Why Phishing Still Works
Every year, cybersecurity threats evolve—with buzzwords like ransomware, DDoS, and man-in-the-middle attacks making headlines. While you don’t need to know every technical detail, you do need to understand one thing: most cyberattacks begin with phishing.

According to Trend Micro, 91% of cyberattacks start with phishing, a form of social engineering that manipulates people into handing over information or clicking malicious links. This blog will help you recognize the signs of phishing and show you how to protect yourself and your organization.

What is Social Engineering?
Social engineering is a tactic where cybercriminals trick people into performing actions or revealing sensitive data. These attacks rely on psychological manipulation, not just technical exploits. Here are some common forms:

Pretexting
Attackers pretend to be someone you know—like IT support—asking for login credentials to “resolve an urgent issue.” Remember: no one should ever ask for your password, not even IT.

Quid Pro Quo
“Something for something.” You may be offered a reward (like a gift card) in exchange for completing a survey—but it could be a trap to collect sensitive information.

Tailgating
Attackers seek unauthorized physical access by following you into secured areas—often by posing as delivery staff or using friendly conversation to distract from security protocols.

Phishing (Email-Based Attacks)
The most common form, phishing emails look legitimate but are designed to trick you into clicking links, downloading files, or entering login information.

Types of Phishing Attacks

• Spear Phishing – Targeted emails to specific individuals (e.g., finance team) for access or credentials.

• Whaling – Targeting executives or “big fish” with customized emails (e.g., fake DocuSign requests to steal login data).

• Vishing – Voice phishing over the phone, often impersonating law enforcement or banks.

• Smishing – Phishing via SMS/text messages, prompting you to click malicious links or share personal data.

How to Spot a Phish
Phishing messages often play on urgency, fear, or curiosity. Look out for these red flags:

• Offers that are too good to be true

• Messages requesting personal or financial info

• Unexpected attachments or links

• Emails with odd grammar, formatting, or generic greetings

• Threatening messages claiming legal action or blocked accounts

• Unfamiliar sender addresses or domain names (e.g., "suntust.com" instead of "suntrust.com")

What You Shouldn’t Do

• Don’t click on suspicious links—hover over them to check where they lead.

• Don’t open unexpected attachments.

• Don’t trust emails on mobile devices without verifying—view them on a desktop when in doubt.

What You Should Do

• Verify the sender – Check email addresses carefully for misspellings or inconsistencies.

• Use official websites – Open a new browser tab and type the address manually instead of clicking embedded links.

• Call to confirm – Use known, official numbers (not the one in the message) to verify unexpected requests.

• Report it immediately – Contact your IT or cybersecurity team if you suspect a phishing attempt, even if you clicked something. 

You Are the First—and Last—Line of Defense
Phishing attacks are designed to bypass even the strongest technical defenses. That’s why your awareness and caution are critical. Some of the world’s most high-profile data breaches started with a single phishing email.
By staying alert and following these tips, you help keep your organization secure, and protect your own personal information too. Let’s all do our part to stop phishing in its tracks.