
Phishing: How to Recognize It and What Actually Helps

The patterns attackers use, how to train yourself to spot them, and technical controls that reduce the damage when someone clicks.

Security, Phishing

Phishing works. It is one of the most common ways attackers get initial access. No matter how good your technical controls are, if someone enters their credentials on a fake page, those credentials are gone, along with everything they unlock that is not behind a second factor.

I've seen sophisticated engineers fall for phishing. The attacks are getting better.

What Makes Phishing Work

Urgency. "Your account will be suspended in 24 hours." "Unauthorized access detected." The goal is to make you act before you think.

Authority. Emails pretending to be from IT, from your CEO, from a trusted service. People comply with authority figures.

Familiarity. Attackers copy legitimate emails pixel-for-pixel. Same logos, same formatting, same footer. The only difference is where the links go.

How to Spot It

Check the sender address. Not the display name, the actual email address. Anyone can set their display name to "IT Support" or "Microsoft Security." The address tells you more, but read it carefully: attackers register lookalike domains (micros0ft.com, microsoft-support.net, or a "microsoft" subdomain of a domain they own), and when the impersonated domain does not enforce DMARC, the From address itself can be forged outright.

Hover before you click. A link shows its real destination when you hover over it (on a phone, long-press it). If it says "Login to Microsoft" but the URL is login-microsoft.suspicious-domain.com, don't click. What matters is the registered domain, the last two labels before the first slash (suspicious-domain.com here), not the brand name parked in front of it as a subdomain. Shortened links and tracking redirects hide the destination entirely; treat them as unknown.
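Both of these checks can be automated. The following Go program is an added example, not code from the original post: it parses a From header with the standard library's net/mail, compares the display name against the sender's registrable domain, and applies the same comparison between each link's visible text and its href. The sample message, the brand allow-list and the two-label registrable-domain rule are constructed for the example; a production tool would use the Public Suffix List and a maintained brand list.

```go
package main

import (
	"fmt"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample message (not a real email): the display name claims to be
// Microsoft, the mailbox lives on an unrelated domain, and the first link's text
// says one thing while its href goes somewhere else.
const sampleFrom = `"Microsoft Security" <alerts@login-microsoft.suspicious-domain.com>`

const sampleBody = `<p>Unauthorized access detected. Your account will be suspended in 24 hours.</p>
<a href="https://login-microsoft.suspicious-domain.com/auth">Login to Microsoft</a>
<a href="https://www.microsoft.com/privacy">Microsoft privacy statement</a>`

// brandDomains lists, for each brand word, the registrable domains that brand
// legitimately sends from or links to. Hypothetical allow-list for this example.
var brandDomains = []struct {
	brand   string
	domains []string
}{
	{"microsoft", []string{"microsoft.com", "microsoftonline.com", "live.com"}},
	{"google", []string{"google.com", "gmail.com"}},
}

// registrableDomain returns the last two labels of a host, so
// "login.microsoft.com" -> "microsoft.com". This approximation ignores multi-label
// public suffixes such as co.uk; a real tool should use the Public Suffix List.
func registrableDomain(host string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if len(labels) < 2 {
		return labels[0]
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// brandMismatch reports whether text names a known brand while host belongs to
// none of that brand's domains: the automated form of "read the real address"
// and "hover before you click".
func brandMismatch(text, host string) (brand string, mismatch bool) {
	lower := strings.ToLower(text)
	reg := registrableDomain(host)
	for _, b := range brandDomains {
		if !strings.Contains(lower, b.brand) {
			continue
		}
		for _, d := range b.domains {
			if reg == d {
				return b.brand, false
			}
		}
		return b.brand, true
	}
	return "", false
}

// checkSender parses a From header and returns human-readable findings.
func checkSender(from string) []string {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return []string{"unparseable From header: " + err.Error()}
	}
	var findings []string
	host := addr.Address[strings.LastIndex(addr.Address, "@")+1:]
	if b, bad := brandMismatch(addr.Name, host); bad {
		findings = append(findings, fmt.Sprintf("display name claims %s but address is on %s", b, host))
	}
	if strings.Contains(host, "xn--") {
		findings = append(findings, "punycode label in sender domain (possible homoglyph lookalike)")
	}
	return findings
}

var anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// checkLinks extracts anchors from an HTML body and flags those whose visible
// text names a brand that the destination host does not belong to.
func checkLinks(body string) []string {
	var findings []string
	for _, m := range anchorRe.FindAllStringSubmatch(body, -1) {
		u, err := url.Parse(m[1])
		if err != nil || u.Hostname() == "" {
			continue
		}
		text := strings.TrimSpace(m[2])
		if b, bad := brandMismatch(text, u.Hostname()); bad {
			findings = append(findings, fmt.Sprintf("link text %q mentions %s but goes to %s", text, b, u.Hostname()))
		}
	}
	return findings
}

func main() {
	for _, f := range append(checkSender(sampleFrom), checkLinks(sampleBody)...) {
		fmt.Println("FLAG:", f)
	}
}
```

Run it and it flags the sender (a display name claiming Microsoft on suspicious-domain.com) and the first link (text says Microsoft, host is suspicious-domain.com), and stays silent on the second link, whose text and host agree. Matching on the registrable domain rather than the full hostname is what defeats the subdomain trick; a homoglyph domain would pass this check unless it has to use punycode, which is why the xn-- test is there.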

Verify through another channel. Got an urgent request from your CEO? Call them. Got a security alert from IT? Slack them directly. Never use contact info from the suspicious message itself.

Look for pressure. Legitimate organizations rarely create artificial urgency. "Act now or else" is a red flag.

Technical Controls That Help

MFA limits what phishing accomplishes. Attackers get your password? With MFA they still need the second factor, which blocks the password-only replay that most phishing kits are after. It is not a full stop: codes from SMS, email and authenticator apps can be relayed by adversary-in-the-middle kits that proxy the real login page and forward your code within seconds, and push prompts can be approved by a worn-down user. Treat MFA as the control that shrinks the blast radius, and phishing-resistant MFA (FIDO2 keys or passkeys) as the one that closes the relay.

Email filtering catches a lot. Modern email gateways block a significant share of phishing volume before it reaches inboxes. Not perfect, but it reduces exposure. Publish SPF and DKIM and enforce DMARC (p=reject) on your own domain so exact spoofs of your domain are dropped by every receiver that checks.

Password managers don't autofill on fake sites. Your password manager knows which domain it saved credentials for, so it will not offer them on login-microsoft.suspicious-domain.com. If it won't autofill, stop and read the address bar instead of pasting the password in by hand.

Hardware security keys resist phishing. A FIDO2/WebAuthn credential is bound to the domain it was registered for: the browser only offers it to that origin, and the signed response carries the origin, so a fake site cannot obtain a usable login even if you tap the key. Passkeys work the same way. What a key does not cover is the session after login; if a proxy or malware steals the session cookie, the key is never consulted.
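To make concrete why a relayed one-time code works for the attacker and a relayed FIDO2 assertion does not, here is an added Go example, not from the original post and not a real WebAuthn library: a minimal model of a hardware key, the browser and the relying party, using only the standard library's ECDSA (ES256). The domain example.com, the origin https://login.example.com, the phishing origin and the challenge string are constructed for the example, and authenticatorData is reduced to its rpIdHash field.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData is a simplified WebAuthn CollectedClientData. The browser, not the
// page, fills in Origin, and the key signs over a hash of this JSON.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator models a hardware key holding one credential, scoped to an RP ID.
type authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// signedBytes is what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func signedBytes(authData, cdj []byte) []byte {
	h := sha256.Sum256(cdj)
	return append(append([]byte{}, authData...), h[:]...)
}

// getAssertion refuses any RP ID but its own, then signs. authenticatorData is
// reduced to its first field, SHA-256(rpID), so the signature commits to both.
func (a *authenticator) getAssertion(rpID string, cdj []byte) (authData, sig []byte, err error) {
	if rpID != a.rpID {
		return nil, nil, fmt.Errorf("authenticator: no credential for rpId %q", rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(signedBytes(rpHash[:], cdj))
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return rpHash[:], sig, err
}

type webauthnRP struct {
	rpID, origin, challenge string
	pub                     *ecdsa.PublicKey
}

// verifyAssertion checks challenge, origin and rpIdHash before the signature, so
// an assertion made on another origin fails even though its signature is valid.
func (r *webauthnRP) verifyAssertion(cdj, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return err
	}
	switch want := sha256.Sum256([]byte(r.rpID)); {
	case cd.Type != "webauthn.get" || cd.Challenge != r.challenge:
		return fmt.Errorf("rp: wrong type or stale challenge")
	case cd.Origin != r.origin:
		return fmt.Errorf("rp: origin %q is not %q", cd.Origin, r.origin)
	case string(authData) != string(want[:]):
		return fmt.Errorf("rp: rpIdHash mismatch")
	}
	digest := sha256.Sum256(signedBytes(authData, cdj))
	if !ecdsa.VerifyASN1(r.pub, digest[:], sig) {
		return fmt.Errorf("rp: bad signature")
	}
	return nil
}

// newPair registers one credential for the hypothetical https://login.example.com.
func newPair() (*authenticator, *webauthnRP) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp := &webauthnRP{rpID: "example.com", origin: "https://login.example.com",
		challenge: "constructed-challenge-4f2a", pub: &priv.PublicKey}
	return &authenticator{rpID: rp.rpID, priv: priv}, rp
}

// loginFrom runs a login from a page at origin. A conformant browser only allows
// an RP ID that is the page's own domain or a parent of it; conformant=false
// models a malicious client that skips that rule and has the key sign clientData
// carrying the phishing origin. The key signs; the RP still rejects the origin.
func loginFrom(auth *authenticator, rp *webauthnRP, origin string, conformant bool) error {
	host := strings.TrimPrefix(origin, "https://")
	if conformant && host != rp.rpID && !strings.HasSuffix(host, "."+rp.rpID) {
		return fmt.Errorf("browser: origin %s may not use rpId %s", origin, rp.rpID)
	}
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: rp.challenge, Origin: origin})
	authData, sig, err := auth.getAssertion(rp.rpID, cdj)
	if err != nil {
		return err
	}
	return rp.verifyAssertion(cdj, authData, sig)
}

func main() {
	auth, rp := newPair()
	phish := "https://login-example.suspicious-domain.com"
	fmt.Println("real site:     ", loginFrom(auth, rp, rp.origin, true))
	fmt.Println("phishing site: ", loginFrom(auth, rp, phish, true))
	fmt.Println("forged client: ", loginFrom(auth, rp, phish, false))
}
```

The real origin verifies. A conformant browser refuses to hand the phishing page a credential for example.com at all, and even a client that skips that rule and gets the key to sign produces clientData whose origin field names the phishing site, which the service rejects before it looks at the signature. Nothing the victim does on the fake page, including tapping the key, yields an assertion the real service accepts. Contrast a six-digit code: it is just a string, and whichever site receives it can forward it to the real one.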

For Organizations

Run phishing simulations. You can't train awareness you can't measure. Regular simulated phishing shows where training gaps exist.

Make reporting easy. If people have to dig through menus to report a suspicious email, they won't. One-click reporting buttons work.

Verify payment requests by phone. Any email requesting wire transfers, payment changes, or vendor bank-detail updates should be confirmed through a phone number you already had on file, never one from the email. This one check defeats most business email compromise, which typically carries no link or attachment at all, only a convincing request.

Don't punish reporters. If someone reports a phishing email, thank them. If someone clicks a simulated phish, train them - don't shame them. You want people to report, not hide their mistakes.

Key Takeaways

  • Phishing exploits urgency and authority - slow down before acting
  • Always check the actual sender address, not just the display name
  • Hover over links to see where they really go
  • Verify unexpected requests through a different channel
  • MFA limits damage when credentials are phished
  • Hardware security keys (FIDO2) resist phishing because the credential is bound to the real site's domain
  • Organizations: make reporting easy and run simulations

Written by Bar Tsveker

Senior CloudOps Engineer specializing in AWS, Terraform, and infrastructure automation.
