Recognising Phishing Attempts

Phishing guidance is often taught using obvious examples: poorly worded messages from implausible senders, or urgent requests that seem transparently suspicious. Real phishing, however, rarely looks like that. Modern attempts are built around legitimacy: they imitate suppliers, internal systems, collaboration platforms, and normal business processes closely enough to pass a quick glance. Rather than judging a message in isolation, consider whether it fits the context and expectations of a genuine communication.

Most successful phishing exploits familiarity, not ignorance

The more convincing attacks are designed around things people already recognise: notifications from collaboration platforms, document-sharing requests from what appear to be known contacts, and payment or approval requests that follow normal processes closely. The goal is to produce something that feels routine enough to act on without additional thought. That familiarity is the technique, not a coincidence.

In regulated industries and supply chain environments this is worth taking seriously. Procurement relationships, delivery programmes, and supplier structures are sometimes publicly visible or discoverable. An attacker who has researched an organisation’s supply chain can craft a message that references specific projects, contacts, or processes. It doesn’t need to be perfect, just plausible enough in context to avoid attracting extra analysis.

Urgency is a technique, not an emergency

Pressure to act quickly is one of the most consistently used mechanisms in phishing and social engineering: a document requiring immediate sign-off, or a payment that needs processing before a deadline. These messages are designed to reduce the time available to verify the request. The urgency is manufactured specifically to prevent the kind of pause that would allow someone to notice something is wrong.

When a message creates pressure to act immediately, that pressure is itself worth treating as a signal rather than a reason to comply.

Login requests and attachments follow a predictable playbook

Many phishing emails direct users towards imitation login pages designed to capture credentials. The domains used frequently resemble legitimate services very closely, sometimes differing by only a single character or a slight variation in wording. Viewed quickly during an ordinary working day, these differences are easy to miss.
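The single-character and look-alike domain variations described above can be checked mechanically as well as by eye. The following is an added example for illustration, not code from the original article: it normalises a sender's domain, folds common look-alike character sequences, and measures edit distance against an assumed allow-list of trusted domains. The trusted domains (`example.com`, `supplier-example.co.uk`) and the sample sender addresses are constructed placeholders.

```python
"""Flag sender domains that closely resemble a trusted domain.

Added example, not code from the original article. The trusted domains and
the sample sender addresses are constructed placeholders.
"""
import unicodedata

# Assumed allow-list: domains the organisation genuinely corresponds with.
TRUSTED_DOMAINS = ["example.com", "supplier-example.co.uk"]

# Character sequences routinely substituted because they look alike on screen.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def sender_domain(address: str) -> str:
    """Extract the domain from 'user@host' or 'Display Name <user@host>'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1]


def normalise(domain: str) -> str:
    """Lower-case, strip a trailing dot, decode punycode labels, apply NFKC."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # leave the raw form; it is still compared below
    return unicodedata.normalize("NFKC", d)


def fold_confusables(domain: str) -> str:
    """Map look-alike sequences onto a canonical form so 'exarnple' == 'example'."""
    for lookalike, canonical in CONFUSABLES:
        domain = domain.replace(lookalike, canonical)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted'|'lookalike'|'unrelated', closest trusted domain or None)."""
    d = normalise(domain)
    for t in trusted:
        if d == t or d.endswith("." + t):
            return "trusted", t          # exact match or genuine subdomain
    folded = fold_confusables(d)
    best_dist, best_t = None, None
    for t in trusted:
        ft = fold_confusables(t)
        if folded.startswith(ft + "."):
            return "lookalike", t        # trusted name embedded as a leading label
        dist = levenshtein(folded, ft)
        if best_dist is None or dist < best_dist:
            best_dist, best_t = dist, t
    if best_dist is not None and best_dist <= max_distance:
        return "lookalike", best_t
    return "unrelated", None


def scan(addresses):
    """Classify each sender address; returns a list of (address, verdict, match)."""
    return [(a,) + classify_domain(sender_domain(a)) for a in addresses]


if __name__ == "__main__":
    # Constructed sample senders for demonstration only.
    samples = [
        "accounts@example.com",
        '"Finance" <invoices@mail.example.com>',
        "approvals@examp1e.com",                      # digit one for letter l
        "docs@exarnple.com",                          # 'rn' for 'm'
        "payments@ex\u0430mple.com",                  # Cyrillic a
        "portal@example.com.attacker-host.invalid",   # trusted name as a prefix
        "newsletter@totally-different.invalid",
    ]
    for addr, verdict, match in scan(samples):
        note = f"  (resembles {match})" if match else ""
        print(f"{verdict:10} {addr}{note}")
```

A distance threshold of two on the whole domain keeps the check conservative; a mail gateway rule would usually compare only the registrable part and combine this with a sender-reputation or allow-list lookup, since an edit-distance match is a prompt for verification rather than proof of malice.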

Attachments present similar risk. Invoice documents, spreadsheets, compressed files, and PDFs appear routine within normal business communication, which is precisely why they’re used. An attachment that arrives unexpectedly, or that feels slightly inconsistent with how the sender usually communicates, is worth treating with additional care. The vulnerability is greatest when something feels familiar enough not to attract examination.

Multi-factor authentication provides important additional protection, but it isn’t a complete answer. Some phishing techniques are specifically designed to capture authentication codes or prompt users to approve login attempts they didn’t initiate. Current guidance recommends phishing-resistant methods — hardware security keys or passkeys — where these are supported.

Social engineering extends well beyond email

Phishing is one method within a broader category of social engineering. Attacks increasingly take place across messaging platforms, collaboration tools, phone calls, and video meetings. The medium varies; the principle is consistent: create a believable scenario that produces the desired action.

In practice this means verifying unexpected or unusual requests through a separate channel, regardless of how legitimate they appear on the surface.

Technical controls help, but the target is behaviour

Technical controls remain an essential part of cyber security, but social engineering succeeds by exploiting trust, routine, and human behaviour rather than technical weaknesses alone. The most effective defence is often not spotting something obviously malicious. It is recognising when a request, message, or interaction feels inconsistent with what would normally be expected and taking the time to verify it.

That pause matters. Most phishing attempts rely on people acting quickly, following familiar patterns, or assuming legitimacy because something appears routine. Creating a culture where individuals are encouraged to question unexpected requests, verify unusual activity, and report concerns without hesitation remains one of the most effective ways to reduce risk.

Cyber security awareness is not about treating every interaction as suspicious. It is about understanding context well enough to recognise when something doesn’t fit.

