Why Email Urgency Is Now the Top Phishing Red Flag


For years, the advice was simple: check for typos, look for a suspicious sender address, and watch out for requests for sensitive information. But new research published this week signals a significant shift in how employees are identifying phishing threats. According to a KnowBe4 poll, the top phishing red flag employees cite today is not a grammatical error. It is the artificial pressure to act fast, and that shift has direct consequences for every security awareness training program.

The numbers are striking. In KnowBe4’s survey, 34% of workers named “pressure to act quickly” as the primary signal that an email is fraudulent. That outpaced unknown sender addresses (23%), requests for sensitive information (23%), and poor spelling or grammar (20%). Workers have adapted. The question is whether training programs have kept pace.

What AI Has Done to Phishing Emails

Urgency's rise to the top is no coincidence. Artificial intelligence has removed the rough edges that once made phishing emails easy to spot. Attackers now use large language models to generate thousands of highly personalized, grammatically flawless messages in minutes. Spelling mistakes and stilted phrasing, once reliable warning signals, are fast becoming relics of an older threat landscape.

What AI cannot easily fake is legitimate urgency. Real business emails rarely demand immediate action with a hard deadline or a threat of consequences. When an email tells you that your payroll access will be suspended in two hours, or that an executive is waiting on your wire transfer approval, the pressure itself is the red flag. Your team’s ability to pause on that feeling, rather than respond to it, is now a core security skill.

The scale of this shift is significant. Research from Hoxhunt and others suggests total global social engineering attacks increased roughly 47% year over year, with AI-generated content driving much of that volume. The cost of a phishing-related breach averaged $4.88 million in 2024, according to IBM’s Cost of a Data Breach Report. These are not abstract numbers. They represent real organizations whose people were caught off guard by a well-timed, well-crafted message.

The Psychology Behind the Pressure

Urgency works because it hijacks the brain’s threat response. When people feel time pressure, analytical thinking decreases and reactive behavior increases. Attackers have exploited this for decades in phone scams and door-to-door fraud, and it translates directly to email. A fabricated crisis bypasses the very diligence that organizations spend considerable resources building through employee training.

One data point from KnowBe4’s research deserves particular attention: 6% of employees now ignore suspicious emails entirely rather than reporting them. That silent dismissal is a problem. An unreported phishing attempt gives the security team no visibility into active campaigns targeting the organization. If your people are not reporting because they assume someone else will handle it, that gap needs to close.

What Good Training Looks Like Now

The shift in red flags has direct implications for how organizations build employee education programs. Generic training that focuses on grammar checks and sender verification is no longer sufficient on its own. Effective security awareness training in 2026 needs to help employees recognize psychological manipulation tactics: urgency, fear, authority impersonation, and false scarcity. Those are the levers attackers are pulling.

Research supports the investment. Regular, ongoing training reduces phishing susceptibility by approximately 23%, compared to just 8% after a single training session. That gap underscores why repeated exposure to realistic scenarios matters far more than a one-time annual module.

Equally important is how organizations test their people. Phishing simulations that only send misspelled emails with obvious red flags will not prepare staff for the polished, AI-assisted campaigns they are actually facing. Simulations should include high-pressure, grammatically correct lures that mimic real-world attack patterns, including Business Email Compromise scenarios, fake IT alerts, and executive impersonation attempts.

If you are unsure where your people are most vulnerable, a cybersecurity assessment can surface those gaps before an attacker does. Understanding which roles and departments face the highest social engineering exposure is the first step toward a training approach that actually reduces risk.

Three Things to Tell Your Team This Week

If you manage a team or lead security culture in your organization, here are three concrete messages worth sharing right now.

First, if an email makes you feel rushed, slow down deliberately. The urgency you feel may be manufactured, and pausing for 30 seconds is never the wrong call. Second, report suspicious emails even when you are not certain they are malicious. Every report gives the security team data on what attackers are testing against your organization. Third, any request involving money, credentials, or access changes deserves an out-of-band verification, meaning a phone call or a direct message through a separate channel, before action is taken.
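The same three messages can be encoded as a triage heuristic for a phishing-report mailbox, or used to check that a simulation template exercises pressure tactics rather than typos. The Python below is an added example, not code from KnowBe4 or any other source cited here. The cue patterns, the `triage` function, the advice labels and the sample messages are all constructed assumptions.

```python
import re

# Cue lists are illustrative assumptions; tune them against your own reported mail.
TACTICS = {
    "urgency": r"\b(?:within|in)\s+(?:the\s+next\s+)?(?:\d+|an?|one|two|three)\s+(?:minutes?|hours?)\b"
               r"|\b(?:immediately|right away|asap|urgent(?:ly)?)\b",
    "fear": r"\b(?:suspend|deactivat|terminat|disabl)\w*"
            r"|\b(?:locked out|legal action|final (?:notice|warning))\b",
    "authority": r"\b(?:ceo|cfo|executive|managing director|it (?:support|help ?desk))\b",
    "scarcity": r"\b(?:last chance|limited time|only \d+ (?:left|remaining)|expires? (?:today|soon))\b",
}
# Request types the article says deserve out-of-band verification.
SENSITIVE = {
    "money": r"\b(?:wire transfer|payment|invoice|gift cards?|bank details)\b",
    "credentials": r"\b(?:passwords?|credentials|log ?in|verification code)\b",
    "access": r"\b(?:access|permissions?|payroll)\b",
}

def _hits(patterns, text):
    """Return the names of all cue groups that match, in dictionary order."""
    return [name for name, rx in patterns.items() if re.search(rx, text, re.I)]

def triage(subject, body):
    """Tag a message with manipulation tactics and sensitive request types."""
    text = f"{subject}\n{body}"
    tactics, sensitive = _hits(TACTICS, text), _hits(SENSITIVE, text)
    if tactics and sensitive:
        advice = "report-and-verify-out-of-band"
    elif sensitive:
        advice = "verify-out-of-band"
    elif tactics:
        advice = "pause-and-report"
    else:
        advice = "no-cue"
    return {"tactics": tactics, "sensitive": sensitive, "advice": advice}

# Constructed sample messages (the first two mirror the scenarios in this article).
SAMPLES = [
    ("Action required: payroll access",
     "Your payroll access will be suspended in two hours unless you confirm your password."),
    ("Quick favor",
     "The CFO is waiting on your wire transfer approval. Please handle this immediately."),
    ("March invoice", "Invoice for March is attached. Payment terms are net 30 as usual."),
    ("Team lunch Thursday",
     "We are ordering lunch on Thursday. Reply with your order when you get a chance."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(f"{subject!r}: {triage(subject, body)}")
```

Keyword cues like these only surface candidates for a human to review. A lure with no matching phrase returns `no-cue`, so the output cannot stand in for reporting or out-of-band verification.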

Phishing attacks are becoming better at mimicking legitimate communication. The defenses that work in 2026 are the ones built around the tactics attackers are using right now, not the ones that were common five years ago. Urgency is the new red flag. Make sure your people know it.

Sources