible. From crafting perfect email copy to creating realistic deepfakes, AI is making phishing attacks more convincing, harder to detect, and more dangerous than ever before. For security leaders, this means the nature of the threat has fundamentally changed. Defending against AI-driven attacks requires an AI-native defense that can analyze vast amounts of data to predict threats before they materialize.

Generative AI and Convincing Lures

Generative AI tools can produce text, images, and code that are indistinguishable from human-created content. For phishers, this is a massive force multiplier. AI can make fake emails and messages much more realistic, eliminating the spelling and grammatical errors that were once tell-tale signs of a scam. It can also be used to generate highly personalized content for spear phishing attacks at scale, tailoring messages to thousands of individuals simultaneously. This capability dramatically lowers the barrier to entry for sophisticated attacks.

Deepfakes: The New Frontier of Impersonation

Perhaps the most alarming development is the use of deepfake technology in phishing. AI can now be used to create fake audio and video that realistically impersonates a specific person. Imagine a vishing attack where the voice on the phone is a perfect clone of your CEO's, or a video call where an attacker uses a deepfake to impersonate a key vendor. This technology makes it incredibly difficult to verify identities and adds a frightening new dimension to social engineering, reinforcing the need for a security model that does not rely on human judgment alone.

1. Is Your Phishing Simulation Betraying Employee Trust?

Generally speaking, employees trust their organization to protect their personal information, maintain their current workplace benefits, and operate according to a certain standard of ethics. So when an employer breaks that trust by sending a purposely manipulative phishing email leading employees to believe their personal safety within the workplace is at risk, it can leave a lasting impression on your team.

You may think, “Social engineers use manipulative tactics to trick people; therefore, a realistic phishing simulation should do the same,” but there is often a fine line between realistic and harmful. Phishing campaigns that capitalize on the emotional well-being of their recipients often reflect poorly on your organization and leave employees irritated and upset.  

Here are a few examples of phishing messages related to employees’ work security that could unfairly toy with your team’s trust:

  • Bonus payouts. “Thanks for your hard work—here’s your annual bonus!”
  • Losing work benefits. “This has been the third consecutive month we did not receive your healthcare insurance payment. Effective tomorrow, we’re revoking your coverage.”
  • Termination notices. “Notice of Termination: Effective Immediately.”
  • Personal possessions within the workplace disruption. “In last night’s burglary, contents on your desk were stolen.”
  • Personal company-protected data leaked. “Our company was the victim of a data breach that could have potentially exposed personal information, such as your home address, phone number, etc., to cybercriminals.”

In these situations, the phish affects more than just your workplace environment: it directly targets the employee. Notice how the typical phishing schemes about missed package delivery notices or unpaid invoice requests often deal exclusively with business operations, while threatening an employee’s psychology or financial safety is directly aimed at the individual.

“Using highly emotive bait such as bonuses and healthcare—especially in the context of COVID-19—plays games with the emotional well-being of recipients, which in turn can harm psychological safety, trust, and culture within the workplace,” says Dr. Jessica Barker, co-CEO and co-founder at Cygenta, and we have to agree. 

People don’t like to be deceived and often don’t like the people who deceive them. Don’t leave a sour taste in your employees’ mouths by personally scaring or angering them in poorly positioned phishing simulations.

 

The Data Doesn't Lie: The Scope of the Phishing Problem

Phishing remains a persistent threat because it’s designed to exploit people, not just technology. Attackers understand that human behavior can be less predictable than a software vulnerability. As research from Trellix notes, phishing attacks succeed by taking advantage of human weaknesses. Cybercriminals craft messages intended to provoke a quick, emotional reaction, playing on feelings of urgency, curiosity, or fear to bypass rational thinking. This psychological manipulation is what makes these campaigns so effective. The more sophisticated the deception, the higher the chance of success. In fact, one study found that phishing emails using a combination of tactics were about 15% more successful than those without, proving that attackers are constantly refining their methods.

Betraying Employee Trust with Deceptive Tests

While it’s tempting to replicate these advanced, manipulative tactics in your own phishing simulations, doing so can backfire spectacularly. When a test uses what CSO Online calls "highly emotive bait" like fake bonuses or threats to healthcare benefits, it crosses a line. Instead of a learning moment, the simulation becomes a breach of trust between the employee and the organization. This approach erodes psychological safety and can damage the very security culture you’re trying to build. Research confirms that campaigns capitalizing on emotional well-being often leave employees feeling irritated and upset, which ultimately reflects poorly on the company. An effective Human Risk Management program should build a partnership with employees, guiding them toward safer behaviors rather than trying to trick them into failure.

2. Are You Crossing a Line by Targeting Personal Security?

Just as personally targeted work-related messages attack an individual’s emotional well-being, dragging an employee’s home life into your phishing campaign is often a big no-no. Any phishing message that relates to an employee’s safety outside of the workplace has no place in a corporate phishing campaign.

For example, a work email phish stating an employee’s personal banking account was breached or that their home security system detected a break-in is not an ethical practice. While it’s true that highly specific, fear-based phishing emails are often the ones people fall for, your employee is likely to feel resentful of this personally invasive trick and will not appreciate you bringing their home life into the workplace setting. Stay far, far away from dragging your staff’s personal property into a professional phishing setting. 

 

Check out our webinar, “Metrics, Training, Culture - Why Your Phishing Program Isn’t Working,” where our co-founder, Drew Rose, talks about the ethics of phish testing employees and poses the question, “When are we taking it too far?”

 

3. What Is the Mental Health Toll of Your Phishing Test?

In the two questions above, you’ll notice the focus remains on your employee’s mental health. By inciting anxiety and panic in a way that threatens their psychological safety, you are causing your employees unnecessary stress and eroding their very trust in your organization.

Before hitting send on a phishing campaign, review the message again and ask yourself how its tone could be perceived by employees. Is this campaign empathetic of their personal boundaries and respectful of their well-being? If unsure, seek help from an occupational health advisor on how it might affect the team and your culture.

 

4. Is Your Goal to Train or Just to Trick?

It’s important to pulse-check your motivation for sending a phishing message before launching the campaign. What’s your goal for sending the phish? Is it to positively promote learning and nurture employees on best practices for avoiding cyber threats? Or is it to earn lots of clicks so you can show management how you turned those phishing click rates around after a year or two of simulation training? 

The point of a phishing campaign is not to fool employees and make it look as though you’re effecting cultural change. It’s to actually train employees so that they don’t fall for phishing attacks. It’s to educate and empower your team to recognize and report suspicious messages with the goal of benefiting your employees and your organization’s security at large.

If you find yourself trying to fool employees to prove how great you are at crafting clever phishing emails, we urge you to reassess your motive and the impact you hope to leave long after the campaign comes to an end.

 

5. Does Your Phish Lead to a Teachable Moment?

You spend so much time developing and orchestrating your phishing campaign, but after all the results are in, how are you sharing them with your team? If you are making employees go through your phishing training, the least you can do is share how they did as a whole at the end. If scalable, you could even share individual feedback with employees who failed and provide resources for them to improve their awareness for next time. Remember, this is an opportunity for you to support and empower your users, not make them feel ashamed for their mistakes.

Consider sending out a mass email to participants and giving a few shoutouts to people who caught the phish for the ruse it was, while still being kind to those who failed and providing valuable feedback that all employees could learn from.
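One way to turn questions 1, 2 and 5 into a repeatable pre-launch gate is a small review script that screens each simulation template for the off-limits topics listed above (bonuses, benefits, termination, workplace property, exposed personal data, home life) and refuses to approve a template that does not land on a teachable moment or has no debrief planned. The code below is an added example written for this article, not code from Living Security or its platform; the category names, the phrase lists and the three sample templates are constructed here and should be tuned to your own organization's vocabulary.

```python
import re
from dataclasses import dataclass, field

# Lure categories the article says a simulation should keep away from
# (questions 1 and 2). Category names and phrase lists are constructed
# for this example; extend them to match your own organization's wording.
OFF_LIMITS = {
    "compensation or benefits": [r"\bbonus\b", r"\bhealthcare\b", r"\binsurance\b",
                                 r"\bcoverage\b", r"\bpayroll\b"],
    "employment status": [r"\btermination\b", r"\bterminated\b", r"\blaid off\b",
                          r"\blayoff\b"],
    "workplace safety or property": [r"\bburglary\b", r"\bstolen\b", r"\bbreak-?in\b"],
    "exposure of personal data": [r"\bdata breach\b", r"\bhome address\b",
                                  r"\bphone number\b"],
    "home or private life": [r"\bpersonal bank", r"\bhome security\b",
                             r"\bbank account\b"],
}


@dataclass
class SimulationTemplate:
    name: str
    subject: str
    body: str
    # Does a click land on a page that explains the red flags (question 5)?
    teaches_on_click: bool
    # Will aggregate results and feedback be shared with participants afterwards?
    debrief_planned: bool


@dataclass
class ReviewResult:
    approved: bool
    flagged: dict = field(default_factory=dict)        # category -> matched phrases
    missing_followup: list = field(default_factory=list)


def review_template(template: SimulationTemplate) -> ReviewResult:
    """Pre-launch check: block emotive or personal lures and require a teachable moment."""
    text = f"{template.subject}\n{template.body}".lower()
    flagged = {}
    for category, patterns in OFF_LIMITS.items():
        hits = {m.group(0) for p in patterns for m in re.finditer(p, text)}
        if hits:
            flagged[category] = sorted(hits)

    missing = []
    if not template.teaches_on_click:
        missing.append("landing page that explains the red flags")
    if not template.debrief_planned:
        missing.append("post-campaign debrief with aggregate results")

    return ReviewResult(approved=not flagged and not missing,
                        flagged=flagged, missing_followup=missing)


# Constructed sample templates: one modelled on the article's "challenging but
# fair" vendor impersonation, two on the lures it says cross the line.
SAMPLES = [
    SimulationTemplate(
        "vendor-invoice",
        "Invoice 4471 awaiting approval",
        "Please review the attached invoice from your account manager by Friday.",
        teaches_on_click=True, debrief_planned=True),
    SimulationTemplate(
        "annual-bonus",
        "Thanks for your hard work - here is your annual bonus!",
        "Open the attachment to view your bonus statement.",
        teaches_on_click=True, debrief_planned=True),
    SimulationTemplate(
        "termination",
        "Notice of Termination: Effective Immediately",
        "HR has not received your healthcare insurance payment; coverage ends tomorrow.",
        teaches_on_click=False, debrief_planned=False),
]


def review_all(templates=SAMPLES) -> dict:
    """Review every template and return the results keyed by template name."""
    return {t.name: review_template(t) for t in templates}


if __name__ == "__main__":
    for name, result in review_all().items():
        verdict = "APPROVED" if result.approved else "BLOCKED"
        print(f"{name}: {verdict} flagged={result.flagged} missing={result.missing_followup}")
```

A keyword screen is deliberately crude; its value is that it forces the conversation about trust before the message goes out rather than after. The vendor-invoice template passes because it tests critical thinking on a business process, while the other two are blocked for the reasons the article gives, and the termination template is additionally blocked because nobody who clicks it would learn anything.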

 

The Power of Immediate Feedback

A phishing simulation that doesn't lead to learning is a missed opportunity. The most impactful teachable moments happen immediately after a mistake. When an employee clicks a simulated phish, that's the perfect time for a "just-in-time" intervention. Instead of a simple failure notice, providing immediate, contextual feedback turns the error into a memorable lesson. This is a core principle of Human Risk Management (HRM), which uses behavioral signals to guide individuals with personalized actions. By delivering targeted security awareness training at the moment of need, you move beyond simple testing. You actively build a more resilient workforce by transforming a moment of risk into an opportunity for growth and reinforcement.

Crafting an Ethical and Effective Phishing Simulation

It can be difficult to ensure a phishing simulation is ethically sound. But when your employees’ psychological well-being and your organization’s culture are at stake, it’s crucial to get it right.

Never worry about the ethics of your phishing simulation again with help from Living Security’s phishing simulation training. We provide pre-written phishing content screened and tested for its ethical integrity: content that considers all the questions in this article and more. Best of all, our team can offer guidance about your own unique campaign. Contact us to learn more today.

Frequently Asked Questions

Why can't our phishing simulations just mimic real-world attacks, even the manipulative ones?

While it's true that real attackers use manipulative tactics, your goal as a security leader is different. An attacker wants to cause harm; you want to build resilience. Using overly emotional or fear-based lures, like fake termination notices or threats to benefits, can break the trust between employees and the organization. This erodes the very security culture you're trying to build, making employees resentful instead of receptive to learning. An effective program focuses on education, not just trickery.

What's the difference between a "bad" phishing simulation and a challenging one?

A challenging simulation tests an employee's critical thinking without causing personal distress. For example, a test might use a sophisticated, well-designed email that impersonates a known vendor. A "bad" simulation crosses an ethical line by targeting an employee's personal security or emotional well-being, such as faking a bonus payout or a home security breach. The goal is to train, not to cause anxiety or panic.

How is AI changing phishing, and how does that affect our training?

AI allows attackers to create highly convincing and personalized phishing emails at a massive scale, eliminating common red flags like typos. They can even create deepfake audio and video for impersonations. This means your defense can no longer rely on just teaching people to spot simple mistakes. You need a proactive approach, like the one offered by Living Security's leading Human Risk Management Platform, which uses AI to analyze risk signals and predict threats before they happen, moving beyond simple employee awareness.

My employees clicked on the simulation. What should I do next?

A click is a perfect teachable moment. Instead of simply marking it as a failure, use it as an opportunity for immediate, targeted education. This is a core principle of Human Risk Management (HRM). By providing instant feedback and a short, relevant micro-training at the moment of error, you reinforce the lesson when it's most impactful. The goal is to guide and support employees, turning a mistake into a valuable learning experience.

How do we measure the success of our phishing program if not by click rates?

While click rates are one data point, a truly successful program looks at broader behavioral changes and risk reduction. Are employees reporting more suspicious emails? Are they improving their performance on simulations over time? An advanced Human Risk Management (HRM) platform helps you see the bigger picture by correlating data from behavior, identity systems, and threat intelligence. This allows you to measure a real reduction in your organization's overall human risk, not just whether someone clicked a link.
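To make the "more than click rates" answer concrete, the script below works from per-recipient records of a simulation (when the message was delivered, whether and when the user clicked, whether and when they reported it) and computes report rate, the number of people who reported without clicking, and how many minutes passed before the first report reached the security team. It then compares the first and last campaigns in a series. This is an added example written for this article, not code from Living Security or any HRM platform; the record layout, the `RecipientRecord` and `summarize` names, and all timestamps and outcomes are constructed here. Time to first report is not a metric the article names; it is included because it bounds how quickly a real campaign could be contained.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RecipientRecord:
    """One recipient's outcome in one campaign (constructed layout for this example)."""
    campaign: str
    user: str
    delivered: datetime
    clicked: Optional[datetime]   # None if the user never clicked the lure
    reported: Optional[datetime]  # None if the user never reported the message


def summarize(records, campaign):
    """Aggregate one campaign: click rate, report rate and speed of the first report."""
    rows = [r for r in records if r.campaign == campaign]
    sent = len(rows)
    clicked = sum(1 for r in rows if r.clicked is not None)
    reported = sum(1 for r in rows if r.reported is not None)
    # Delay from delivery to the earliest report; this is when the SOC first hears of it.
    first_report = min((r.reported - r.delivered for r in rows if r.reported is not None),
                       default=None)
    return {
        "sent": sent,
        "click_rate": clicked / sent,
        "report_rate": reported / sent,
        "reported_without_clicking": sum(
            1 for r in rows if r.reported is not None and r.clicked is None),
        "minutes_to_first_report": (first_report.total_seconds() / 60
                                    if first_report is not None else None),
    }


def program_trend(records, ordered_campaigns):
    """Compare the earliest and latest campaign; report rate rising is the key signal."""
    first = summarize(records, ordered_campaigns[0])
    last = summarize(records, ordered_campaigns[-1])
    return {
        "click_rate_change": round(last["click_rate"] - first["click_rate"], 3),
        "report_rate_change": round(last["report_rate"] - first["report_rate"], 3),
        "first_report_faster": (
            first["minutes_to_first_report"] is not None
            and last["minutes_to_first_report"] is not None
            and last["minutes_to_first_report"] < first["minutes_to_first_report"]),
    }


# Constructed sample data: two quarterly campaigns to the same five people.
T0 = datetime(2021, 8, 25, 9, 0)


def _rec(campaign, user, click_min=None, report_min=None):
    return RecipientRecord(
        campaign, user, T0,
        T0 + timedelta(minutes=click_min) if click_min is not None else None,
        T0 + timedelta(minutes=report_min) if report_min is not None else None)


SAMPLE_RECORDS = [
    _rec("Q1", "alice", click_min=5),
    _rec("Q1", "bob", click_min=12, report_min=20),
    _rec("Q1", "carol", report_min=40),
    _rec("Q1", "dave"),
    _rec("Q1", "erin", click_min=3),
    _rec("Q2", "alice", report_min=4),
    _rec("Q2", "bob", click_min=10, report_min=11),
    _rec("Q2", "carol", report_min=6),
    _rec("Q2", "dave"),
    _rec("Q2", "erin"),
]

if __name__ == "__main__":
    for name in ("Q1", "Q2"):
        print(name, summarize(SAMPLE_RECORDS, name))
    print("trend", program_trend(SAMPLE_RECORDS, ["Q1", "Q2"]))
```

In the constructed data the click rate drops from 0.6 to 0.2, but the more telling change is that the report rate rises from 0.4 to 0.6 and the first report arrives after 4 minutes instead of 20: the workforce has started acting as a sensor rather than merely avoiding the lure.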

Key Takeaways

  • Build Trust, Don't Break It: An effective phishing simulation educates employees without resorting to manipulative tactics. Avoid using overly personal or fear-inducing topics, such as fake termination notices or threats to benefits, as these can erode employee trust and harm your security culture.
  • Adapt to Modern Phishing Tactics: Attackers are now using sophisticated psychological triggers and generative AI to create highly convincing, personalized attacks. Your security program must evolve beyond reactive detection and adopt a proactive strategy to counter these advanced threats.
  • Turn Simulations into Teachable Moments: The primary goal of a phishing test is to build resilience, not just to track failure rates. Use each simulation as an opportunity for immediate, positive reinforcement and learning, guiding employees toward safer behaviors without causing shame.
