Psychology behind cyberattacks: Why even clear warnings are ignored
As an IT specialist, it is not unusual for acquaintances or friends to ask me for advice on technical problems. But recently I had a case that really bothered me from both a technical and psychological point of view - and it shows why even obvious threats are often ignored.
The moment of alarm
It started with a WhatsApp message from an acquaintance:
"I can't access my banking right now because I have a virus. I don't know what to do."
For me the matter was immediately clear: The device must be turned off immediately. A compromised device should not be used any further, as every further action gives an attacker more information and control. My answer was therefore direct: “Turn off the phone and have it analyzed!”
But what happened? My friend ignored my advice. The device remained active for several days while he tried to "carry on as normal". His assumption: "I'm not doing anything critical. No banking, just YouTube and chatting."
The Psychology Behind It: Why Warnings Are Ignored
From a technical perspective, it was clear to me that this negligence represented an enormous risk. But why do people act so irrationally in such situations? The answer lies in a combination of psychological mechanisms that attackers often exploit:
- Displacement:
Threats that cannot be directly seen or felt are often ignored. The thought “I won’t be affected” is widespread – a classic example of the so-called optimism bias. - Underestimating the danger:
Many people think that cyberattacks only affect large companies or celebrities. They believe that they are "too insignificant" to be the target of an attack. My friend thought that as long as he didn't use online banking, there was no risk. - Illusion of Control:
There is a widespread assumption that as long as you avoid certain things (e.g. not banking), you are in control of the situation, ignoring the fact that an attacker already had full access to the device. - Comfort:
The idea of turning off the phone, no longer being able to read the news and having to change the way we live our lives was apparently more unpleasant than the invisible threat of the virus. People tend to choose the path of least resistance - even if it is harmful in the long term.
The Consequences: What We Later Found Out
A few days later, my friend finally had the device analyzed. The results were not surprising: two malicious apps, disguised as PDF readers and document readers, were reported as "malicious" by Google Play Protect. The attacker could have easily intercepted passwords, read messages, or even communicated on behalf of my friend - which may have already happened. A comprehensive analysis was no longer possible at this point, as phishing messages and various apps had already been deleted.
What was also exciting was the fact that several “antivirus” programs did not detect any problems – a false sense of security.
Fortunately, no real damage occurred in this specific case.
What would have happened if the device had been turned off immediately? The possibility of real damage could probably have been minimized. But by delaying the attack and continuing to use the device, the attacker could consolidate control and potentially steal even more data.
What IT specialists can learn from this
This incident reminded me that technical knowledge alone is often not enough to convince people. Cyberattacks are not only a technological problem, but also a psychological one. As IT professionals, we should engage with the mindsets and reactions of average users in order to better support them.
Tips to raise user awareness more effectively:
- Communicate simply and concretely:
Technical details about malware or exploits may be correct, but they often scare off laypeople. Instead, clear instructions like: “Turn it off immediately and have it analyzed.” - Making dangers tangible:
Many people underestimate the consequences. It helps to give concrete examples or scenarios of what data misuse or identity theft could look like. - Emphasize urgency:
People tend to postpone threats. Phrases like “Every minute the device is on gives the attacker more control” can help convey the necessary urgency. - Show understanding:
Convenience and denial are human. Instead of accusations, it is more helpful to explain empathetically why security measures are important, even if the threat is not visible.
The responsibility of the media in educating people
The media have a central responsibility to inform the general public about the dangers of cyber attacks and security gaps. Unfortunately, reporting often focuses on spectacular cases such as large-scale hacker attacks or data scandals at prominent companies. The everyday risks that normal However, threats that affect people - such as phishing emails, fake apps or insecure passwords - receive little attention. This gap in reporting means that many people underestimate the threat and feel poorly informed when they are suddenly affected themselves. The media could help to make the risks tangible through understandable explanations and concrete examples. Practical content - as shown in the YouTube videos below - is an effective way to promote security awareness. The media should focus more on such everyday topics and also offer clear recommendations for action in order to support an informed and security-conscious society.
Tracking virtual bank robbers | ZDF | WISO
https://www.youtube.com/watch?v=rXGaCyhddXo
Conclusion: IT security begins in the mind
This case has shown me once again how important it is to understand not only the technical aspects of cyberattacks, but also the psychological ones. It is not enough to inform users about threats - we must also break down the emotional and cognitive barriers that prevent them from taking the right action.
As IT specialists, our job is not only to secure systems, but also to raise people's awareness. And sometimes that means being not only an expert, but also a kind of translator between technology and psychology.
Have you had similar experiences? What strategies do you use to raise awareness of IT security among non-technical people? I look forward to exchanging ideas!
English 
German 