How does a phishing e-mail look through the lens of Protection Motivation Theory?
A typical phishing mail (e.g. a fake HR request to "validate your bank details in the new portal") is engineered to keep your threat appraisal LOW and your perceived coping ease HIGH — for the attacker's desired action.
* Anatomie einer Phishing-Mail: gefälschter Absender, fabrizierte Dringlichkeit und ein Köder-Link — das Threat-Appraisal soll niedrig, die Handlung billig wirken. — Isochrone/Belbury, CC BY 4.0, via Wikimedia Commons. *
The example: an "URGENT: update your contact data for payroll" mail, seemingly from the HR department, asks employees to validate their bank details in a new portal via a link, before a deadline.
The attacker plays PMT in reverse:
- Suppressing threat appraisal: familiar sender (HR), routine business context (payroll), professional layout — nothing feels dangerous
- Urgency raises the cost of NOT acting: "by 12:00 today, or your salary transfer is delayed" — now the secure behavior (pausing, verifying) carries perceived costs
- Making the unsafe action easy: one convenient link — minimal Handlungskosten for the click
The defender must flip the same dials: train people to feel the threat in exactly these routine-looking moments (deadline + bank data + link = stop), and give them a coping action cheaper than compliance — e.g. a report button or a known second channel to verify with HR.
Go deeper:
Social engineering (security) — Wikipedia — Phishing/Pretexting als psychologische Manipulation mit Dringlichkeit und vorgetäuschter Vertrauenswürdigkeit.