Why you should never click a link in an email
The email looks like it is from your bank. There is a problem with your account, it says, and you have twenty-four hours to confirm your details or it will be locked. There is a button. Your heart rate ticks up, your thumb moves toward it, and that small jump, from worry to tap, is the entire attack.
This is phishing, and it does not need to be clever to work. It needs you to act before you think. So the most useful security habit you can build is almost embarrassingly simple: never act from inside the email. Don’t click the link, don’t tap the button, don’t open the attachment you weren’t expecting. The email is allowed to exist. You just don’t have to do anything it asks.
Phishing pulls one of two levers
Almost every scam email reaches for the same two emotions, because they both short-circuit careful thinking.
The first is fear. Your account is suspended. A payment failed. Someone logged in from another country. Act now or lose access. The countdown is the tell: a real company is happy to let you log in tomorrow. Manufactured urgency exists to stop you from pausing, because pausing is exactly when you would notice something is off.
The second is greed, or its gentler cousin, a pleasant surprise. You’ve won. There’s a refund waiting. A package needs a tiny fee released. An old contact has an opportunity for you. If an email makes you suddenly excited about money you weren’t expecting, treat that excitement as a warning light. The old rule holds: if it sounds too good to be true, it is.
You don’t need to memorise a list of scam types. Just learn the feeling. A jolt of sudden anxiety, or a jolt of sudden reward. That is your cue to slow down. Whatever new shape a scam takes next year, it will still have to pull one of those two levers, and you will feel it.
You can’t reliably spot the fakes anymore
The common advice is “check the sender.” It’s worth doing, but it is no longer
enough to rely on. The display name on an email is just a label the sender chooses,
so “PayPal Support” can sit on top of any address at all. And the address itself
can be a look-alike: paypa1.com with a digit, or a real-looking domain bolted
onto a service you’ve never heard of. The fakes have gotten good, and “I’ll just
look carefully” is a habit that fails on the one busy morning it matters.
So instead of trying to win a spot-the-difference game you will eventually lose, change the rule entirely: assume you cannot tell, and go direct.
Going direct, in practice
When an email wants you to log in, pay, or “verify your details,” the safe move is to reach that service the way you always do, not through the email.
- Open the app. If it’s your bank, your inbox, your shop account, open their app on your phone. A real alert will be waiting for you inside. A fake one won’t exist there.
- Use your own bookmark. No app? Open the site from a bookmark you saved earlier, when you were calm and on the real site.
- Let your password manager find it. If you use one, click its entry for the service and let it open the page.
One thing not to do: don’t type the address fresh from memory into the bar each time. Attackers register misspellings of popular sites and wait, and a single slipped letter can land you on a convincing copy. Typing carefully is not a defence; bookmarks and saved logins are.
And a quick myth to retire: clearing your browsing history does nothing against phishing. It’s fine for privacy on a shared computer, but it doesn’t stop a single fake link. The real protection is the boring stuff above: reaching the service your own way.
The quiet alarm most people miss
Here is the part worth remembering even if you forget everything else.
A password manager fills your login on a site by matching the site’s real address.
That matching is exact. So when you land on paypa1.com instead of paypal.com,
your password manager does something very helpful: nothing. No autofill prompt.
No saved login offered. It simply stays quiet, because as far as it is concerned,
this is a site it has never seen.
People usually read that silence as a glitch and type the password in by hand. It is the opposite of a glitch. The silence is the alarm. If a login page won’t autofill the way it normally does, stop. You are very likely not where you think you are. A tool that can’t be fooled by a look-alike domain is doing the spotting you no longer have to. (If you don’t use a password manager yet, that’s its own small story: you only need to remember two passwords .)
The attachment you didn’t ask for
The same “don’t act from the email” rule covers files. Don’t open an attachment you weren’t expecting, even from a name you know. Addresses get spoofed and accounts get hijacked.
A document is not always just a document. PDFs and Office files can carry embedded scripts and macros, and opening one can be enough to hand a foothold to whoever sent it. If an invoice, parcel slip, or “updated contract” arrives out of nowhere, confirm it through a channel you trust before opening it. A quick message to the real person beats a regretful click.
Images deserve a precise word, because the internet exaggerates this one. A picture can only run code through a genuine flaw in the program that opens it, the kind of rare, unpatched bug behind the occasional “zero-click” headline. That’s real, but it is not every cat photo in your inbox. The everyday image risk is quieter: a remote image loaded from an unknown sender quietly tells them your address is live and that you opened the message, which moves you from a random address to a confirmed target. That is exactly why mail apps block remote images from strangers by default. Leave that setting on.
Make a stolen password survivable
Build all these habits and one day something might still slip through: a tired moment, a very good fake. That’s why the last layer matters. Turn on two-factor authentication wherever it’s offered. With it, your password alone is not enough to get in, so a single bad click stops being game over. It’s the difference between losing a key and losing a key to a lock that also needs your fingerprint.
(Not all second factors are equal, and the strongest kind can’t be phished at all, even if you do click. That’s a story for another post.)
None of this asks you to become suspicious of your own inbox or to study a threat report. It’s one calm reflex, built once and reused forever: let the email sit there, and go reach the real thing yourself. The link was never the only way in. It was just the one someone else chose for you.
