When Excitement Becomes a Security Risk

Symbol Security

Author

When Excitement Becomes a Security Risk: How Sports, Emotion, and Phishing Collide

TLDR: Major sporting events trigger emotional arousal that predictably impairs phishing detection. Research from behavioral science and cybersecurity shows that excitement creates a “hot state” empathy gap, and users perform near chance levels at spotting phishes under cognitive load. The defense is not more training videos. It is self-awareness: teaching employees to recognize their own emotional states before they click.

The 2026 World Cup is underway. The NBA Finals are here. Millions of fans are streaming games, checking scores, hunting for tickets, and refreshing feeds in a state of sustained excitement.

Cybersecurity researchers are watching too. Kaspersky reported in May 2026 that threat actors are distributing the Massiv banking Trojan and Perseus malware through fake Android IPTV apps targeting World Cup streamers [1]. The apps mimic legitimate platforms, open real sites in embedded browsers to avoid suspicion, and then abuse Android Accessibility Services to capture screenshots, log keystrokes, and harvest banking credentials and cryptocurrency wallet data from note-taking apps.

This is not a coincidence. It is a pattern. Major sporting events create predictable emotional conditions that attackers exploit by design.

The Attack Surface of Excitement

Every major sporting event produces the same attack playbook. Fake streaming apps. Ticket scams. Urgent account alerts tied to fantasy leagues. Limited-time merchandise drops. The content changes. The structure does not.

What makes these campaigns effective is not the quality of the forgery. It is the state of the victim.

Research in behavioral decision science has established that people in emotionally neutral states systematically underestimate how “hot” emotional states — craving, excitement, urgency — will alter their future behavior. Sayette, Loewenstein, Griffin, and Black demonstrated this in smokers: individuals in a low-craving state underpredicted the value they would place on smoking when actually craving a cigarette [2]. The gap between prediction and behavior is called the cold-to-hot empathy gap.

The same mechanism operates during the NBA Finals or a World Cup knockout match. An employee in a calm morning meeting believes they would never click a suspicious streaming link. At 10 PM, trailing by one goal in extra time, that same employee is in a hot state. The empathy gap means their morning self cannot accurately predict their night self’s judgment.

Read and van Leeuwen found that current visceral states contaminate choices made for the future: hungry participants chose more unhealthy snacks for consumption one week later, showing that present appetite distorted future planning [3]. Applied to security, present excitement distorts future risk assessment. The fan who is emotionally activated right now cannot accurately evaluate the threat posed by a phishing link.

Why Emotion Disarms Detection

The effect is not limited to appetite or addiction. Forgas and East showed that positive affect reduces skepticism and impairs the detection of deception [4]. Participants in a positive mood were less likely to identify misleading information and more likely to accept false claims. Excitement, like happiness, narrows critical scrutiny.

Lain, Marczak, and Ribeiro, in a 2024 ACM CCS study, found that “phishing is an attention problem, rather than a knowledge one” [5]. Time pressure and cognitive load are the primary drivers of failure. Major sporting events deliver both: fans are multitasking, checking phones during commercials, and processing rapid emotional information. The result is not a knowledge gap. It is an attention collapse.

Hydari, Li, and So demonstrated that emotion framing in phishing simulations can eliminate the persistence of bad clicking habits [6]. Emotional context modifies behavior. If attackers can weaponize emotion against users, defenders can weaponize self-awareness for them.

The Metacognition Blind Spot

Here is the most uncomfortable finding. People do not know they are failing.

Sarno and Neider, in a 2022 Human Factors study, examined how email load and phishing prevalence influence detection accuracy. The result was sobering: phishing detection was near chance levels across all conditions. More critically, participants demonstrated “poor metacognition with overconfidence, low self-reported difficulty, and low perceived threat” [7].

Users believed they were doing fine while performing at random. High email load made the task feel harder but did not make users more cautious. Low phishing prevalence decreased sensitivity. The participants did not adjust their behavior because they did not realize they needed to.

Canfield, Fischhoff, and Davis applied signal detection theory to phishing susceptibility and found that greater willingness to treat emails as legitimate was negatively correlated with perceived consequences and positively correlated with confidence [8]. The people most at risk were the most confident. The authors concluded that providing feedback on detection abilities and consequences could improve outcomes.

This is the bridge between self-awareness and security awareness. Security awareness is often taught as a knowledge transfer: here are the indicators, here is the policy. The research says the problem is not knowledge. It is real-time self-monitoring.

Self-Awareness as a Security Control

Self-awareness, in psychology, is the capacity to observe one’s own internal state — thoughts, emotions, attention — as an object of reflection rather than being driven by it. In security, this translates to the momentary ability to ask: “What state am I in right now, and how is that affecting this decision?”

The Phishing Email Suspicion Test (PEST), developed by Hakim et al., provides a framework for quantifying phishing detection in ecologically valid settings. The model measures overall suspicion level, discriminability between phishing and legitimate emails, and sequential bias from recent emails [9]. The critical insight for practitioners is that suspicion is a measurable cognitive variable. Training users to monitor their own suspicion level — rather than memorizing static indicators — aligns with the metacognitive approach the research supports.
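To make "suspicion is measurable" concrete, the following added example (not code from Symbol Security or from the cited papers) scores simulated-phishing results with the standard signal detection measures: d′ for discriminability and criterion c for the bias toward treating email as legitimate, plus the gap between self-rated confidence and actual accuracy. The context names, outcome counts and confidence ratings are constructed for illustration.

```python
from statistics import NormalDist, mean

probit = NormalDist().inv_cdf  # maps a rate in (0, 1) to a z-score

def sdt(hits, misses, false_alarms, correct_rejections):
    """Return (d_prime, criterion_c); log-linear correction avoids rates of 0 or 1."""
    h = (hits + 0.5) / (hits + misses + 1)
    f = (false_alarms + 0.5) / (false_alarms + correct_rejections + 1)
    return probit(h) - probit(f), -0.5 * (probit(h) + probit(f))

def summarize(trials):
    """trials: (context, is_phish, reported_as_phish, self_rated_confidence 0..1)."""
    report = {}
    for ctx in sorted({t[0] for t in trials}):
        rows = [t for t in trials if t[0] == ctx]
        hits = sum(p and r for _, p, r, _ in rows)
        misses = sum(p and not r for _, p, r, _ in rows)
        fas = sum(r and not p for _, p, r, _ in rows)
        crs = sum(not p and not r for _, p, r, _ in rows)
        d_prime, criterion = sdt(hits, misses, fas, crs)
        accuracy = (hits + crs) / len(rows)
        report[ctx] = {
            "d_prime": round(d_prime, 2),      # near 0 means guessing
            "criterion": round(criterion, 2),  # > 0 means leaning toward "legitimate"
            "accuracy": round(accuracy, 3),
            # Positive gap: the user feels more accurate than they are.
            "overconfidence": round(mean(t[3] for t in rows) - accuracy, 3),
        }
    return report

def trials_for(ctx, hits, misses, fas, crs, confidence):
    """Expand outcome counts into per-email trial rows (constructed data)."""
    return ([(ctx, True, True, confidence)] * hits
            + [(ctx, True, False, confidence)] * misses
            + [(ctx, False, True, confidence)] * fas
            + [(ctx, False, False, confidence)] * crs)

# Constructed sample, not real results: 20 phishing + 20 legitimate emails per context.
SAMPLE = (trials_for("quiet_week", 16, 4, 3, 17, 0.80)
          + trials_for("match_night", 6, 14, 5, 15, 0.85))

if __name__ == "__main__":
    for ctx, row in summarize(SAMPLE).items():
        print(ctx, row)
```

In the constructed data, the match-night rows show the pattern the research describes: d′ close to zero, a positive criterion, and confidence well above accuracy, which is the number to show an employee as feedback.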

Toth et al., in a 2025 IEEE BigData longitudinal study across 20 organizations, 1,300 employees, and 13,000 simulated phishing emails over 12 months, found that emotional triggers significantly influence susceptibility, and sustained training halves compromise rates within six months [10]. But the training that works is not annual compliance video completion. It is continuous, embedded practice that builds attentional habits.

What This Means for Security Programs

If you are running a security awareness program, the World Cup and NBA Finals are not distractions from your training calendar. They are natural experiments in emotional vulnerability.

Three practical shifts:

1. Train for state recognition, not just signal recognition. Employees do not need another list of phishing indicators. They need practice noticing when they are emotionally activated, time-pressured, or cognitively loaded. Simulate emails that arrive on Monday morning, during breaking news, and after major sporting events. The context matters as much as the content.

2. Provide immediate metacognitive feedback. After a failed simulation, do not just assign a video. Ask the employee what they were thinking when they clicked. Canfield et al.’s findings suggest that feedback on detection ability and consequences improves performance [8]. Reflection builds self-monitoring capacity.

3. Adjust simulation timing to real-world risk calendars. Run phishing simulations during high-distraction periods. If your organization has a culture of sports fandom, the risk window is not abstract. It is this week. Sarno and Neider showed that high email load compounds poor detection [7]. If inboxes are already heavy with event-related communication, that is when your simulation should arrive — not during a quiet Tuesday when attention is abundant.

The One Question

The most effective security control might fit in a sentence. Before clicking any link during a major event, ask:

“If I were calm right now, would this still feel urgent?”

That question is the practical application of the cold-to-hot empathy gap research. It forces a perspective shift from the hot state to the cold state. It does not require technical knowledge. It requires self-awareness.

Attackers bet that you will not ask it.

References

[1] Kaspersky, “Don’t let fake IPTV apps ruin your World Cup,” Kaspersky Daily, May 29, 2026. https://www.kaspersky.com/blog/fake-iptv-apps-spread-android-malware/55872/

[2] M. A. Sayette, G. Loewenstein, K. M. Griffin, and J. J. Black, “Exploring the cold-to-hot empathy gap in smokers,” Psychological Science, vol. 19, no. 9, pp. 926–932, Sep. 2008. https://doi.org/10.1111/j.1467-9280.2008.02178.x

[3] D. Read and B. van Leeuwen, “Predicting hunger: The effects of appetite and delay on choice,” Organizational Behavior and Human Decision Processes, vol. 76, no. 2, pp. 189–205, Nov. 1998. https://doi.org/10.1006/obhd.1998.2803

[4] J. P. Forgas and R. East, “On being happy and gullible: Mood effects on skepticism and the detection of deception,” Journal of Experimental Social Psychology, vol. 44, no. 5, pp. 1362–1367, 2008. https://doi.org/10.1016/j.jesp.2008.04.010

[5] L. Lain, D. Marczak, and E. Ribeiro, “Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training,” in Proc. 2024 ACM SIGSAC Conf. Computer and Communications Security (CCS), 2024. https://doi.org/10.1145/3658644.3690348

[6] M. Hydari, Y. Li, and R. H. Y. So, “Research Note—Breaking Bad Email Habits: Bounding the Impact of Simulated Phishing Campaigns,” SSRN, 2024. https://doi.org/10.2139/ssrn.6343920

[7] D. M. Sarno and M. B. Neider, “So many phish, so little time: Exploring email task factors and phishing susceptibility,” Human Factors, vol. 64, no. 8, pp. 1379–1403, Dec. 2022. https://doi.org/10.1177/0018720821999174

[8] C. I. Canfield, B. Fischhoff, and A. Davis, “Quantifying phishing susceptibility for detection and behavior decisions,” Human Factors, vol. 58, no. 8, pp. 1158–1172, Dec. 2016. https://doi.org/10.1177/0018720816665025

[9] Z. M. Hakim et al., “The Phishing Email Suspicion Test (PEST): A lab-based task for evaluating the cognitive mechanisms of phishing detection,” Behavior Research Methods, vol. 53, no. 3, pp. 1342–1352, Jun. 2021. https://doi.org/10.3758/s13428-020-01495-0

[10] I. Toth et al., “Sustaining Cyber Awareness: The Long-Term Impact of Continuous Phishing Training and Emotional Triggers,” in 2025 IEEE Int. Conf. Big Data (BigData), 2025. https://doi.org/10.1109/bigdata66926.2025.11402180
