You trust your team. They’re sharp, capable, and tech-savvy. They know what a phishing email looks like – or at least, they think they do.
Most employees are confident they could identify a scam. They’ve been told not to click dodgy links or download suspicious attachments. They’ve sat through awareness talks and heard the horror stories. They know phishing emails are designed to trick people.
So surely, they’d never fall for one… right?

Overconfidence: A Hacker’s Best Friend
Here’s the uncomfortable truth: Confidence does not equal competence.
Recent studies show that a staggering 86% of employees believe they can spot a phishing attack, but over half of them have already fallen for a scam at some point.
This disconnect – between what people think they know and how they actually behave – is exactly what cyber criminals exploit.
Phishing tactics have come a long way from the days of obvious grammar mistakes and “Nigerian prince” emails. Remember those?
Today’s scams are far more subtle and sophisticated. They often include:
- Emails that appear to be from trusted banks or suppliers
- Invoices that look completely legitimate
- Internal messages seemingly from a manager or colleague
When these messages land in an inbox, it’s not always obvious they’re fake. And when someone’s overconfident, they’re more likely to take them at face value.
The Dunning-Kruger Effect in Cyber Security
Psychologists call this the Dunning-Kruger Effect – when people with limited knowledge overestimate their abilities. In cyber security, it’s especially dangerous.
When someone believes they’re “too smart” to fall for a phishing scam, they let their guard down. Instead of checking the sender’s actual address or verifying an unusual request with the supposed sender through a separate channel, they act quickly and carelessly. That’s when mistakes happen. And that’s how criminals gain access to your systems, data, and even your money.
Why Confidence is Killing Your Cyber Defences
An employee’s false sense of security can lead to:
- Ignoring red flags in emails
- Trusting fake links or domains
- Failing to report suspicious messages
- Hesitating to ask questions or flag concerns
This creates the perfect storm: risky behaviour combined with a culture that doesn’t encourage speaking up. Cyber attacks don’t always happen because someone is uninformed – they happen because someone thinks they already know better.
Building a Culture of Caution, Not Complacency
So, what can you do?
The first step is acknowledging that confidence alone is not enough. Even your most tech-savvy employees need regular, up-to-date phishing awareness training. This helps them recognise new and evolving threats, not just the obvious ones.
But education isn’t the only answer. You also need to foster a workplace culture where security concerns are taken seriously – and where employees feel safe raising the alarm, even if they’re unsure.
Encourage a “no blame” approach to reporting, including from someone who has already clicked. The quicker suspicious activity is flagged, the faster you can take action and minimise damage.
Cyber Security: It’s Not About Being Smart – It’s About Being Careful
In the end, cyber security is not a measure of intelligence – it’s a measure of vigilance.
Even the most experienced or tech-literate employee can be fooled by a well-crafted scam. The key is to question everything, stay cautious, and assume that any unusual message could be a threat.
Because the moment someone says, “I’d never fall for that”… is often the moment they do.
Need Some Advice?
Get in touch with us today, and we can run through the options best suited to your business.