
Stop Before You Click: A Simple Habit That Blocks Many Phishing Attacks


Phishing attacks do not always look sloppy anymore.

Years ago, many fake emails were easy to spot because they had poor spelling, strange formatting, or obvious mistakes. Today, scammers can produce messages that look clean, polite, and professional. Some even copy the tone of a real supplier, bank, courier, government office, or co-worker.

That is why one of the best safety habits is also one of the simplest: pause before you click.

If an email, text message, WhatsApp message, or website pop-up is asking you to act quickly, take a moment before opening a link, downloading an attachment, approving a payment, or entering a password.

Why the pause matters

Phishing works because it creates pressure.

A message may say an account will be closed, a package is waiting, a payment must be made today, a mailbox is full, or a manager needs something urgently. The goal is to make you react before you think.

That short pause gives you time to check whether the request makes sense.

CISA’s Secure Our World guidance recommends a simple approach: recognize suspicious messages, resist clicking links or attachments, report the message where appropriate, and delete it. The FTC gives similar advice for businesses: employees should “take five” before responding and verify suspicious requests through a trusted contact method.

Before you click, check these things

Look closely at the sender, but do not rely on the display name alone. A message can say it came from a familiar company or person while the real email address is different.

Be careful with urgent language. Phrases like “final warning,” “immediate action required,” “payment overdue,” or “your account will be disabled” are common pressure tactics.

Do not use the link in the message to log in. If you think the request might be real, open your browser and type the official website yourself, or use a saved bookmark.

Do not open unexpected attachments, especially if the message asks you to enable macros, sign in again, scan a QR code, or download a “secure document.”

For payment, banking, payroll, or supplier changes, verify through a second channel. Call the person or company using a number you already know is correct — not the number included in the suspicious message.
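
For an IT helpdesk triaging reported messages, the sender, urgent-language, and link checks above can be partly automated. The sketch below is an added example, not part of the original article; `KNOWN_SENDERS`, the sample message, and the `.test` / `.invalid` domains are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Pressure phrases quoted in the checklist above.
URGENT_PHRASES = ("final warning", "immediate action required",
                  "payment overdue", "your account will be disabled")

# Assumption: brand names mapped to the domains that brand really sends from.
KNOWN_SENDERS = {"example bank": {"examplebank.test"}}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_DOMAIN = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def host(value):
    """Lower-cased hostname of a URL or bare domain, without a leading www."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower().removeprefix("www.")


def in_domain(hostname, domain):
    """True if hostname is the domain itself or one of its subdomains."""
    return hostname == domain or hostname.endswith("." + domain)


def triage(from_header, html_body):
    """Return the checklist items a reported message trips."""
    findings = []
    display, address = parseaddr(from_header)
    sender = address.rpartition("@")[2].lower()
    for brand, domains in KNOWN_SENDERS.items():
        if brand in display.lower() and not any(in_domain(sender, d) for d in domains):
            findings.append("display-name-mismatch")
            break
    text = " ".join(re.sub(r"<[^>]+>", " ", html_body).lower().split())
    if any(phrase in text for phrase in URGENT_PHRASES):
        findings.append("urgent-language")
    for href, label in LINK_RE.findall(html_body):
        shown = re.sub(r"<[^>]+>", "", label).strip()
        # Compare only when the visible text itself claims to be a site.
        if LOOKS_LIKE_DOMAIN.fullmatch(shown) and not in_domain(host(href), host(shown)):
            findings.append("link-text-mismatch")
    return findings


# Constructed sample message (not a real phishing email).
SAMPLE_FROM = '"Example Bank Security" <alerts@examplebank-secure.invalid>'
SAMPLE_BODY = ('<p>Final warning: your account will be disabled today.</p>'
               '<a href="http://examplebank.test.login.invalid/verify">www.examplebank.test</a>')

if __name__ == "__main__":
    print(triage(SAMPLE_FROM, SAMPLE_BODY))
```

An empty result only means none of these three checks fired; payment and account changes still need the second-channel verification described above.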

Do this instead

If the message looks suspicious, do not reply to it and do not click the links.

Use your email system’s report phishing or report spam option if available. If your company has an IT helpdesk, forward or report the message according to your internal process.

Then delete the message.

If you already clicked a link or entered a password, report it immediately. The faster IT knows, the faster they can reset passwords, check account activity, block malicious domains, and protect other users who may have received the same message.

A practical office rule

For everyday office work, use this rule:

If a message creates urgency and asks you to click, pay, log in, scan, or download — pause and verify first.

That one habit can stop many common attacks before they become a business problem.

What to do if you are unsure

Ask before acting. Send the message to your supervisor or IT support team and say, “Can you confirm if this is safe?”

It is always better to check a legitimate message twice than to give a scammer one successful click.

Sources: CISA Secure Our World — Recognize and Report Phishing; FTC Business Guidance — Cybersecurity for Small Business: Phishing.
