We all know what phishing is. We have been told a thousand times: “don't open strange emails”, “be careful with the links”, “look carefully at the sender's address”. And yet... we still fall for it. You, me, your sysadmin friend, even the CEO. It's not a matter of being naive; it's more complicated than that.
You get an email from the bank. It looks good, the logo is where it should be, the message sounds serious: "We detected suspicious activity on your account. Click here to verify your identity." You do it. And that's it. Your data, your logins, your accounts... in someone else's hands.
It's not a movie story or an oversight by someone “not tech-savvy”. It happens every day. Because phishing doesn't target what you know, it targets how you react: when you're in a hurry, distracted or just trusting. It gets in through emotions, not firewalls. And the worst thing is that you often don't even realize it... until it's too late.
Why does phishing still work?
Yes, we all know what phishing is. That trick that tries to get personal data out of you by pretending to be your bank, a social network or even your boss. It has been explained to us a thousand times. And yet... we keep falling for it. How is it possible?
The answer lies in how our head works. According to Daniel Kahneman (the Nobel Prize-winning psychologist who wrote Thinking, Fast and Slow), we use two types of thinking:
- System 1: fast, automatic, impulsive. It is the one that clicks without thinking twice.
- System 2: slow, logical, more analytical. It is the one that reviews, doubts, verifies... when it has time.
And which one do we use most of the day? Exactly: the fast one. The one that answers emails while drinking coffee, jumps between meetings and has a thousand tabs open. That's where the attackers come in. And not only with emails. There is something called tabnabbing, which takes advantage of the chaos of having a thousand tabs open. It works like this: you leave a page open, go to something else, and in the meantime that tab changes its content without you noticing. When you come back, it seems to ask you to log in (to Gmail, for example), and you confidently enter your username and password. But it's not Gmail... it's a trap.
That's how easy it is to fall for when you're on autopilot. Phishing messages are designed to trigger just that impulsive mode. They pressure you, scare you, or impersonate someone in authority. Some classics:
- Urgency: “Your account will be suspended today if you don't do something!”
- Fear: “We have detected unusual activity on your account.”
- False authority: “Respond as soon as possible to your boss's message.”
And of course, you're busy, distracted, and before you know it... you've already clicked.
How does your brain react to a suspicious email?
You open your mail and there it is, waiting for you in your inbox.
When System 1 (the impulsive one) is in charge:
It sees words like “URGENT” or “your account will be suspended” and panics. It doesn't even look at who sent the email or where the link leads. It just thinks: “My account, my money, my life!” and clicks without thinking. You don't analyze anything, you just react out of fear. The result? The attacker tricked you.
When System 2 (the rational one) takes over:
It feels the urgency, but slows down for a second. It looks at the email with a critical eye and wonders: “Would my bank really write like this?” It hovers the mouse over the link and sees something strange: it doesn't say tubanco.com, it says something like security-tubanco-alert.xyz. It opens the bank's app to check whether there is a similar alert there. And it decides not to click. Instead, it reports the email to IT. The result? System 2 thought twice. And it won.
Today's phishing is not as obvious as it used to be.
Forget about those emails with bad spelling and “click here” phrases. That's gone. Now phishing attacks come well disguised, in different formats, and most of them look quite legitimate. Here are some examples:
| Type of Phishing | How Does It Disguise Itself? |
|---|---|
| Email phishing | Emails with logos, signatures and a professional tone. They look real. |
| Spear phishing | Personalized messages with your name, title or details only someone “inside” would know. |
| Smishing | Text messages saying your package is arriving... and asking you to click a link. |
| Vishing | Phone calls from fake technicians or banks urgently requesting your personal data. |
| Quishing | QR codes placed in public spaces that redirect you to fraudulent websites. |
| Pharming | Websites identical to real ones, but with a slightly altered URL. Hard to spot unless you're paying close attention. |
Today's attacks don't shout “I'm phishing!” at you, they whisper in your ear as if they are trustworthy. That's why it's increasingly important to look twice before you click.
How do we avoid falling for phishing?
The key lies in two things: training the autopilot (the one that clicks without thinking) and activating the most analytical part of your brain, the one that makes you say: “Let's see, this sounds weird”. And no, you don't need to be a security expert to achieve this.
1. Train your automatic mode with drills.
That impulsive side we all have, the one that answers emails while drinking coffee or leaving a meeting, can also be trained. And the more you practice it, the harder it will be to get caught in a corner.
A cybersecurity user awareness solution like the one we offer at TecnetOne is super useful for that. They send you realistic booby traps, you respond as you normally would, and then they tell you if you fell for it or not. This way you get to know your blind spots without putting your information at risk. Not sure if you or your team would click? Try it. Better to fail in a simulation than in real life.
2. Activate your logical side with little nudges.
Sometimes you don't need a whole course to perform better. Just a little reminder at the right time. That's called a digital nudge: it doesn't block you or nag you, it just makes you think two seconds longer... and that can make all the difference.
| Nudge | What Is It For? |
|---|---|
| Alert on external emails | Makes you think twice before trusting something from outside the organization. |
| Tooltip on links | Shows you the real URL before you click. |
| Confirmation before sending data | Stops you before you accidentally send sensitive information. |
| Signature with security message | Constantly reminds you to stay alert with every email. |
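As an added illustration of the “hover and compare” check from the System 2 story and of the link-tooltip nudge above (example code written for this article, not part of any TecnetOne product): a small Python scanner that pulls the links out of an HTML email body, compares the URL shown in the link text with the real destination, and flags destinations that merely contain the bank's name. The email body and the domains (tubanco.com as the trusted domain) are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one lookalike link, one genuine link.
SAMPLE_EMAIL_HTML = """
<p>We detected suspicious activity on your account.</p>
<a href="https://security-tubanco-alert.xyz/verify">https://www.tubanco.com/login</a>
<a href="https://www.tubanco.com/help">Help center</a>
"""

# Assumption: the domain the user actually expects the bank to use.
TRUSTED_DOMAINS = {"tubanco.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host, e.g. www.tubanco.com -> tubanco.com (no multi-label TLD handling)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link deserves a second look; an empty list means it looks consistent."""
    reasons = []
    real = registrable_domain(urlparse(href).hostname or "")
    if real not in trusted:
        reasons.append(f"link goes to {real}, which is not a trusted domain")
        # Lookalike: the brand name embedded in an unrelated domain (security-tubanco-alert.xyz).
        for brand in trusted:
            if brand.split(".")[0] in real:
                reasons.append(f"{real} contains the brand name of {brand} (lookalike)")
    # Visible text shows a URL whose domain differs from where the href really goes.
    shown = re.search(r"https?://([^\s/]+)", text)
    if shown and registrable_domain(shown.group(1)) != real:
        reasons.append(f"text shows {registrable_domain(shown.group(1))} but href goes to {real}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map every href in the body to its list of warning reasons."""
    parser = _LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text, trusted) for href, text in parser.links}
```

Running scan_email(SAMPLE_EMAIL_HTML) returns three reasons for the lookalike link and none for the genuine help link, which is exactly the information a link tooltip puts in front of System 2.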
The solution is not only technical... it is also cultural
It's not enough to give one cybersecurity talk a year or send out a boring PowerPoint. Security is built every day, like any habit. Here are some ideas to reinforce the security culture in your company:
- Frequent drills.
- Challenges, trivia or quick information capsules by mail.
- Recognize those who report suspicious e-mails.
- Include the topic from onboarding.
Think of your team as a muscle: the more it trains, the stronger it responds. And with phishing, that muscle can save you from more than one scare (or million-dollar loss).
At TecnetOne we help you stay one step ahead of phishing
Facing phishing is not only about having good tools, but also about creating habits and reinforcing the security culture within the team.
That's why at TecnetOne we offer a complete awareness solution, which includes customized drills, educational content, trivia, short capsules and dynamics so that everyone (from the intern to the management) knows how to react to an attack attempt. Because yes, prevention starts with people.
But we also know that not everything depends on the user. So we complement that training with TecnetProtect, our advanced protection solution against threats like phishing, malware and fake sites. This platform:
- Analyzes emails, files and links in real time to detect spoofing attempts.
- Blocks access to cloned or suspicious pages, even if they look almost identical to the real ones.
- Protects your computers' browsing without interrupting productivity.
- Gives full visibility to your IT team with clear reports and recommended actions.
With TecnetOne, you combine education + technology to protect your company on all fronts. Interested in learning more? Contact us and we'll show you how we can help you protect your company from phishing, from the first click until not a single breach is left open.