Click?

To click, or not to click?

Tip…don’t click

We have all received a text or email claiming, “Your package couldn’t be delivered” or “Please verify your identity/account information”. The messages may look different, but the goal is almost always the same:
…to get you to click.

When an employee of an organization falls victim to a phishing link, the attacker is usually after something bigger: initial access to the company’s network, credentials for pivoting, or a way to deploy malware.

When a private citizen receives a phishing link, the aim is generally more direct: stealing banking credentials or credit card numbers, or tricking them into sending money or gift cards. Some type of quick and easy financial gain.

Across industries, click rates average between 3%-14% in enterprise environments, where employees normally have some type of security awareness program or training. Outside of those organizations, the average is much higher. Everyday users rarely receive the same training, and the attackers know that. They focus their scams where curiosity, convenience, and emotion often blind users to logic and caution.

Why do we still click?

Even when we know better, many of us are still compelled to click. I like to think it’s not because we are completely careless. Attacker messages tap into parts of our brains that are flawed.

They design messages that sound urgent or that stir some kind of emotion or curiosity.
Urgency: Key words like immediately, suspended, or final notice cause panic and trigger us to act before thinking.
Curiosity: We hate unanswered questions. “Your account has been flagged” or “See your delivery updates” triggers the need to know more.
Trusted source: Messages that look official, whether from your bank, a delivery company, or even your boss, drop our guard.

In that moment, emotion and curiosity win over logic. Clicking feels like the fastest way to fix, or check, whatever is in the message. That’s exactly what the attacker is hoping for.

Rethink the click

A few habits can make a big difference.

  1. Pause before you act: Urgency is the bait. Take a moment before responding to any message that feels rushed.
  2. Check the source: Look closely at the sender’s address, not just the display name. A single letter off can be a red flag.
  3. Go straight to the source (BEST OPTION): Visit the official app or website associated with the message.
  4. Trust your gut (UNLESS YOU HAVE AN UNTRUSTWORTHY GUT): If something feels off, it probably is.
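Habit 2 (look at the real address, not the display name) is easy to state and easy to get wrong by eye, so here is the same rule applied mechanically. This is an added example, not code from the original post; the brand list and every address in it are constructed for illustration, and the registrable-domain helper is a deliberate simplification (it takes the last two labels and does not consult a public suffix list).

```python
import re
from email.utils import parseaddr

# Constructed allow-list (hypothetical brands and domains): the senders a reader
# expects mail from, mapped to the registrable domain those brands actually use.
KNOWN_SENDERS = {
    "examplebank": "examplebank.com",
    "parcelco": "parcelco.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(domain: str) -> str:
    """Crude registrable domain: last two labels. Good enough for the example,
    not a replacement for a public suffix list."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def check_sender(from_header: str) -> dict:
    """Apply 'check the source' to a From: header and explain any concern."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"address": addr, "verdict": "suspicious",
                "reasons": ["no usable sender address"]}
    domain = addr.rsplit("@", 1)[1].lower()
    reg = registrable_domain(domain)
    # Normalise the display name so "Example Bank" and "ExampleBank" compare equal.
    display_norm = re.sub(r"[^a-z0-9]", "", display.lower())
    reasons = []

    for brand, brand_domain in KNOWN_SENDERS.items():
        allowed = domain == brand_domain or domain.endswith("." + brand_domain)
        # 1. The display name claims a brand, but the address is not that brand's.
        if brand in display_norm and not allowed:
            reasons.append(f"display name mentions {brand} but address domain is {domain}")
        # 2. The registrable domain is a one- or two-character near miss of a brand.
        if reg != brand_domain and edit_distance(reg, brand_domain) <= 2:
            reasons.append(f"{reg} is within two edits of {brand_domain}")
        # 3. The brand name is buried in an unrelated domain (brand.com.something.net).
        if brand in domain and not allowed:
            reasons.append(f"{brand} appears inside unrelated domain {domain}")

    return {"address": addr, "verdict": "suspicious" if reasons else "ok",
            "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in ["ExampleBank Alerts <alerts@examplebank.com>",
                "ExampleBank Security <security@examp1ebank.com>",
                "ParcelCo <delivery-update@parcelco.com.tracking-notice.net>"]:
        result = check_sender(hdr)
        print(hdr, "->", result["verdict"], result["reasons"])
```

The check only knows the brands you list, so a message from an unlisted sender comes back "ok" rather than vetted; that is why habit 3, going straight to the official app or site, still wins over any filter.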

Phishing isn’t going anywhere; it’s just getting harder to catch. Whether the message claims to be from your bank, a delivery service, or a toll company, the goal is always the same: to get you to click before you think. Awareness is your best defense. Slow down, trust your gut, and remember it’s better to miss one link than to regret one click.