Marcus had worked at the same company for eleven years. He knew everyone by name, remembered birthdays and always held the door. One Tuesday afternoon, he got an email from IT asking him to verify his account before a system migration. It looked right. The logo was there. The sender looked familiar. He clicked the link, entered his credentials and moved on with his day.
By Thursday, his email account was sending messages he never wrote. His manager's inbox had a request to transfer $14,000 to a vendor Marcus had never heard of. The finance team almost approved it.
Marcus wasn't careless. He wasn't naive. He was just busy, and no one had ever shown him what to look for.
Marcus received a phishing email. It was designed to look like a legitimate IT request. The link led to a fake login page that captured his username and password. Once the attacker had his credentials, they had full access to his email account. From there, they tried to commit financial fraud using his identity and his trusted position inside the company.
Your login credentials are the keys to your work life and, often, your personal life too. One stolen password can open your email, your files, your contacts and your company's finances. Attackers don't need to break through walls. They just need one person to click one link. That person is rarely reckless. They are usually someone exactly like Marcus. Exactly like you.
Before you click a link, pause. Before you enter your password, verify the source. If something feels off, report it to IT. You don't need to be certain. You just need to be cautious.
Slow down before you click. One extra second is often enough to catch something suspicious.
Check the sender's actual email address, not just the display name. Attackers can make a name look real while hiding a fake address underneath.
If an email asks you to log in, go directly to the website instead of clicking the link in the message.
At home, apply the same habit. Fake login pages target personal accounts just as often as work ones.
When in doubt, ask IT. There is no such thing as a silly question when your account is on the line.
Open your email inbox and look at the last five messages that asked you to take action. Check the actual sender address on each one. Not just the name. The full address. Did anything look unexpected?
I pause before clicking links in email or text messages.
I check the sender's full email address, not just the display name.
I go directly to websites instead of clicking through links.
I know how to report a suspicious email to IT.
I apply the same habits at home as I do at work.
Before you click any link in an email, hover over it first and read the actual web address. If you are on a phone, press and hold the link to preview the destination. If it does not match what you expect, do not click it.