The Five Stages of Being Phished

Cybercriminals rely on savvy fraudulent techniques to convince phishing victims to respond to emails, voicemails, text messages, and social media requests. These scams work because they use emotion to trick phishing victims.

In fact, emotion is central to how phishing happens and the aftermath of the phish. This is why companies must understand the deep impacts of phishing and put real efforts into building a cyber aware culture.

One of the best ways to create a cyber aware culture is with consistent messaging, training, simulations, and communication about phishing.  No one, regardless of their position, years of experience, or level of Internet savviness is immune to a phishing attack.

The Power of Emotion in Phishing

Cybercriminals use emotion and the human nature to trust one another to get people to act quickly with giving little thought to the request or source of the request.

  • Fear: strong and threatening language is used to convince victims that if they don’t act quickly, there will be negative ramifications for them or someone they know. For example, an arrest will be made, or a bank account will be seized.
  • Respect: the victim feels compelled to respond because the email appears to come from a company employee who has authority over them. They do not question sending a wire transfer to a new partner or providing the senior HR manager with confidential employee details.
  • Greed: everyone wants something for nothing. By preying on our natural instinct for greed, cybercriminals trick phishing victims into acting with the promise of receiving money, a prize, or the chance to benefit from a great new business.
  • Helpfulness: people want to trust and help one another. This is how people are fooled by social media messages from distant relatives or by emails that use language such as “please help” or “I’m in trouble and only you can help me”.

The impacts of phishing attacks run deep. The 2019 Cost of a Data Breach Report reveals how damaging a data breach such as one caused by phishing is for organizations:

  • It takes 206 days to identify that a data breach has occurred.
  • The average lifecycle of a data breach caused by a malicious attack is 314 days.
  • When a data breach exceeds 200 days, the average cost is $4.56 million.

These numbers underscore why it is so important for companies to put serious emphasis on building a cyber aware culture.  Register for the free on-demand webcast, The Five Stages of Being Phished, to learn how phishing awareness helps your employees become cyber aware.

What Are the Five Stages of Being Phished?

Stage #1: Denial

“I didn’t know”, “I didn’t do it”, or “Are you sure?”

These are common responses from phishing victims who learn that they were tricked by a cybercriminal. Because it can take up to 200 days for the impacts of clicking a link or downloading an attachment to be realized, it’s common for victims to maintain that it wasn’t them.


To help people move beyond this first stage of being phished, show them how the cyber attack happened. Explain how the email address was for example faked or why the attachment was suspicious. Take the time to show your employee how they can access phishing simulations and make it easy for them to build their cyber awareness.

Stage #2: Anger

 “This is not my fault!”, “The IT department should have protected me”, or “How do you know it was me?”

These common reactions of anger mask the panic the phishing victim experiences when they realize what has happened. Some employees place blame on others or react by not trusting emails, attachments, or standard work-related requests.


Many people at this stage want to be left alone and don’t want to discuss phishing awareness or what to do to prevent this from happening again. This is a great opportunity to ask your internal cyber heroes to reach out to this person, explaining how common phishing is and that they are not the first or last person to make this mistake.

Companies can help by using communication tools such as posters and email newsletters to raise awareness. Give the employee easy access to phishing simulations, emphasizing how simulations are a safe learning environment. It’s important that the phishing victim is not used as an example – be discreet and focus on building a cyber aware company culture.

Stage #3: Bargaining

 “It looks real”, “How was I supposed to know?”, or “I can’t believe I did this.”

Phishing victims feel guilty about what they have done and start to explain why they clicked the link or transferred the money. They try to show you why the email looked real, how they were only trying to help, or emphasize how the message was urgent so they had to react immediately. Provide whatever support is needed to prove to your employee that you trust them.


These emotional responses underscore how successful social engineering is in tricking people to act. To prevent this, make sure your company has a consistent communication strategy about phishing risk and threats and the importance of being cyber aware at all times.

Remind phishing victims that this cyber attack was not personal, and it doesn’t mean that they are bad. Highlight to all employees the importance of speaking up when they believe they were tricked by an email, phone call, or other request. Emphasize how this helps the company recover more quickly and makes it easier for authorities to catch the criminals.

Stage #4: Depression

“I am embarrassed”, “I feel bad about what I’ve done”, or “Oh no, I’m in serious trouble.”

As the reality of their actions sink in, many phishing victims feel regret, despair, and embarrassment. Most employees have heard of other companies who were hurt by a cyber attack and they begin to fear the results of their click, download, or email reply.


To help ease these emotions, companies need to remind all employees of the prevalence of cybercrime. Give them easy access to a range of cyber security awareness training including gamification, simulations, newsletters, and microlearnings. Recognize employees who are on the top of the leader board or who have improved their cyber awareness education.

Provide communication with posters and email newsletters that spread the word about best practices. Remind employees that if they’re in doubt or slightly suspicious of a request – to reach out to your internal cyber heroes or help desk before clicking or responding to the email request.

Stage #5: Acceptance

“I wasn’t paying attention”, “I don’t know how to recognize a phish”, or “What can I do to make sure this doesn’t happen again?”

This fifth stage of being phished is the ideal opportunity for you to convert this person into an internal cyber hero. Empower this employee by providing immediate access to just-in-time training that makes it easy for them to take action. It’s key at this stage to support employees with tools, training, and messaging that allows them to move forward.


Remind all employees of how cybercriminals use social engineering techniques and rely on the reality that people are busy and often don’t pay attention. Use microlearnings, , email newsletters, interactive videos, and phishing simulations to harness employee desire to never be a cyber attack victim again.

A Cyber Aware Culture Empowers and Protects

The more your users s know and understand about phishing and other types of cyber attacks – the better off everyone is. Don’t wait until a data breach occurs to take action.

The best time to take action is now. Take advantage of phishing awareness training and a proven security awareness platform to build a cyber aware culture.



Webcast – 5 Stages of Being Phished

Watch Five Stages of Being Phished, the free on-demand webcast and be confident you’re taking the first step in preventative action against cybercriminals.