RSAC 2026: The Surprising Reason Phishing Still Works on Everyone - PCMag UK

What’s the most dangerous component of an automobile? The nut behind the wheel, of course. The same is true in cybersecurity. You can have the most amazing security system in place, and it won’t do any good if someone persuades an unsuspecting user to unlock it. Randy Rose is the vice president for security operations at the Center for Internet Security, and in a presentation at the RSAC Conference in San Francisco, Rose took attendees on a journey inside the mind, seeking to understand just why we are all so easy to fool. In his introduction, Rose pointed out that his presentation is not cyber-focused at all. Rather, it looks at long-standing persuasion techniques used by con men and phishing fraudsters alike. He also called out PCMag for mentioning his talk in our conference preview. Thanks for the shoutout! Humans: The Most Dangerous Component of Security Rose opened by reviewing an eclectic collection of studies on how humans make bad choices. Yale psychologist and researcher Stanley Milgram demonstrated that good people will do bad things if enjoined to do so by an authority. Psychologist Robert Cialdini identified seven types of influence that can spark agreement. You May Also Like Perhaps most importantly, he referenced the work of Nobel Prize winner Daniel Kahneman. Kahneman identified two systems the brain uses to make decisions. “System 1 is fast, automatic, emotional, and intuitive,” noted Rose, “while System 2 is slow, effortful, logical, and deliberate. We live in System 1 all day, every day.” Rose explained that System 2 thinking literally uses more of your body’s energy, and that having evolved through periods of scarcity, we’re inclined to avoid expending that energy. Rose pointed out that our decision-making, especially System 1 decision-making, is affected by cognitive biases and logical fallacies. “A lot of us don’t realize that the mistakes we make when we’re trying to make decisions are things that we could avoid if we knew how,” said Rose. He noted that we can’t really eliminate biases and fallacies; the best we can do is recognize them and deploy mitigation tactics. “But this is a System 2 problem,” he continued, “so our brain is going to fight it every step of the way.” Get Our Best Stories! Stay Safe With the Latest Security News and Updates Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox. Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox. Email Sign Me Up By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. The highest caliber people I’ve ever worked with tend not to promote the work they’re doing. They tend to question everything. Rose went on to review several cognitive biases common in the cybersecurity field, such as assuming correlation between unrelated events or anchoring too strongly on a single data point. He noted that the Dunning-Kruger effect, where those with the least ability rate themselves highest and vice versa, is all too common in the cyber world. “The highest caliber people I’ve ever worked with tend not to promote the work they’re doing,” he said. “They tend to question everything.” Slowing Down: The Key to Outsmarting Scammers Rose pointed out that phishing remains the top entry vector for cyberattacks and that our attempts to train users to detect it are misguided. “Our training is noisy,” said Rose. “We focus on what to look for instead of how to think about it.” He went on to explain that AI is gradually eliminating all those red flags we were trained to spot. “The way that AI is changing the phishing game, the things we told people to look for in the past aren’t necessarily applicable,” said Rose. Recommended by Our Editors How to Spot and Avoid Phishing Scams: 5 Tips From Our Security Expert Your Company's Annoying Anti-Phishing Training? Probably a Huge Waste of Time and Money Former NSA Chiefs: We've All Become 'Numb' To Cybersecurity Threats Rather than look for signs of phishing or other fraud, Rose advised his listeners (and all of us) to slow down and be skeptical. “Slowing down helps a lot,” noted Rose. “It can push your brain into System 2 thinking.” He went on to recommend exercises such as reflecting on your own thinking, walking through your thinking processes with others, and even challenging your long-standing beliefs. The point is to get away from lazy (but practical) System 1 thinking and apply your brain’s full power to seeing through any fraud or deception. In the age of AI-driven scams, the best defense isn't spotting red flags—it's thinking harder, slower, and smarter than the attacker. About Our Expert Neil J. Rubenking Principal Writer, Security Experience When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces. Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link. In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions. Areas of Expertise Antivirus Malware Protection & Removal Ransomware Protection Security Suites Spyware Protection Latest By Neil J. Rubenking Google VP: Stop Playing Whac-A-Mole With Hackers Stop! These 5 Antivirus Misconceptions Could Leave You Unprotected The Best Antispyware Software for 2026 The Best Security Suites for 2026 The Best Antivirus Software for 2026 More from Neil J. Rubenking Read Full Bio