Why You Shouldn’t Ignore ‘Was This You?’ Emails
Study finds users feel anxious and suspicious when alerts appear, but most don't take meaningful action
When an unfamiliar device pings your inbox with a “Was this you?” message, chances are you hesitate before clicking. Those prompts, known as risk‑based authentication (RBA) account security alerts, are meant to stop intruders without forcing you through constant two‑factor hurdles.
However, a new NDSS 2025 cybersecurity study from Nankai University suggests the notices often leave people more anxious than empowered. Surveying 273 volunteers, the researchers probed how real‑world users react when RBA alerts are triggered by someone else entering the correct password, mistyping it, or initiating a password reset. Their findings show that while users grasp the stakes, confusion and design missteps still blunt the alerts’ protective power.
Why these login alerts matter
RBA has become the web’s silent bodyguard. It layers behavioral analysis over the traditional password so that extra checks, much like a form of multi-factor authentication, appear only when something looks off. Major platforms quietly rely on the technique to catch credential‑stuffing or logins from suspicious IP addresses, making it one of the few defenses that scales without sacrificing convenience.

Understanding whether people treat these messages seriously is crucial because ignoring an unexpected login notification can turn a near‑miss into a full‑blown account takeover.
How the researchers tested real-world reactions
The team recruited 258 online participants and 15 in‑person interviewees. Volunteers viewed three common pre‑login scenarios: a correct password from an unknown device, multiple incorrect password attempts, and a password‑reset request.
They then reported emotions, perceived risk, and intended actions. By mirroring incidents users actually face, the study goes beyond hypothetical lab prompts and captures decision‑making under mild stress.
Anxiety, suspicion, then shrugs
More than 90 percent of respondents judged RBA notifications “important,” yet 46 percent worried the alert itself might be part of a phishing attack. Despite that fear, 65 percent said they would simply log in and scan recent activity. If nothing looked amiss, they would do nothing further.
Users across all three scenarios reported feeling nervous, suspicious or anxious first, then uncertain about next steps, causing an emotional whiplash that can delay decisive action when seconds matter.
Design gaps undermine trust and cause chaos
Participants blamed sparse details for their hesitation. Many notifications lacked IP address, device data or clear instructions, making them indistinguishable from sophisticated scam emails.
The paper calls for richer context, one‑click secondary verification and plain‑language risk explanations. Without those upgrades, well‑intentioned alerts risk fading into background noise. Worse, they train people to ignore genuine warnings.
What this means for everyday users
Until providers refine RBA notices, consumers who want to protect their online accounts should treat every unexpected login alert as credible. They should verify account activity from a trusted browser and change passwords if anything looks off.
The study also reinforces a broader message: layered security only works when human factors are built in. Transparency and guidance, not just algorithms, determine whether the next alert stops an attacker or merely adds to inbox clutter.
