Phishing
Foundation · 4 min

Spot phishing in 3 seconds

Three quick checks before every click. With this routine you catch 95 % of phishing attempts - in under three seconds.

The three seconds that decide everything

Phishing works because we click on autopilot. A familiar-looking email, an urgent tone, a routine reflex - and the damage is done. The good news: three very quick checks are enough to expose most attempts.

01 - Check the sender

Does the domain match exactly? microsoft.com is not micros0ft.com - and not ms-alerts-secure.com either.

02 - Hover the link

Hold your mouse over the link without clicking. The real destination URL appears in the bottom-left of your browser or mail client.

03 - Question the context

Did I expect this email? Does the tone fit the relationship? If not - don't click.

Step 1 - Actually read the sender

Your mail client often shows only a display name like "Microsoft 365 Team". The real address behind it might be noreply@ms-alerts-secure.com - a completely foreign domain. Click on the display name or hover over it to reveal the real address.

The tricks that show up in 90 % of phishing mails:

  • Letter swaps: rn instead of m, 0 instead of o, 1 instead of l (paypa1.com)
  • Subdomain trap: microsoft.com.support-portal.ru - the real domain is the rightmost part, support-portal.ru
  • Plus tricks: info+microsoft@phisher.com puts the brand name in the part before the @, but the domain is still phisher.com

Step 2 - Hover the link

Always hover over a link before clicking. The status bar or a tooltip shows the real target.

  • Does the domain match the sender?
  • Does the URL start with https://?
  • Do you see a URL shortener like bit.ly or t.co? Extra caution.

On mobile, long-press the link - a preview appears without opening it.

Real case

"Your mailbox is full - click here to expand." Sender: IT Support <it-support@company-cloud-help.com>. The real IT domain would be company.ch. The link led to company-cloud-help.com/login - a near-perfect copy of the login page. Anyone who entered credentials handed them to attackers.

Domain mismatch between the expected brand and the link target - classic phishing.
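The sender and link checks from steps 1 and 2, written out as an added example (this is not code from the original article). It assumes an expected brand domain supplied by the reader, a small constructed lookalike table and shortener list, and uses the real case above as sample input:

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lookalike table and shortener list, constructed from the article's examples.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

def registrable_domain(host: str) -> str:
    """Keep the last two labels: microsoft.com.support-portal.ru -> support-portal.ru.
    Simplification: no public-suffix list, so co.uk-style domains are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def normalize(domain: str) -> str:
    """Undo the letter swaps from the article: 0->o, 1->l, rn->m."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def check_sender(header: str, expected: str) -> list[str]:
    """Step 1: look past the display name at the real address."""
    display, addr = parseaddr(header)
    local, _, domain = addr.rpartition("@")
    reg, findings = registrable_domain(domain), []
    if reg != expected:
        findings.append(f"sender domain {reg} != expected {expected}")
        if normalize(reg) == normalize(expected):
            findings.append(f"lookalike domain: {reg} imitates {expected}")
        if expected.split(".")[0] in (display + local).lower():
            findings.append("brand name only in display name or local part, not in the domain")
    return findings

def check_link(url: str, expected: str) -> list[str]:
    """Step 2: where does the link really go?"""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reg, findings = registrable_domain(host), []
    if reg in SHORTENERS:
        findings.append(f"shortener {reg} hides the real target")
    elif reg != expected:
        findings.append(f"link target {reg} != expected {expected}")
        if host.startswith(expected + "."):
            findings.append(f"subdomain trap: {expected} is only a prefix of {host}")
    if parsed.scheme != "https":
        findings.append("not https (https alone says nothing about who runs the site)")
    return findings

def triage(sender_header: str, url: str, expected: str) -> tuple[str, list[str]]:
    """Combine both checks; any finding means: stop and verify through another channel."""
    findings = check_sender(sender_header, expected) + check_link(url, expected)
    return ("suspicious" if findings else "no mismatch found"), findings
```

Running `triage("IT Support <it-support@company-cloud-help.com>", "https://company-cloud-help.com/login", "company.ch")` flags both the sender and the link, exactly the mismatch the real case describes.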

Step 3 - Context and gut feeling

The most effective defense is the simplest question: did I expect this?

  • Did DHL actually tell me a package was coming?
  • Has my bank ever asked me for a password by email?
  • Does my CEO talk like this?

If the answer is "no" or "unsure": don't click. Ask the sender directly - but through an independent channel (phone, in person, a saved address).

The golden rule

Legitimate organizations never ask for passwords, PINs, or one-time codes by email. Never.

If something feels rushed, pushy, or threatens consequences - it is almost always trying to bypass your judgment. Three seconds of pause is all you need.

Ready to take awareness seriously?

30-minute demo. We'll show you a real phishing campaign, a quarterly report, and the NIS2 mapping - for your industry.