Your Best Phishing Defense Is Context, Not Analysis

Most people catch phishing because they know they do not have an Apple account, not because they spotted a spoofed domain. That distinction matters more than the security industry acknowledges.


Someone asked me a good question about Threat Terminal recently: how does the game account for the fact that most phishing gets caught by contextual signals, not analytical ones?

The examples were specific. I do not have an Apple account, so a billing failure from Apple is immediately suspicious. I know all my employer's suppliers, so an invoice from an unknown vendor is obviously fake. I am not expecting a parcel, so a failed delivery notification does not land.

These are not analytical judgments. They are contextual ones. The recipient does not need to inspect the sender domain, check the reply-to header, or evaluate the tone of the email. They already know the premise is false. The email is dead on arrival.

The honest answer is that the game does not account for this. It cannot. But the reason it cannot is worth exploring, because it points to something the security industry does not talk about enough.

Context is doing most of the work

Think about how you actually process your inbox. Before you evaluate anything about an email's construction, you are already filtering against what you know about your own life. You know which services you use. You know which colleagues would contact you about what. You know whether you have an outstanding order, a pending payment, or a scheduled meeting.

That contextual filter eliminates the majority of phishing before any analysis even begins. A credential harvesting email for a bank you do not use fails instantly. An authority impersonation email from a "CEO" you have never heard of does not survive first contact. A pretexting email referencing a project you are not on gets flagged without effort.

This is not a minor factor. For most people, context is the primary defense mechanism. Analytical skill, the ability to inspect headers and spot inconsistencies, is the secondary one. It only activates when context does not resolve the question first.

Where context fails

The problem is that context is only a defense when it contradicts the phish. When context aligns, the defense disappears entirely.

Consider what happens when an attacker gets the context right. You are expecting a delivery. You do use that bank. Your company did just announce a new HR policy. The contextual filter that catches 90 percent of phishing is now working against you, because the premise of the email is plausible. You move past the contextual check and into the analytical one, and most people are not trained for that transition.

This is exactly why targeted phishing is so much more dangerous than bulk campaigns. A mass phishing email only lands when the context happens to match by coincidence. A targeted email is built to match your context on purpose. The attacker has done the research. They know you use that service, report to that manager, and are working on that project. Your contextual filter, the thing that catches everything else, waves it through.

Hyper-personalized phishing is not just more convincing. It disables the defense mechanism that most people rely on without even realizing it.

Why the study does not test this

I spent time thinking about how to incorporate contextual signals into the study. Every approach I considered ran into the same wall: doing it properly would require collecting detailed personal information from players. What services you use. Who your employer is. What you are expecting in the mail. What projects you are working on.

That is the kind of data I would never be comfortable collecting, especially in a study about security. Asking people to hand over the exact information an attacker would need to target them, in order to study whether targeting works, is a contradiction I could not resolve.

So the study tests something different. Threat Terminal measures whether people can recognize the structural signature of a phishing technique when context is removed entirely. Players review emails as a neutral third party. They cannot rely on "I do not use that service" because the email is not addressed to them. They have to evaluate the email on its construction: is the manipulation mechanism visible, and can they identify it?

That is a narrower question than "would this email fool you in your actual inbox." But it is a useful one, because it isolates the analytical skill that takes over when context fails.

The gap that matters

This distinction has real implications for how phishing training should work.

Most awareness programs focus on analytical skills: check the sender, hover over links, look for urgency. Those skills matter. But they are the backup system. The primary system, the contextual filter, is never trained at all. It is assumed.

That assumption holds for bulk phishing. It does not hold for targeted attacks. And the barrier to producing targeted phishing has dropped to nearly zero. AI can generate contextually appropriate, well-researched, individually personalized phishing emails at scale. The attacker does not need to spend hours researching each target manually. The model handles it.

When contextual signals can be matched by the attacker, analytical skills become the only line of defense. The Threat Terminal data will show how well people actually perform on that analytical layer, stripped of contextual support. If certain techniques produce low detection rates even when players are actively looking for them, that tells us something important: those are the techniques that will succeed when an attacker gets the context right.

The organizations that take this seriously will train people for the moment when context stops helping. That is the gap between defending against bulk phishing and defending against what comes next.

Play Threat Terminal or read the full methodology.
