How to Not Get Got
You don't need to be a security analyst to dodge almost all phishing. You need a handful of habits. This is the 80/20 — the few checks that catch the large majority of attacks.
The five-second gut check
Before you click or reply, ask: Was I expecting this? Is it rushing me? Is it asking for money, credentials, or a download? Any "yes" means slow down and check the details below.
1. Read the real sender address
The friendly name ("PayPal Service", "IT Help Desk", "Your CEO") is just a label anyone can type. Look at the actual email address in angle brackets. Is the domain — the part after the @ — really the company's normal domain? Watch for look-alikes: paypa1.com (a 1 for an l), micros0ft.com (a zero), or the brand name buried in a subdomain like paypal.account-security.ru.
2. Read a link the right way: from the right
A web address is owned by its registrable domain: read the host (the part before the first slash) from the right, and the owner is the name sitting just left of the public suffix (.com, .ru, .co.uk) together with that suffix. In login-microsoftonline.secure-auth.ru/oauth, the owner is secure-auth.ru, not Microsoft. Everything to the left is decoration the attacker picked. When in doubt, don't click the link in the message — go to the site yourself by typing its address.
3. Reply-to and "from" should match
If a mail claims to be from your bank but a reply would go to a random address on a different domain, that mismatch is a red flag.
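Rules 1 to 3 can be applied mechanically to a raw message, which is a good way to see that the "read from the right" habit is the same check a mail filter performs. The script below is an added example, not part of Phish Flash and not any vendor's tool. It assumes a tiny hard-coded stand-in for the public-suffix list (a real checker would load the full list from publicsuffix.org), and both messages it inspects are constructed samples written for this example; the domains in them do not refer to real sites.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the public-suffix list (publicsuffix.org).
# A real checker loads the full list; these entries are enough for the demo.
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "co.uk", "com.au"}

# Constructed sample message, in the style of the attacks described above.
SAMPLE_PHISH = """From: "Microsoft Account Team" <security@login-microsoftonline.secure-auth.ru>
Reply-To: collector@mailbox-inbound.net
Subject: Unusual sign-in activity
Content-Type: text/plain

We detected a sign-in from a new device. Verify within 24 hours:
https://login-microsoftonline.secure-auth.ru/oauth/verify?id=123
"""

# Constructed sample of an ordinary internal message for comparison.
SAMPLE_CLEAN = """From: "Payroll" <payroll@example.com>
Subject: Your payslip
Content-Type: text/plain

Your payslip is ready at https://hr.example.com/payslips
"""


def registrable_domain(host: str) -> str:
    """Rule 2: read the host from the right. The owner is the label just left
    of the public suffix, plus that suffix (secure-auth.ru, example.co.uk)."""
    labels = host.lower().strip(".").split(".")
    for n in (2, 1):  # try two-label suffixes like co.uk before single ones
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def address_domain(header_value: str) -> tuple[str, str]:
    """Split a From/Reply-To header into (display name, domain after the @)."""
    name, addr = parseaddr(header_value or "")
    return name, addr.rpartition("@")[2].lower()


def check_message(raw: str, claimed_domain: str) -> list[str]:
    """Apply rules 1-3 to a raw message. claimed_domain is the brand's real
    registrable domain, i.e. who the message appears to come from."""
    msg = message_from_string(raw)
    findings = []

    # Rule 1: the friendly name is a label; only the domain after the @ counts.
    name, from_dom = address_domain(msg.get("From"))
    if registrable_domain(from_dom) != claimed_domain:
        findings.append(f"rule 1: display name {name!r} but real sender domain is {from_dom}")

    # Rule 3: replies should land on the same domain the mail came from.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_dom = address_domain(reply_to)
        if registrable_domain(reply_dom) != registrable_domain(from_dom):
            findings.append(f"rule 3: replies go to {reply_dom}, not {from_dom}")

    # Rule 2: every link in the body is owned by its registrable domain.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        owner = registrable_domain(host)
        if owner != claimed_domain:
            findings.append(f"rule 2: link {url} is owned by {owner}, not {claimed_domain}")
    return findings


if __name__ == "__main__":
    for line in check_message(SAMPLE_PHISH, "microsoft.com"):
        print(line)
    print("clean message findings:", check_message(SAMPLE_CLEAN, "example.com"))
```

The sample phish trips all three rules: the display name says Microsoft while the sender sits on secure-auth.ru, the Reply-To points at a third domain, and the link's owner is again secure-auth.ru. The payroll message produces no findings because the sender and the link share the registrable domain the reader expects.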
4. Know what a fake login page looks like
The most dangerous moment is after you click. A credential-harvesting page can look identical to the real Microsoft, Google, or bank sign-in. The one thing the attacker usually can't fake is the address bar. Before you type a password anywhere, glance at the domain (rule #2). If your browser bounced you through several redirects to get there — be suspicious.
5. Know what the attacker actually wants
Most attacks end in one of four ways. They want you to:
- Hand over credentials on a fake login page,
- Download and run a file (then your machine is theirs),
- Send money or change payment details (invoice and CEO-wire scams),
- Give up information (codes, personal details) over email, text, or phone.
If a message is steering you toward one of those, treat it as guilty until proven innocent.
Sketchy file types
Be wary of attachments and downloads ending in .exe, .scr, .iso, .img, .lnk, .js, or macro-enabled Office files (.docm, .xlsm). Watch for double extensions like invoice.pdf.exe. A real invoice is almost never a program.
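The file-type rule is easy to turn into a small classifier, and doing so shows why the double-extension trick works: only the last extension decides how a file runs. The function below is an added example, not Phish Flash material; the extension sets are taken from the list above, and the filenames it is run on are constructed for the demo.

```python
from pathlib import PurePosixPath

# Extension sets from the page's list of sketchy file types.
EXECUTABLE_EXTS = {".exe", ".scr", ".iso", ".img", ".lnk", ".js"}
MACRO_EXTS = {".docm", ".xlsm"}
# Assumption: document types an attacker likes to imitate in a double extension.
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".txt"}


def classify_attachment(name: str) -> tuple[str, str]:
    """Return (verdict, reason) for an attachment filename.

    Only the LAST extension decides how the operating system opens the file,
    so 'invoice.pdf.exe' is a program however much the middle part says PDF.
    """
    cleaned = name.strip().lower()          # 'INVOICE.PDF.EXE ' -> 'invoice.pdf.exe'
    suffixes = [s.strip() for s in PurePosixPath(cleaned).suffixes]  # ['.pdf', '.exe']
    if not suffixes:
        return ("review", "no extension at all")

    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            return ("block", f"double extension: looks like {suffixes[-2]} but runs as {last}")
        return ("block", f"runnable type {last}")
    if last in MACRO_EXTS:
        return ("block", f"macro-enabled Office file {last}")
    return ("ok", f"no flagged extension ({last})")


if __name__ == "__main__":
    # Constructed filenames for the demo.
    for fname in ["invoice.pdf.exe", " INVOICE.PDF.EXE ", "Q3 report.docm",
                  "statement.pdf", "setup.iso", "notes"]:
        print(f"{fname!r:24} -> {classify_attachment(fname)}")
```

Note that the name is trimmed and lower-cased before inspection, since padding with spaces or mixing case is a cheap way to make the real extension less visible in a mail client.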
What social engineering feels like
Attacks pull psychological levers. Learn the feeling:
- Urgency — "act in the next 24 hours."
- Authority — "this is your CEO / the IRS / IT."
- Fear — "your account is compromised."
- Secrecy — "don't tell anyone, handle this quietly."
- Reward — "you won," "you're owed a refund."
When you feel pushed, that's the moment to stop and run the checks above.
A word on the brackets you see here
Throughout Phish Flash, dangerous-looking links are written defanged — hxxps:// instead of https://, and paypa1[.]com instead of paypa1.com. The brackets make the link harmless if it's ever pasted into a browser, and it's the standard convention security teams use. Read them as normal links — and get comfortable with the style, because you'll see it everywhere in the field.
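Defanging is mechanical enough that most teams script it rather than bracket dots by hand. The pair of functions below is an added example, not Phish Flash code: it rewrites URLs, dotted hostnames and IPv4 addresses with hxxp and [.], and reverses the change for tools that need the original indicator. The matching pattern is an assumption of this example and deliberately ignores things like version numbers (v1.2) and abbreviations (e.g.); the strings it is run on are constructed.

```python
import re

# Things worth defanging: URLs, dotted hostnames and IPv4 addresses.
# Trailing sentence punctuation is deliberately left outside the match.
_INDICATOR = re.compile(
    r"https?://\S+?(?=[.,;:!?)\]]*(?:\s|$))"     # URL, minus trailing punctuation
    r"|\b(?:\d{1,3}\.){3}\d{1,3}\b"              # IPv4 address
    r"|\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b",    # hostname with a letter-only TLD
    re.IGNORECASE,
)


def defang(text: str) -> str:
    """Rewrite indicators the way Phish Flash prints them: hxxp(s):// and [.]"""
    def _defang_one(m: re.Match) -> str:
        s = m.group(0)
        if s[:4].lower() == "http":       # https:// -> hxxps://
            s = "hxxp" + s[4:]
        return s.replace(".", "[.]")      # paypa1.com -> paypa1[.]com
    return _INDICATOR.sub(_defang_one, text)


def refang(text: str) -> str:
    """Undo defang so a lookup tool can use the original indicator."""
    text = text.replace("[.]", ".")
    return re.sub(r"\bhxxp(?=s?://)", "http", text, flags=re.IGNORECASE)


if __name__ == "__main__":
    # Constructed sample sentence for the demo.
    sample = "Go to https://paypa1.com/login now, or call 192.168.1.10."
    print(defang(sample))
    print(refang(defang(sample)))
```

Because only the dots inside matched indicators are bracketed, prose around them survives untouched and refang(defang(text)) returns the original text, which is what lets a team paste defanged text from a write-up straight into its own tooling.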