Stress, Decision Fatigue & Vulnerability
Every successful scam has a timing component. Attackers do not just choose targets - they choose moments.
The Evening Transfer
Rajesh was a finance manager at a mid-size logistics company. On a Thursday evening, after a full day of back-to-back reviews, budget approvals, and vendor calls, an email arrived at 7pm.
It appeared to come from the CFO. The subject: "Urgent - payment needs to go out tonight."

The email was brief. A supplier needed payment before the weekend. The CFO was travelling. Rs. 4.2 lakh should be transferred to a new account. Details attached.
Rajesh had already made dozens of decisions that day. He was tired, he trusted the CFO, and the request had the shape of something he had done before.
He transferred the money. The CFO knew nothing about it.
The email domain had an extra hyphen. At 7pm, after a full workday, the difference between company.com and company-hq.com did not register.
What Is Actually Happening: Decision Quality Degrades
41% drop in accuracy on threat detection tasks after a sequence of unrelated decisions, compared to a rested baseline.
Decision fatigue is a measurable cognitive state - not a character trait or a matter of willpower.
Source: Gloria Mark, Attention and Distraction Lab, UC Irvine, 2023
The Quality Drain
Every decision depletes the same cognitive resource. After a day of choices - work, meals, traffic, messages - the resource is lower. The brain defaults to simpler heuristics: trust the familiar, comply with authority, act on urgency. All three are exploit vectors.
Stress Narrows Attention
Under financial, relationship, or work stress, the brain narrows its focus to the immediate problem. Peripheral threat detection - noticing the wrong domain, the odd request, the inconsistency - requires attention that stress removes.
Too Much, All at Once
When working memory is full - multiple open tasks, unread messages, pending decisions - new information is processed shallowly. Complex verification tasks get skipped. The quick-check instinct takes over.
Evenings, Fridays, and Crises
Business Email Compromise attacks cluster heavily on Thursday and Friday afternoons and before public holidays - when fatigue is highest and verification is hardest. This is deliberate. Attack timing is part of the attack design.
When You Are Most at Risk
Vulnerability is not constant. It peaks under specific, predictable conditions:
- End of a long workday - decision resource is depleted
- Financial stress periods - attention is narrowed to the immediate problem
- Emotional distress - the brain prioritises short-term relief over careful analysis
- Multi-tasking - working memory is divided, reducing capacity for verification
- Just after a crisis - follow-up fraud targeting people who have just experienced a loss
Knowing your own peak vulnerability windows is the most direct form of protection. Not willpower - scheduling. High-stakes decisions deserve your best cognitive state, not your most depleted one.
Try It: The Tired Decision Test
Make 8 quick choices. Then evaluate a phishing email. See what fatigue does to your accuracy.
What That Just Showed You
1. Fatigue does not feel like fatigue. You do not notice your accuracy dropping. The brain compensates by becoming more confident, not less. Rajesh did not feel uncertain - he felt the request was clear. That certainty was the symptom.
2. Attackers engineer the context, not just the message. The email content in BEC attacks is often simple. The sophistication is in the timing - arriving when defenses are lowest. Awareness of when your cognitive state is depleted is as important as knowing what phishing looks like.
3. The correct response to urgency at a vulnerable moment is a pause, not a decision. "This needs to happen tonight" is both the most common BEC framing and the clearest signal to delay. A legitimate transfer request survives a verification call the next morning.
Three Things Worth Doing
1. Flag end-of-day financial requests automatically. Create a personal rule: any financial request that arrives after 5pm or before a weekend gets verified the following morning, through a separate channel. No exceptions for "urgency."
2. Name your current cognitive state before acting on high-stakes requests. Before approving a transfer, clicking a verification link, or granting account access under pressure - ask: "What is my decision quality right now?" If the honest answer is low, delay.
3. Reduce decision load in the hours before high-risk work. Scheduling important security decisions (account reviews, payment verifications, contract sign-offs) for morning rather than end-of-day is a structural protection - not a hack, but an acknowledgment that cognitive state is a security variable.
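The first rule above, combined with the look-alike domain from Rajesh's email, can be written as a mail triage check that holds a request for next-morning verification. This is an added example, not part of the original article; the trusted domain, keyword lists, function name and sample message are assumptions constructed for illustration.

```python
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "company.com"   # assumption: the organisation's real mail domain
FINANCE_TERMS = ("payment", "transfer", "invoice", "new account")
URGENCY_TERMS = ("urgent", "tonight", "immediately", "before the weekend")
CUTOFF_HOUR = 17                 # "after 5pm" from the rule above

def hold_reasons(raw: str, received: datetime) -> list[str]:
    """Reasons to hold a message for next-morning, out-of-band verification.
    `received` is the local delivery time from the recipient's mail system;
    the sender-controlled Date header is not used."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    if not any(term in text for term in FINANCE_TERMS):
        return []                # the rule only covers financial requests
    reasons = []
    if received.hour >= CUTOFF_HOUR:
        reasons.append("after-hours")
    if received.weekday() >= 4:  # Friday, Saturday, Sunday
        reasons.append("pre-weekend")
    if any(term in text for term in URGENCY_TERMS):
        reasons.append("urgency-language")
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    label = TRUSTED_DOMAIN.split(".")[0]
    internal = domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)
    if not internal and label in domain:
        reasons.append(f"look-alike-domain:{domain}")
    return reasons

# Constructed sample modelled on the scenario in this article.
SAMPLE = "\n".join([
    "From: CFO <cfo@company-hq.com>",
    "To: rajesh@company.com",
    "Subject: Urgent - payment needs to go out tonight",
    "",
    "Supplier needs payment before the weekend. Please transfer",
    "Rs. 4.2 lakh to the new account. Details attached.",
])

if __name__ == "__main__":
    thursday_7pm = datetime(2024, 3, 14, 19, 0)   # a Thursday evening
    print(hold_reasons(SAMPLE, thursday_7pm))
```

Any non-empty result means the request waits for a call-back on a known number the next morning; the check only decides when to pause, it does not decide whether the request is genuine.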
One Question Before You Continue
Rajesh transferred the money to a fraudulent account on a Thursday evening after a full workday. What made him vulnerable at that specific moment?