Richa Abraham
Imagine receiving a message on a Thursday afternoon.
It appears harmless at first glance — perhaps a notification about an EMI card from Bajaj. You’ve never applied for one, and you have no connection to the company. But your thumb still hovers over the blue link for a split second. That brief hesitation, that spark of curiosity, is exactly what cybercriminals are counting on.
This is smishing, a form of phishing delivered through SMS. But the real weapon isn’t just the malicious link; it’s behavioral science.
Over the years, researchers have explored the powerful role of curiosity. Loewenstein’s (1994) Information-Gap Theory explains that curiosity is triggered when there’s a gap between what we know and what we want to know. A vague but urgent message creates that tiny mental itch: What if this is real? What card? What delivery? Even when the rational mind suspects it’s fake, the brain nudges toward investigating it.
Smishing works by hijacking the emotional system. These messages often use behavioral triggers — phrases like “Great News!” spark excitement, “CHECK NOW” instills urgency, and the use of personal details adds familiarity. This taps into System 1 thinking (Kahneman, 2011) — our fast, automatic, emotional mode of processing. While System 1 helps in everyday decision-making, it’s not designed to detect manipulation or deception. Smishing thrives in that vulnerability.
Add to this the reality of modern life — people are often multitasking, distracted, or mentally fatigued. Psychologists refer to this as cognitive load, and when it’s high, individuals are more likely to rely on mental shortcuts and less on critical thinking. Research by Shah and Oppenheimer (2008) on cognitive ease reveals that when the brain is tired, effortless choices feel more appealing. Clicking a link becomes easier than questioning its authenticity.
So, how can individuals protect themselves?
The solution isn’t fear, it’s mindfulness. Taking a moment to pause before reacting to emotionally charged messages can go a long way. Messages mentioning deliveries, banking issues, or limited-time offers should always be verified through official websites or apps instead of clicking links directly. Promoting digital hygiene — especially among those less familiar with online threats — can build a collective behavioral immunity. Cybersecurity nudges like browser alerts, spam filters, and pop-up warnings also act as behavioral guardrails.
Smishing is more than a scam — it’s a psychological manipulation. In a world where hackers may understand cognitive patterns better than browsing history, cybersecurity begins with behavioral awareness. Click less and think more.
References:
Kahneman, D. (2011). Thinking, Fast and Slow.
Loewenstein, G. (1994). The psychology of curiosity: A review and reinterpretation. Psychological Bulletin, 116(1), 75.
Shah, A. K., & Oppenheimer, D. M. (2008). Heuristics made easy: An effort-reduction framework. Psychological Bulletin, 134(2), 207.