The Action Pause: A 10-Second Habit for Phishing That Passes Every Filter
A post-filter, user-layer defense calibrated against 2,511 classifications from the Threat Terminal study. Trigger on the request, not the content.
The work most security email gateways do is invisible when it succeeds. Microsoft and Google's native filtering, Proofpoint, Mimecast, Abnormal, SPF, DKIM, and DMARC between them discard the overwhelming majority of inbound phishing before anyone sees it. The industry reporting on this is consistent: technical controls catch most of what they are built to catch. When a breach begins with phishing, it almost always begins with the residual class. Those are the messages that bypassed every technical layer and landed cleanly in a user's inbox.
That residual class is, by selection, the hardest to detect. Clean authentication. Clean infrastructure. Fluent prose. Plausible context. The messages are not sloppy because the sloppy ones already got filtered out, and the attacker knows what passes.
This post is about that class specifically, and a framework I built to address it. The full specification lives at scottaltiparmak.com/research/action-pause, a standalone, PDF-shareable page designed for teams who want to use it. What follows is the argument for why the framework is what it is.
What the training in most organizations is optimized for
Most corporate awareness training still teaches detection through indicators. Look for misspellings. Hover over the URL. Check the sender domain. Watch for urgent language. These heuristics were built against a generation of phishing that was sloppy, authored at volume by attackers who could not afford the tooling or the time to write well.
That attacker is gone. The attacker who replaced them uses language models to produce emails with native fluency, tailors content to the recipient's role, and sends from infrastructure that passes authentication. By the time the message reaches the user, every traditional indicator has been sanded off. The email gateway already did the technical filtering it knows how to do. What remains is whatever the filter could not catch.
Users are not trained for that moment. I ran a study to measure exactly how badly.
What the data shows
Threat Terminal is a gamified research platform I built at research.scottaltiparmak.com. Over twenty-five days in March 2026, 153 participants completed 2,511 binary classification tasks against 1,000 email cards. All cards, both phishing and legitimate, were generated by Claude-family language models. Participants classified each as phishing or legitimate and reported a confidence level.
A mid-study protocol revision removed the display of authentication headers on March 22, creating a cleaner Phase 2 analytical baseline. In Phase 2, overall accuracy was 85.9 percent. That number is reasonable. What happened on the misses is not.
The technique-level miss rates ranked as follows in Phase 2:
| Technique | Miss rate |
|---|---|
| Authority impersonation | 20.5% |
| Urgency | 16.8% |
| Pretexting | 16.3% |
| Fluent prose | 16.2% |
| Hyper-personalization | 14.5% |
| Credential harvest | 12.5% |
Credential harvest is the only technique most corporate training programs drill systematically. It is also the easiest category to detect. The four categories users struggle with most are the ones training barely touches.
The confidence data is where the finding becomes alarming. Across the pooled dataset, 60.5 percent of phishing misses occurred when participants reported the highest confidence level. This is not a guessing problem. It is an overconfidence problem. People are not falling for phishing because they are uncertain and unlucky. They are falling for it because they are certain and wrong.
One more number. In Phase 1, phishing emails that displayed passing authentication results (SPF and DKIM pass) were detected at only 76.0 percent, compared to 86.8 percent for emails displaying failed authentication. Clean authentication reduced detection accuracy by more than ten points. The technical signal users were taught to trust made them more vulnerable, not less.
Full data, methodology, and limitations: Preliminary Empirical Findings (doi:10.5281/zenodo.19410549).
The failure mode is not missed signal. It is late signal.
The data tells you where people fail but not why. The why came up over and over in the course of running this study and talking to people about real-world phishing losses: they noticed something was off, but they had already clicked. "I knew it was weird the second I hit the button" is the modal account. The signal arrived. The reflection never fired in time to stop the action.
This is a cognitive property of a well-crafted phish, not a moral failing of the target. The message keeps the recipient in the action loop (reading, recognizing, responding) without surfacing the reflection that would interrupt it. The signal users cite in hindsight is there, but it arrives late. That is why good phishing is so successful against otherwise careful people.
Any framework only helps if its trigger fires before the action. "Pause when you notice an ask" helps only if noticing an ask is itself reflexive, surfacing automatically rather than requiring the user to remember a framework in the moment. The three questions and the calibration rule below are deliberate, considered interventions. They only work if a reflexive trigger hands them the moment.
That is what good training builds: a reflex that fires on "this is asking me to act." The Threat Terminal data shows this shape directly. Within a single session, accuracy rose from 79.3 percent on the first card to 89.3 percent by the fifth. That is not knowledge acquisition in five minutes. It is a trigger getting faster. Annual awareness modules do not produce this pattern. Short, frequent exposures do. That makes the curriculum principle on short-and-frequent training load-bearing rather than stylistic: the framework does not work without it.
The Action Pause
The framework is a single micro-habit, triggered by the structure of what the email is asking the reader to do rather than by the quality of the email itself. This trigger inversion is the conceptual move. Every prior awareness framework fires on content signals. Those signals no longer isolate the attack class.
Trigger. Any email, message, or document that asks you to take an action. Clicking a link, signing in, approving something, paying, forwarding data, replying with information, installing software, scanning a QR code. If there is no action request, no pause is needed. The pause is attached to action, not to reading.
The pause is about ten seconds. Three questions and one calibration.
Question 1: Am I expecting this? Unexpected requests carry a heavier burden of proof. This question addresses hyper-personalization and fluent prose, where the language is clean but the context is wrong. If the email reads perfectly but the request comes from nowhere, that is the signal.
Question 2: Does this request fit how this person or system normally reaches me? Wire instructions that always go through a procurement portal should not suddenly arrive by email. A vendor who normally uses a ticket system should not ask you to click a password reset in a direct message. This question addresses authority impersonation (20.5 percent miss rate) and pretexting (16.3 percent). Attacks in these categories succeed by mimicking a plausible sender. The defense is knowing what plausible actually looks like for that relationship.
Question 3: If this is fake, what breaks? Money, credentials, access, data. If the answer is any of those, the verification bar is high and non-negotiable. If the answer is nothing consequential, you can proceed with less ceremony. This question pulls urgency-driven decisions (16.8 percent miss rate) out of the emotional loop and back into a consequence frame.
Calibration. After the three questions, rate your certainty honestly. If you are not certain, you verify out-of-band before acting. If you are certain but have not verified out-of-band on a consequential action, downgrade your certainty and verify anyway.
That last rule is the one the data earns. Sixty percent of the misses happened at the highest confidence level. Certainty without independent confirmation is the failure mode. The calibration rule does not ask users to be more skeptical in the abstract. It asks them to treat unverified certainty as a warning sign about themselves.
The standing rule: clean is not safe
For any consequential action, the email itself is never sufficient evidence. Verification happens through a separate channel: a known phone number, a known portal, a walk to a desk, a conversation in a tool the attacker cannot impersonate. This rule survives AI-generated content, authentication-passing infrastructure, and convincing pretexts because it does not rely on the email to prove anything.
The Phase 1 finding that passing SPF and DKIM reduced detection from 86.8 percent to 76.0 percent is the strongest argument for this rule I know of. Clean is not safe. Clean is quiet. Those are different things.
Where this sits relative to prior frameworks
The Action Pause builds on prior work rather than replacing it. I ran through the comparison carefully because if this is actually novel, the novelty should be defensible on specifics.
| Framework | Trigger | Calibration | Scope |
|---|---|---|---|
| Stop. Think. Connect. (NCSA / DHS, 2010) | Online action or suspicious content | Implicit | General online safety |
| NIST SP 800-50 / 800-16 | Curriculum specification | Not addressed | Enterprise awareness |
| PhishGuru embedded training (Kumaraguru, CMU) | Post-click in simulation | Not addressed | Simulation-tethered |
| Indicator-based heuristics (SANS, vendor curricula) | Email content cues | Not addressed | Pre-AI phishing |
| The Action Pause | Request structure | Explicit rule | Post-filter, AI-era residual |
Two things are new. First, the trigger is structural rather than content-based: you pause on the request, not on signals in the message. That only matters in a world where content signals have been flattened by AI, which is exactly the world the Threat Terminal data is measuring. Second, the calibration rule is explicit rather than implicit: unverified certainty on a consequential action is treated as a warning sign. This operationalizes the confidence-calibration findings from Canfield, Fischhoff, and Davis (2016) into a behavioral rule at the point of action.
Everything else (trigger-pause-verify as a shape, the importance of forensic inspection, the value of embedded feedback) comes from the prior work and is gratefully cited in the framework spec page.
Rolling it out
For practitioners, four design notes follow from the data.
Teach the trigger first, not the questions. Most misses happen because the user did not notice they were about to act. Recognizing an action request is the core skill. The questions come second and are easier to teach once the trigger is reflexive.
Weight curriculum time toward the content-dependent categories. Most awareness programs are heavily oriented around credential harvest, which is the easiest category for users to detect and the one where training has already done its work. The marginal return on more credential-harvest content is low. The high-return material is authority impersonation, urgency, pretexting, and fluent prose. These are the categories where users struggle, and where forensic shortcuts like URL hovering do not help equally (the URL-inspection accuracy lift is +13 percentage points for authority impersonation but only +1 for fluent prose).
Prefer short, frequent exposures over annual modules. Mean participant accuracy in the study rose from 80.2 percent in the first session to 88.6 percent by the third. Within a session, performance rose from 79.3 percent on the first card to 89.3 percent by the fifth. Iterative exposure is doing real work. Annual sixty-minute compliance modules do not replicate this pattern.
Measure confidence alongside correctness. Overconfident misses are the highest-value feedback event you can surface to a user. A generic "you got one wrong" notification is weaker than "you were certain, and you were wrong." The latter is the specific signal the data says changes behavior.
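The three metrics this post leans on (technique-level miss rate, the share of misses reported at the highest confidence level, and phishing detection split by the authentication result shown to the user), plus the "you were certain, and you were wrong" feedback event from the last design note, as an added example for teams scoring their own simulation data. This is not code from the Threat Terminal platform; the records are constructed, and the 1 to 3 confidence scale, the technique labels and the `auth_display` values are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Classification:
    """One participant verdict on one email card (constructed shape, not the study's schema)."""
    technique: str       # attacker technique tag on the card ("legit" for genuine mail)
    is_phish: bool       # ground truth
    called_phish: bool   # participant's verdict
    confidence: int      # 1 (low) .. 3 (highest), an assumed scale
    auth_display: str    # what the auth banner showed: "pass", "fail" or "hidden"


def missed(c: Classification) -> bool:
    """A miss is a phishing card the participant waved through as legitimate."""
    return c.is_phish and not c.called_phish


def miss_rate_by_technique(rows):
    """Fraction of phishing cards per technique that were classified as legitimate."""
    seen, miss = defaultdict(int), defaultdict(int)
    for c in rows:
        if c.is_phish:
            seen[c.technique] += 1
            miss[c.technique] += missed(c)
    return {t: miss[t] / seen[t] for t in seen}


def overconfident_miss_share(rows, top: int = 3) -> float:
    """Share of all phishing misses that were reported at the highest confidence level."""
    misses = [c for c in rows if missed(c)]
    return sum(c.confidence == top for c in misses) / len(misses) if misses else 0.0


def detection_by_auth_display(rows):
    """Phishing detection rate keyed by the authentication result the user was shown."""
    seen, hit = defaultdict(int), defaultdict(int)
    for c in rows:
        if c.is_phish:
            seen[c.auth_display] += 1
            hit[c.auth_display] += c.called_phish
    return {k: hit[k] / seen[k] for k in seen}


def overconfident_misses(rows, top: int = 3):
    """The highest-value feedback events: certain, and wrong, on a phishing card."""
    return [c for c in rows if missed(c) and c.confidence == top]


# Constructed sample records (illustrative only, not the study's dataset).
SAMPLE = [
    Classification("authority", True, False, 3, "pass"),
    Classification("authority", True, True, 2, "fail"),
    Classification("authority", True, False, 3, "pass"),
    Classification("authority", True, True, 3, "hidden"),
    Classification("urgency", True, True, 3, "pass"),
    Classification("urgency", True, False, 2, "pass"),
    Classification("credential", True, True, 3, "fail"),
    Classification("credential", True, True, 3, "pass"),
    Classification("credential", True, True, 2, "hidden"),
    Classification("legit", False, True, 1, "pass"),   # false positive, not a miss
    Classification("legit", False, False, 3, "pass"),
]
```

Feed it one row per (participant, card) from a simulation export and the per-technique table and the auth-display split fall out directly; the overconfident-miss list is what to surface back to individual users.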
What is next
I am preparing to validate this framework in an enterprise pilot through a gamified training system built on the same research instrument. Early results and dataset access will be published through Zenodo alongside the full analytical paper. Organizations interested in piloting the Action Pause with their users can reach me at scott@scottaltiparmak.com.
The full framework spec, citation block, and a print-ready version live at /research/action-pause.
The habit is simple. If it asks you to do something, pause. Ask whether you expected it, whether it fits the normal channel, and what breaks if it is fake. Rate your certainty honestly. If you are not certain, or if you are certain but have not verified through a separate channel on something consequential, verify before you act. Ten seconds. That is the whole framework.
The protocol paper (doi:10.5281/zenodo.19059296) and preliminary findings (doi:10.5281/zenodo.19410549) are openly available. Threat Terminal is at research.scottaltiparmak.com.