How to Spot Phishing Scams: Slow Down and Verify

Phishing works by rushing you. A calm guide to the warning signs — manufactured urgency, mismatched links, requests for your login — and the single habit that defeats almost all of it.

A good phishing message doesn't feel like a trap. It feels like your bank, your delivery company, or your boss — and it feels urgent. That's the trick. Phishing isn't really an attack on your computer; it's an attack on your attention. It catches you mid-rush, mid-distraction, and counts on you reacting before you think.

The reassuring part is that once you know how these messages are built, you start seeing the seams. You don't need to be technical. You just need a few signs to watch for and one steadying habit. Let's go through them calmly, the way I'd want a friend to.

Urgency Is the Tell

Almost every phishing attempt shares one ingredient: pressure. "Your account will be suspended in 24 hours." "Suspicious login detected — act now." "Your package couldn't be delivered, confirm immediately." "Unpaid invoice, final notice."

That pressure isn't an accident. Urgency exists to switch off the part of your brain that asks questions. A scammer wants you anxious and moving fast, because a careful person spots the holes and a panicked person clicks. So treat urgency itself as the first warning sign — not proof of a scam, but a cue to slow down rather than speed up.

Real organizations understand that things take time. Your bank isn't going to delete your account because you didn't click a link within the hour. When a message tries to make your heart race, that's precisely the moment to set the phone down and take a breath.

Phishing doesn't beat you with technology. It beats you with a clock. The most powerful thing you can do is refuse to be hurried.

Once you've slowed down, a few quick checks reveal most fakes.

Start with who it's really from. A display name is easy to fake — anyone can label themselves "Your Bank." Look at the actual email address behind the name, not just the friendly label. Phishers often use addresses that are almost right: an extra letter, a swapped character, a slightly-off domain, or a public email service standing in for a company that would never use one. These lookalikes are designed to pass a quick glance, so give them a slow one.

Then check where links actually lead. Before you click, you can usually hover your mouse over a link on a computer, or press and hold it on a phone, to preview the real destination. If the text says one thing but the address underneath points somewhere unrelated or strange, that mismatch is a classic phishing fingerprint. Be especially wary of addresses crammed with odd words, random characters, or a familiar brand name buried in the middle of an unfamiliar one.

A few more things that should raise an eyebrow:

  • Generic greetings like "Dear Customer" from a company that knows your name.
  • Unexpected attachments, especially ones urging you to enable something or open a file to "view details."
  • Odd phrasing or small errors — awkward grammar, off-brand tone, or a logo that looks slightly wrong.
  • An offer or threat that's out of proportion — a prize you didn't enter for, a fine that makes no sense.

None of these alone proves fraud, but together they paint a picture. Trust that uneasy feeling when something looks just a little off.
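The sender and link checks described above, written as mail-filter logic in Python. This is an added example, not code from the article; the brand map, the sample message and every domain in it are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
KNOWN_BRANDS = {"examplebank": {"examplebank.com"}}  # assumption: hand-maintained brand -> real domains
URL_LIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)
# Constructed sample message; every name and domain in it is made up.
SAMPLE = """From: Example Bank <security@examplebank-alerts.example>
Subject: Your account will be suspended in 24 hours

<p>Dear Customer, <a href="https://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a></p>
"""

def owned(host, domains):  # host is a listed domain or a subdomain of one
    return any(host == d or host.endswith("." + d) for d in domains)

class Links(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.text.strip(), self.href))
            self.href = None

def check_message(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])  # display name vs. the real address
    sender = addr.rpartition("@")[2].lower()
    parser, out = Links(), []
    parser.feed(msg.get_payload())
    for brand, domains in KNOWN_BRANDS.items():
        if brand in name.lower().replace(" ", "") and not owned(sender, domains):
            out.append(f"sender: name claims {brand}, address is @{sender}")
    for text, href in parser.found:
        real = (urlparse(href).hostname or "").lower()  # where the link really goes
        shown = URL_LIKE.fullmatch(text)  # only compare when the text itself looks like a URL
        if shown and shown.group(1).lower() != real:
            out.append(f"link: text shows {shown.group(1)}, goes to {real}")
        for brand, domains in KNOWN_BRANDS.items():
            if brand in real and not owned(real, domains):
                out.append(f"link: {brand} buried in unrelated host {real}")
    return out
```

The host comparison is exact, so a legitimate message whose link text omits `www.` or whose links pass through a tracking redirector will also be flagged. Treat each finding as a cue to verify, not as proof of fraud.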

The Request Itself Is Often the Giveaway

Beyond how a message looks, pay attention to what it's asking you to do. Phishing almost always wants one of two things: your credentials, or your money.

Here's a rule worth carrying with you: a legitimate organization will not ask you to confirm your password, PIN, or a security code through a link in a message. Your bank already knows your details; it doesn't need you to "verify" them by typing them into a page you reached from an email. Anyone asking you to do that is fishing for the keys to your account.

Be equally cautious with requests for one-time codes. Those codes are the second factor protecting your accounts, and no honest support agent will ever ask you to read one aloud or type it somewhere they sent you. If a message or caller wants your code, that's not security — that's the attack.

The same caution applies to pressure around money: an urgent request to pay an invoice, buy gift cards, move funds, or send payment in an unusual way. Scammers love payment methods that are hard to reverse, precisely because once you've sent it, it's gone. If something about a payment request feels rushed or strange, that feeling is doing its job.

Slow Down and Verify

Every sign above folds neatly into one habit, and if you remember nothing else, remember this: when in doubt, stop and verify through a channel you trust.

That means not using the contact details in the suspicious message itself — those lead right back to the scammer. Instead, reach the organization the way you normally would. Type the website address yourself or use your saved bookmark rather than clicking the link. Call the number printed on your card or on an official statement. If a message seems to come from a colleague or family member asking for something unusual, contact them directly through a number you already have. It takes a couple of minutes, and those minutes are what scams can't survive.

This habit is gentle but powerful, because it doesn't depend on you spotting every clever fake. Even if a message is polished enough to fool you, verifying independently catches it. You're not trying to be a detective — you're just refusing to act inside the scammer's frame.

One honest closing note. Phishing keeps evolving; the tactics get more convincing, and what looks obvious today may be subtler tomorrow. So hold these signs loosely and keep that core habit firmly: slow down, look closer, and confirm through a trusted channel. If you ever click something you shouldn't have or hand over a detail by mistake, don't spiral — change the affected password, turn on two-factor authentication, watch for unusual activity, and contact the real organization or a qualified professional if money or identity is involved.

The scammers are betting you'll be too rushed to think. Prove them wrong by slowing down. That single calm pause is the strongest protection you have.

Written by Mara Lindqvist

Mara is a digital-security writer who believes good security is a set of small habits, not constant paranoia. She turns intimidating topics — passwords, backups, phishing, privacy — into calm, doable steps. She's helped enough people recover from avoidable disasters to take backups very, very seriously.
