Phishing, Scams & Clickbait
How to recognise the fake email, message, or link designed to trick you — before you click.
What you'll learn
- Spot the red flags of a phishing message
- Resist urgency and clickbait tactics
- Know how to report a suspicious message
Phishing is a fake message — most often an email, but increasingly a text or chat — that pretends to come from someone you trust. The goal is to trick you into handing over a login, sending money, or opening an attachment that plants malware. Phishing is so common because it skips the hard work of breaking into systems and targets the easiest part of any organisation instead: a busy person who’s trying to be helpful and move fast. Understanding how these messages are built is the best way to stop falling for them.
Any one flag is suspicious; several together is almost certainly phishing.
Why phishing works
The engine behind almost every phishing message is urgency. “Your account will be closed in 24 hours.” “Unusual sign-in detected — verify now.” “Final reminder: invoice overdue.” The aim is to spike your stress so you react before you reason. When you feel that flash of panic, that’s exactly the moment to slow down, because a real organisation rarely demands that you act this instant or lose everything.
Phishing also leans on authority and familiarity. The message may appear to come from your bank, a delivery company, a popular app, or even your own CEO. A particularly nasty variant, sometimes called business email compromise, impersonates a senior leader and asks an employee to buy gift cards, change payment details, or wire funds quietly. Because the request seems to come from the top, people hesitate to question it — which is precisely what the attacker is counting on.
The red flags to watch for
No single clue proves a message is fake, but a few together almost always do. Check the sender’s real address, not just the display name — “IT Support” can sit on top of an address like it-support@payroll-secure-login.com, which has nothing to do with your company. Hover over links before clicking to reveal where they actually lead; a button labelled “Verify my account” may point to a lookalike domain designed to harvest your password. Be cautious with a generic greeting (“Dear Customer”) from a service that knows your name, and treat unexpected attachments — especially .html, .zip, or files asking you to “enable content” — as guilty until proven innocent.
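The checklist above (real sender address vs display name, link label vs real destination, generic greeting, urgency wording, risky attachments) can be turned into a small triage script that a helpdesk or security team runs over a message someone has reported. The code below is an added example written for this page, not a tool the page or any vendor provides; the trusted domain list, the phrase lists, and both sample messages are constructed for illustration, and anything they flag is a reason to verify through a known channel, not proof of an attack.

```python
"""Heuristic red-flag scanner for one reported email (added example, constructed data)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the organisation really uses. Anything else in a sender
# address or link is reported as "unknown", which is a prompt to verify, not a verdict.
TRUSTED_DOMAINS = {"example-corp.com", "mail.example-corp.com"}
URGENCY_PHRASES = ["act now", "within 24 hours", "verify now", "final reminder",
                   "account will be closed", "immediately"]
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|member|account holder)\b", re.I)
RISKY_EXTENSIONS = (".html", ".htm", ".zip", ".iso", ".js", ".docm", ".xlsm")


class _LinkCollector(HTMLParser):
    """Collects (visible label, href) pairs so label and destination can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def scan_message(raw):
    """Return human-readable red flags found in a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Sender: judge the real address, not the display name sitting on top of it.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        flags.append(f"sender address {addr} (shown as '{display}') is not a known domain")

    # 2. Links: the label is what the reader sees; the href is where it really goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for label, href in collector.links:
            host = urlparse(href).hostname or ""
            if host and host not in TRUSTED_DOMAINS:
                flags.append(f"link '{label}' really points to {host}")

    # 3 and 4. Greeting and urgency, checked on tag-stripped body text plus the subject.
    plain = re.sub(r"<[^>]+>", " ", text)
    if GENERIC_GREETING.search(plain):
        flags.append("generic greeting instead of your name")
    lowered = (str(msg.get("Subject", "")) + " " + plain).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    # 5. Attachments by extension, plus the classic "enable content" macro lure.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {name}")
    if "enable content" in lowered:
        flags.append("asks you to 'enable content'")
    return flags


def build_sample():
    """Constructed message showing several red flags at once."""
    m = EmailMessage()
    m["From"] = '"IT Support" <it-support@payroll-secure-login.com>'
    m["To"] = "employee@example-corp.com"
    m["Subject"] = "Final reminder: verify your account within 24 hours"
    m.set_content("Dear Customer, verify now.")
    m.add_alternative('<p>Dear Customer,</p><p>Unusual sign-in detected. '
                      '<a href="https://example-corp.com.login-verify.net/auth">'
                      'Verify my account</a> within 24 hours or your account will be closed.</p>',
                      subtype="html")
    m.add_attachment("<html></html>", subtype="html", filename="invoice.html")
    return m.as_string()


def build_benign():
    """Constructed routine message from a known colleague: should produce no flags."""
    m = EmailMessage()
    m["From"] = "Dana Example <dana@example-corp.com>"
    m["To"] = "sam@example-corp.com"
    m["Subject"] = "Q3 slide deck"
    m.set_content("Hi Sam, could you send me the Q3 slide deck when you get a chance? Dana")
    return m.as_string()


if __name__ == "__main__":
    for flag in scan_message(build_sample()):
        print("-", flag)
    print("benign message flags:", scan_message(build_benign()))
```

Each flag maps to one line of the checklist, so the output doubles as an explanation for the person who reported the message. The link check deliberately compares the full hostname rather than the visible label: a host such as a trusted name followed by an unfamiliar suffix is exactly the lookalike the text warns about, and string matching on the label alone would miss it.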
The same instinct applies to clickbait. “You’ve won a prize!”, “See who viewed your profile”, “Shocking photo of a colleague” — these sensational hooks exist to get a reckless click that leads somewhere harmful. If a link promises something that feels too good, too dramatic, or too strange, that feeling is your warning.
If a message creates pressure to act right now, slow down. Urgency is the scammer’s main tool, and a few seconds of doubt is your best defence.
What to do when something looks off
The single most powerful move is a pause followed by verification through a known channel. Don’t reply to the suspicious message and don’t click its links to “check if it’s real” — that’s what the attacker wants. Instead, contact the supposed sender in a way you already trust: phone the colleague using the number in your directory, type your bank’s web address yourself, or message your manager directly. If a finance request seems even slightly unusual, confirm it out loud before any money moves.
Then report it. Most workplaces have a “Report phishing” button in the email client or a dedicated address for IT and security. Reporting matters even if you didn’t click, because you’re rarely the only target — flagging one message helps the security team warn everyone and block the sender. And if you realise you did click or enter your password, report it immediately and without embarrassment. Fast reporting lets IT reset credentials and contain the problem; staying quiet out of shame is what turns a small mistake into a serious breach.
Sort the Phishing Clues
Here's where each one goes:
- Sender's email address doesn't match the company it claims to be from → Red flags — Be cautious — always check the full sender address, not just the display name.
- The message uses your real name and asks a routine question → Safe signs — Likely legitimate — phishing usually starts with generic greetings.
- Urgent pressure — "act now or lose access" → Red flags — Be cautious — urgency is the scammer's main tool; real organisations rarely demand instant action.
- Generic greeting like "Dear Customer" from a service that knows your name → Red flags — Be cautious — phishing uses generic greetings to cast a wide net.
- A colleague confirms the request through a different, known channel → Safe signs — Likely legitimate — verification through a trusted channel is your best defence.
- Unexpected attachment asking you to "enable content" → Red flags — Be cautious — attachments are a common delivery method for malware.
How to use it
Build a simple routine for any message that asks you to click, pay, or log in. Read the sender’s full address. Hover over links. Ask yourself whether the urgency makes sense. If anything feels off, verify through a channel you already trust, and report it using your company’s tool. Make this your default for unexpected requests, not just the obviously dodgy ones.
Why it matters
Phishing is the entry point for a huge share of real-world incidents, from drained accounts to company-wide ransomware. You don’t need special tools to defend against it — you need the discipline to pause when a message pushes you to hurry. Every careful check and every report you file makes you, and everyone around you, harder to fool.
Quick check
1. A strong sign of phishing is…
2. To check where a link really goes, you should…
3. You got a suspicious email. Best move?