The Cognition-First Fallacy

GovIntegrity, February 18, 2026
The uncomfortable truth at the center of modern fraud prevention is that we have been training the wrong part of the human being.

For three decades, anti-fraud and cybersecurity programs have been built on the clean, reassuring premise that if people know what to do, they will do it. Teach the checklist. Circulate the policy. Run the phishing simulation. Measure compliance.

And yet the links are still clicked. According to the FBI’s 2024 Internet Crime Report, victims reported more than 859,000 complaints of cyber-enabled crime and online fraud in 2024, a roughly 33 percent increase from the prior year. That figure reflects a dramatic surge in the scope of scams and internet-enabled fraud, underscoring that the problem is not declining and not plateauing. It is accelerating.

This is not because people are stupid. It is because the entire model is misdiagnosed. Fraud is not primarily a failure of knowledge. It is a failure of state.

Criminals don’t win by outsmarting their targets. They win by altering the target’s emotional climate. They manufacture urgency, fear, relief, flattery, obligation. And by doing so, they destabilize, they narrow attention, and they accelerate time. And in that altered state, the checklist dissolves. Cognition, which training treats as sovereign, is bypassed altogether.

Under stress, the brain does not deliberate. It reacts. And yet we continue to design as if the moment of attack will occur in a serene conference room with a laminated policy binder nearby. We keep designing cognitive solutions for emotional problems.

When I put this to Dr. Alexander Stein, he didn’t hesitate.

“My opening gambit,” he told me, “is to announce that cybersecurity is a human issue that involves technology, not a technology problem that can be solved technocratically.”

That inversion is diagnostic.

Fraud Is Emotional First, Cognitive Second

Dr. Stein leverages his background as a trained clinical psychoanalyst to deliver deep expertise in leadership decision-making and the psycho-social dynamics that shape behavior inside organizations. He is the founder of Dolus Advisors, a specialist strategic consultancy based in New York City.

His starting point is disarmingly simple: malicious human behavior is a human problem.

Not a dashboard problem.
Not a compliance problem.
Not a user-awareness problem.

A human problem.

“What’s being exploited isn’t technology,” he said. “It’s emotion.” Fear of loss. Fear of punishment. The longing to be valued. The need not to disappoint. The instinct to reciprocate kindness. These are not defects in the system. They are the system.

We pathologize ordinary human responses because it is easier than redesigning systems. We call people “weak links” instead of admitting that susceptibility is inseparable from the capacity to trust. To function in society at all, we must assume good faith most of the time. This is a feature, not a bug, of being human. Fraudsters parasitize that instinct.

I told Dr. Stein about a tiny experiment I’d been running. I’d been on a Telegram chat with a scammer posing as “Jenny,” watching the routine unfold—the compliments, the warmth, the manufactured intimacy, the slow drip of validation designed to hook a lonely target.

I started to frame it the way people often do, about our “psychological pathology,” our “weakness,” the idea that victims must have something wrong with them.

Dr. Stein cut in immediately.

“I’m sorry to interrupt you, but I just need to make this point,” he said. “A lot of it isn’t pathological. It’s normal. And that’s part of the problem. If you pathologize all of this, it makes it too hard to understand why it happens so often. Because it’s actually normal.”

If fraud only happened to the gullible, it wouldn’t be the epidemic it is. If victims were simply stupid, we’d just educate them and move on. The reason scams work at scale is that they exploit ordinary human machinery: trust, reciprocity, deference, longing, the need not to disappoint. The very traits that make cooperation possible are the traits being weaponized.

This is why the cognition-first approach is so flimsy. It treats susceptibility as a knowledge gap when it’s actually a human default. Trust is a social lubricant, Dr. Stein told me. “If you walk around assuming the worst in everyone, you can’t function. You can’t build anything.” The problem is not that people feel. The problem is that our systems pretend they don’t.

The Cognition-First Illusion

Nearly every fraud, cybersecurity, and compliance program assumes a neutral mind. The hypothetical employee is calm, well-rested, unhurried, cognitively available. When the crisis email arrives, this idealized figure will recall the training module and behave accordingly.

But attacks are engineered precisely to destroy that neutrality.

The “urgent wire request” arrives five minutes before school pickup. The spoofed CEO email hits a junior analyst desperate not to disappoint. The “fraud protection team” calls a retiree already anxious about losing savings.

The state changes first, and the cognition follows later, usually after it’s too late. Under acute emotional arousal, working memory constricts. Deliberation falters. Inhibition weakens. The body shifts into mobilization mode. Act now. Decide fast. Resolve the threat.

“The fraudster isn’t outsmarting you,” Dr. Stein says. “They’re out-feeling you.”

And we respond by adding another training module.

When organizations humiliate employees for failing phishing tests, they compound the problem. I told Dr. Stein about a company that sent a phishing test at 7:30 a.m. on a Monday, assuming everyone would be overwhelmed—and then watched nearly the entire workforce fail.

“They’re setting everyone up to fail,” he said flatly.

Shame does not produce vigilance; it produces concealment. People learn that it is safer to hide mistakes than to discuss them. The organization reports strong compliance metrics while quietly accumulating unreported near-misses.

Psychodynamic Intelligence

Psychodynamic intelligence is the capacity to recognize, work with, and design around the emotional, relational, and unconscious forces that shape behavior.

“I’m not a behaviorist,” Dr. Stein told me. His work is grounded less in surface-level behavioral theory and more in in-depth psychoanalytic traditions that take unconscious relational dynamics seriously. As he put it, behavior is the outcome of internal processes. Fraud succeeds because something happens inside a person — emotionally and relationally — before anything happens externally.

Psychodynamic intelligence does not ask, what rule was violated? It asks:

What emotional field was active when this happened?
What pressure was felt?
What need was being touched?

And here is the uncomfortable implication: you cannot make people un-emotional. You can only design systems that assume emotion will show up.

Designing for the Usable State

If a control only works when someone is calm, unafraid, and cognitively spacious, then it is misaligned with reality. The better question is: what state must a person be in for this safeguard to work, and how often does that state actually exist?

Psychodynamic intelligence shifts the design lens from content to context. It treats emotional state as part of the control environment itself. Organizations can do this by modifying the environment, rehearsing high-stress situations, building in controls for high-risk conditions, establishing purposeful pauses, and studying failure.

De-Stressing the Environment

Visual and linguistic cues shape emotional state long before any conscious decision is made. A screen that glows red and flashes “APPROVE NOW” activates urgency and adrenaline—the very states that suppress reflective thinking.

A calm environment induces calmer cognition. Neutral color palettes, balanced spacing, and invitational language such as “Review before approving” or “Confirm details when ready” extend the mental pause needed for judgment to re-engage. Subtle shifts from command to collaboration lower perceived pressure.

As Dr. Stein observed, “We keep designing cognitive solutions for emotional problems. Under stress, cognition goes offline.” As a result, designing a low-stress environment is a key scam prevention tactic.

Rehearsing the Usable State

Most training assumes the learner is relaxed. In a real attack, the target is anything but. When an organization rehearses procedures under manufactured stressful circumstances, those procedures become embodied; that is, a person’s “somatic memory” is activated. Somatic memory refers to the body’s ability to remember experiences through physical sensation or muscle memory, rather than through conscious, verbal recall. It’s the kind of memory that lets you ride a bike or type on a keyboard without thinking about each movement.

In psychological terms, it’s how emotions, stress responses, or practiced actions become stored in the nervous system and expressed through automatic physical reactions. In the context of psychodynamic intelligence and fraud prevention, somatic memory means training protective responses (pausing, verifying, escalating) until they become instinctive and accessible even when stress hormones flood the brain and higher reasoning is momentarily offline.

The goal is to make safe behavior felt rather than merely remembered for those times when cognition goes offline.

Red-Alert Windows

Human vulnerability follows predictable rhythms.

Monday mornings.
Late Fridays.
Month-end closes.
Fiscal year deadlines.

Fatigue, divided attention, and performance pressure elevate risk. Rather than pretending otherwise, organizations can build compensating friction directly into the system.

High-risk tasks such as funds transfers or credential resets should be scheduled for periods when staff are more likely to be alert rather than fatigued. Context-aware throttles can anticipate human vulnerability, imposing tighter controls during high-risk windows when people are more likely to act impulsively or with excessive emotion, such as early Monday mornings or around the end of the fiscal year rush.

Dr. Stein used a metaphor I’ve come to love: submarine compartments. If one overwhelmed employee can trigger a tsunami of damage, the structure was flawed to begin with. Flooding should not sink the whole vessel. Red-alert windows operationalize that logic. You can’t eliminate human vulnerability, but you can contain its blast radius.

The Pause Protocol

Perhaps the most powerful intervention is also the simplest: formalizing inaction.

If a message, call, or request triggers an immediate visceral response—fear, urgency, relief, flattery—the default action becomes no action for a defined period. Twenty minutes is often enough for the body’s stress response to subside.

“Unless something is physically coming at you,” Dr. Stein said, “it’s almost always better to give yourself time to pause and assess.”

Organizations can support this structurally. One-click “hold” buttons. Flag-for-review features. Automatic cooling-off periods for high-value transactions. During the pause, individuals are encouraged to name the emotion—I feel rushed. I feel anxious. I feel flattered. Naming emotion helps down-regulate it.

Over time, the pause protocol teaches that emotional arousal is itself a risk signal, just as meaningful as a technical anomaly. It reframes composure as compliance and transforms what would otherwise be impulsive reactions into opportunities to slow down and make a more informed decision.
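To make the red-alert windows and the pause protocol concrete, here is a sketch of a context-aware throttle that decides when a request may execute and whether it needs a second approver. It is an added example, not code from GovIntegrity or Dr. Stein: only the twenty-minute pause comes from the article, while the window boundaries, the dollar threshold, and every name in it are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PAUSE = timedelta(minutes=20)   # the article's "twenty minutes"
HIGH_VALUE = 10_000             # assumed threshold for a "high-value" request
HIGH_RISK_ACTIONS = {"funds_transfer", "credential_reset"}

def red_alert_window(ts: datetime, fy_end_month: int = 12) -> Optional[str]:
    """Name the red-alert window ts falls in (boundaries are assumptions)."""
    last_day = calendar.monthrange(ts.year, ts.month)[1]
    if ts.month == fy_end_month and ts.day > last_day - 5:
        return "fiscal-year-end"
    if ts.day > last_day - 2:
        return "month-end"
    if ts.weekday() == 0 and ts.hour < 10:
        return "monday-morning"
    if ts.weekday() == 4 and ts.hour >= 16:
        return "late-friday"
    return None

@dataclass
class Request:
    action: str
    amount: float
    submitted: datetime
    user_hold: bool = False     # employee pressed the one-click "hold" button

def decide(req: Request) -> dict:
    """Return when the request may execute and whether a second approver is needed."""
    hold, second, reasons = timedelta(0), False, []
    if req.action in HIGH_RISK_ACTIONS:
        window = red_alert_window(req.submitted)
        if window:                          # compensating friction in risky windows
            hold, second = PAUSE, True
            reasons.append(f"red-alert window: {window}")
        if req.amount >= HIGH_VALUE:        # automatic cooling-off period
            hold = PAUSE
            reasons.append("high value: cooling-off period")
    if req.user_hold:                       # pause protocol: default to no action
        hold, second = PAUSE, True
        reasons.append("held by user: flagged for review")
    return {"release_at": req.submitted + hold,
            "second_approver": second, "reasons": reasons}
```

The decision records its reasons so that a hold reads as a property of the system and the calendar, not as a judgment on the person who submitted the request.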

Failure Analysis Labs

Instead of shaming mistakes, organizations can create structured spaces to dissect them. Dr. Stein advocates for what amounts to a failure analysis lab—a place where teams review incidents the way athletes review game tape. Objectively. Neutrally. Without bleeding over the loss.

How did this happen?
What were the micro-inflection points?
Where were the pressures?
What did we miss?
What structural buffers failed?

Such analysis can extend beyond a single organization. Industries can learn collectively from one another’s failures, reducing stigma and accelerating shared resilience. Shame silences, but curiosity strengthens.

The Harder, More Honest Path

Psychodynamic intelligence forces leaders to admit something uncomfortable: vulnerability is structural, not exceptional. The problem is not that a few careless people keep messing up. The problem is that we have built systems that assume calm minds in moments engineered to produce panic. It demands that we stop scapegoating individuals for responding like human beings. It insists that system design must account for fear, longing, status pressure, urgency, and fatigue.

It also offers something deeply practical.

If fraud is emotional first and cognitive second, then prevention is not about perfecting the checklist. It is about redesigning environments so they don’t inflame urgency. It is about rehearsing protective responses under stress so the body remembers what the slide deck cannot. It is about embedding structural shock absorbers, like submarine compartments, so one panicked click does not sink the whole ship. It is about normalizing early reporting instead of punishing it. It is about elevating psychological literacy so people can recognize the surge before they obey it.

Most of us don’t have to imagine the stakes. Most of us know someone who has been scammed. A parent. A colleague. A friend who wired money they’ll never see again. Or maybe you’ve felt it yourself—that flash of terror after clicking a link, the sudden heat in your chest when a message says your account has been compromised, the split second where urgency overrides judgment.

In that moment, you are not stupid. You are human.

There is a little bit of every scam victim in all of us. The part that wants the story to be true. The part that wants to trust. The part that wants relief. The part that needs to feel seen or safe or competent or chosen.

Fraudsters exploit that part.

Psychodynamic intelligence does something more radical: it dignifies it. It treats the wish to believe not as weakness but as evidence of aliveness—and then designs with that aliveness in mind.

If we want to stop clicking the link, we must stop pretending that the mind that clicks it is purely rational. We must build institutions that assume fear will show up, that urgency will distort, that authority will pressure, that fatigue will narrow attention.

Fraud is a human problem. And human problems require the courage to look beneath the surface and the structural imagination bold enough to design for the way people actually are.


Photo by Vitaly Gariev on Unsplash. Article first posted on GovIntegrity.