How to outsmart online scammers in the age of AI, according to a cybersecurity expert

October is Cybersecurity Awareness Month, but staying secure online is a year-round challenge, especially as criminals use new tools like generative AI to create sophisticated phishing emails, fake websites and even cloned voices.

Sebastian Schuetz

Sebastian Schuetz, an assistant professor of organizational leadership and information analytics at the Leeds School of Business, studies how leadership and human behavior shape cybersecurity outcomes. CU Boulder Today spoke with Schuetz about why people fall for scams even when they know better and what both individuals and leaders can do to reduce risk.

Why do so many people still fall for phishing emails and online scams, even when they know to be cautious?

Awareness alone isn’t enough to avoid phishing emails. Spotting scams depends not just on knowing what to look for, but on paying attention to subtle cues. Research shows that both knowledge and mindfulness when handling emails strongly influence people’s ability to spot phishing attempts.

Under time pressure, mindfulness decreases, making people more vulnerable to scams. Meanwhile, phishing tactics are evolving: Cues that once signaled phishing—like poor formatting, grammar mistakes or generic greetings—are increasingly rare. With generative AI, attackers can now craft sophisticated, targeted phishing emails at scale, leaving most of us less equipped to spot the difference.

What are some of the most common mistakes people make when it comes to passwords and online security?

One of the most common mistakes is failing to enroll in multi-factor authentication (MFA). While it can feel cumbersome and isn't foolproof, MFA is highly effective at strengthening account security by making it much harder for criminals to exploit stolen credentials.

Another frequent error is reusing passwords. Although convenient, reuse is particularly risky because the security of all accounts using the same credentials depends on the weakest link. When passwords are reused, even accounts on platforms with strong security measures can be compromised if attackers obtain credentials from less secure websites. The best way to improve online security is to enable MFA and to use password managers (e.g., Keychain, 1Password) to generate unique passwords for each website.

How have cybercriminals’ tactics evolved, especially as more of our shopping and banking happens online?

Generative AI has enabled cybercrime in three important ways. First, it helps even inexperienced scammers create convincing, error-free phishing emails. Second, it has made large-scale attacks cheaper and faster—what once took hours of manual work can now be done instantly. Third, AI-generated voices and videos allow criminals to impersonate real people on calls or video chats.

Together, these advances mean consumers must stay more alert than ever.

With the holidays approaching, what are the biggest digital threats consumers should watch for when shopping or donating online?

Online retail is particularly prone to scams. We all know the stories about people buying empty boxes, receiving counterfeit goods or never receiving their purchases at all. Scammers take advantage of the convenience of online shopping by creating fake storefronts, offering too-good-to-be-true prices or hijacking legitimate marketplaces to mislead buyers.

The holiday season makes this even worse. High demand and limited stock create urgency that criminals exploit. Consumers should shop with known retailers and marketplaces that provide clear refund or dispute processes.

In terms of the human side of cybersecurity, what does research tell us about how habits and emotions shape our digital safety decisions?

The human factor often gets blamed for cybersecurity failures—and for good reason, since many breaches stem from our own actions. It’s natural to trust too easily, skip updates or password changes, or click too quickly out of hope or fear. These instincts make us human, but they’re also what criminals exploit. Research shows that people who stay mindful and cautious by default are the most resilient to cybercrime.

Are there small, practical steps that make a big difference in protecting personal data—things people can do today without extra software or tech skills?

Be cautious with how you share information online. Avoid sharing sensitive or personal information through unencrypted channels like email or text. If someone asks you to provide documents or information, upload them only through the organization's official website, where appropriate security controls are more likely to be in place.

Never click on links in emails—go directly to the site by typing the address into your browser. When creating passwords, make them long. Each additional character exponentially increases password strength—even increasing from 10 to 12 characters makes a dramatic difference.

For companies or leaders, what role does culture or leadership play in keeping employees vigilant against attacks?

Culture is everything. Leadership sets the tone for cybersecurity. When managers model good security habits and treat data protection as part of doing the job well, employees follow suit.

Our research shows that organizations with strong security cultures are less vulnerable to attacks because people see protecting data as part of their core responsibilities. The opposite is also true—when leaders don’t prioritize security, security measures often fall flat.

Ultimately, a leader’s attitude toward cybersecurity ripples through the entire organization. Top leaders, in particular, set expectations for behavior—not only through communications and policies but also by modeling the right actions themselves. Research shows that when managers take security seriously, their subordinates do too.

If you could correct one major misconception about cybersecurity, what would it be?

The biggest misconception is that cybersecurity is just about technology. It’s not—it’s about strategic choices. No one can be 100% secure, and security requires effort and sacrifices. The real challenge is deciding what to prioritize and what risks you’re willing to live with. That’s as true for companies as it is for all of us at home.