Earlier this month, I received a call from a “Telus” employee informing me I was eligible for a 45% discount on my monthly cell phone bill due to my years of loyalty. What a deal! All I had to do was provide him with my credit card details, and they’d make the changes to my account.
Unfortunately for the rep, I work in cybersecurity, and my spidey sense was tingling. Not to mention, my wife works for Telus, so as both shareholders and consumers, we know they’re not exactly in the business of handing out surprise discounts.
Instead of giving him my credit card, I decided to have a little fun by asking him some questions:
- What department are you with?
- Can you confirm the last payment on my account?
- What’s my current address?
- What part of India are you in?
That last one tipped him off.
He told me he was in Kolkata, that I was a “smart” guy, and that I should go, well, you know, myself.
It was obviously a scam. But the only reason I knew better was because of years working in the security industry. It’s armed me with a healthy skepticism that acts as a kind of makeshift Kevlar in situations like this. However, not everyone carries the zero-trust mindset, least of all people like my parents—and that’s exactly the problem.
These scams are everywhere now, and despite their ridiculous tactics—see the 45% discount above—they still work. Which is why I’m writing this: to pass on some of the tacit skepticism I’ve gained so you’re better equipped to spot, understand, and protect against online attacks.
This post won’t make you a cybersecurity expert. But a little awareness, combined with a few simple habits, can go a long way in keeping you safe.
Attacks are rising, losses are growing, and the most vulnerable are paying the price
Before we talk about how threat actors are deploying cyberattacks and what you can do to defend against them, let’s first look at the data to understand how pervasive they are.
The most recent Internet Crime Report, published by the FBI, found that Americans lost 12.5 billion dollars to online scams in 2023, representing a 22% increase from the year before. The demographic hit the hardest is people over the age of 50, who account for nearly 40% of all incidents and suffer the greatest financial losses. Like most of us, cybercriminals have a soft spot for the aged, just not in the way you’d hope.
While threat actors have a wide arsenal of ways to compromise systems, phishing was the leading technique, making up 43% of all cybercrime complaints. Therefore, it’s the one attack you should be most aware of.
Go phish
Phishing is a form of social engineering that uses deception to trick people into revealing sensitive information, like their password, SIN, or credit card details, or into approving unauthorized transactions, such as transferring money. Phishing works because it exploits emotions like fear, urgency, trust, and even curiosity to provoke a response. And to further strengthen the con, attackers will masquerade as legitimate entities, like a brand, authority, or colleague, to earn a victim’s trust.
Phishing is the most pervasive type of attack because it offers cybercriminals a high return for relatively little effort. And unfortunately, AI has made it even easier to carry out phishing campaigns with greater sophistication. For example, some attackers now use voice cloning technology to impersonate the voices of a victim’s loved ones.
The typical phishing process involves an attacker sending a fake link, which leads the victim to a fraudulent website where they unknowingly enter their legitimate information, which the attacker then harvests to gain access to the real service. That said, it’s not just email anymore. Variants like vishing (voice phishing) and smishing (SMS phishing) have adapted phishing for mobile-first attacks.
In my example, the caller was impersonating Telus (the legitimate brand), preyed on my curiosity (emotion) with the discounted offer, and delivered the attack via a phone call (vishing).
How to spot a scam
Now that we understand how pervasive the attacks are and how they work, let’s dive into how you can identify them.
Irrespective of the form it takes, phishing preys on emotion. Fear, urgency, trust, curiosity.
These are emotional levers attackers pull to get you to act before you think. Some scams rely on fear, like a fake FBI agent calling about unpaid taxes. Others create a sense of urgency, like a supposed Amazon rep offering a “limited-time” promotion that’s about to expire.
The general rule of thumb is that if something feels off, too urgent, or a little too convenient, that’s your cue to pause. Ask yourself: Why the rush? Why now? Why this mode of communication? That split-second gut check can be the difference between staying safe and getting scammed.
While we’re on the topic of methods of communication, you should be highly suspicious of brands engaging you via WhatsApp or Facebook Messenger, but I digress.
Beyond the emotional triggers, there are technical signs you should scan for. Albus Dumbledore once said, “Magic, especially dark magic, leaves traces.” Well, so do cyberattacks. You just have to know where to look.
Courtesy of CrowdStrike, here are some signs of phishing:
- The sender’s domain is off: Maybe the name looks right, but the email is from a sketchy domain like support@amazon-billing-secure123.com or support@amaazon.com (notice the double “a”?). On your phone, this is easy to miss. Look closely.
- Links don’t match the domain: Always hover or press and hold on a link. If it’s claiming to be from your bank but points somewhere else entirely, don’t click. For example, the sender might be support@td.com, but the link in the email directs you to port123.net.
- Poor grammar or strange formatting: It’s not always present, but when it is, it’s a red flag. Legitimate brands have extensive review cycles to ensure customer communications are grammatically correct. For what it’s worth, attackers aren’t necessarily bad spellers. They sometimes do this on purpose to weed out weaker targets.
- Unsolicited attachments: PDF and ZIP files are a dead giveaway. If you weren’t expecting a file, don’t open it. Even if it looks like a receipt, invoice, or shipping label, it’s not worth the risk.
- Generic greetings: “Hi valued user” or “Hello member” are telltale signs. Real companies have technology in place to personalize communications and will use your name.
- They ask for private information: Credit card numbers, account logins, or SINs: no real company will ask for these over the phone without prior context, consent, and authentication.
- There’s urgency or fear: Even though we’ve discussed it above, it’s worth reiterating. “Act now.” “Your account will be deactivated.” “You’ll be fined.” That kind of language is designed to get you to respond before you think.
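As an added illustration (not part of the original post), here is a small Python checker that turns the technical signs above into code: it flags a sender domain that merely resembles a known brand, links whose domain doesn’t match the sender’s, a generic greeting, and urgency phrases. The brand list, similarity threshold, naive two-label domain rule, and sample message are my own constructed values, not anything from CrowdStrike.

```python
import re
from difflib import SequenceMatcher

# Constructed sample list of brand domains to compare senders against.
KNOWN_BRANDS = ("amazon.com", "td.com", "telus.com")
GENERIC_GREETINGS = ("hi valued user", "hello member", "dear customer")
URGENCY_PHRASES = ("act now", "will be deactivated", "you'll be fined", "limited-time")

def registrable(host: str) -> str:
    """Naively reduce a hostname to its last two labels: mail.td.com -> td.com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def sender_domain(header: str) -> str:
    """Pull the domain out of a From header such as 'Amazon <support@amaazon.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", header)
    return registrable(match.group(1)) if match else ""

def lookalike(domain: str):
    """Return the brand a domain imitates when it is close to, but not equal to, it."""
    for brand in KNOWN_BRANDS:
        if domain != brand and SequenceMatcher(None, domain, brand).ratio() >= 0.85:
            return brand
    return None

def link_hosts(body: str) -> list:
    """Collect the registrable domain of every http(s) link in the body."""
    return [registrable(h) for h in re.findall(r"https?://([^/\s]+)", body)]

def phishing_signals(sender: str, body: str) -> list:
    """Apply the checklist and return one plain-language reason per sign found."""
    reasons = []
    domain = sender_domain(sender)
    brand = lookalike(domain)
    if brand:
        reasons.append(f"sender domain {domain} looks like {brand}")
    for host in link_hosts(body):
        if host != domain:
            reasons.append(f"link points to {host}, not the sender domain {domain}")
    text = body.lower()
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    urgent = [phrase for phrase in URGENCY_PHRASES if phrase in text]
    if urgent:
        reasons.append("urgency language: " + ", ".join(urgent))
    return reasons

# Constructed sample message that exhibits several of the signs at once.
SAMPLE_SENDER = "Amazon Support <support@amaazon.com>"
SAMPLE_BODY = ("Hi valued user,\nAct now: your account will be deactivated in 24 hours.\n"
               "Verify your billing details here: http://port123.net/verify\n")
```

Calling `phishing_signals(SAMPLE_SENDER, SAMPLE_BODY)` returns four reasons for the sample, while a message from support@td.com whose only link goes to www.td.com returns none; the two-label rule is deliberately simple and would need a public-suffix list for domains like co.uk.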
Shields up, Scotty!
Identifying a phishing attack is half the battle, but mere identification isn’t enough. We need to think about layering forms of defense to protect ourselves against attackers. Think about your house. You have outdoor lights, doors, windows, locks, chains, cameras, and even alarm systems to deter thieves. Online security follows the same principles (in the industry, this concept is referred to as “Defence in Depth”).
Below are some practical steps you can take to strengthen your defenses online. Each recommendation includes a beginner and advanced suggestion depending on your cybersecurity maturity. The list is also ordered by effort and return on investment. Prioritize the recommendations at the top of the list first, gradually incorporating the ones further down.
Remember, you don’t need to implement everything at once. Think of this like upgrading your home security over time: start with the deadbolt, then install the camera, and finally add the alarm system.
Passwords
Beginner: Use a password manager like 1Password
Attackers love people who reuse passwords. When you reuse the same password across accounts, one breach gives attackers a master key to all your online accounts. A password manager creates and stores strong, unique passwords so you don’t have to remember them all. This way, even if one of your accounts gets phished, the others are safe. If there is any action you take after reading this post, it should be to invest in a password manager to eliminate password reuse across your online accounts.
Advanced: Use passkeys
Passkeys are a form of passwordless login that provide a faster, easier, and more secure sign-in experience. They use biometrics (like your fingerprint or face), are always strong, and can’t be reused or stolen the way passwords can. As a result, they’re more phishing-resistant. Apple, Google, and Microsoft devices support passkeys, as do many vendors like Amazon, WhatsApp, and Yahoo Finance. Where possible, opt for passkeys. If you’re interested in learning more about passkeys, check out my talk at Oktane.
Multi-Factor Authentication (MFA)
Beginner: Enable MFA using text messages (SMS) or email on all your accounts
Think of MFA as a second lock on your door. Even if someone steals your key (your password), they still need a code to get in. It’s so effective that Microsoft claims MFA can block 99.9% of account takeover attempts. I recognize MFA can be annoying, so start by adding it to highly sensitive accounts like your bank, email service provider, utilities portal, and even social media accounts. The latter might seem harmless, but attackers are targeting social media profiles because they contain a wealth of personal info and can be sold or used to launch further scams. Remember that sketchy crypto ad your old friend was suddenly posting on Instagram? That’s how it starts.
Advanced: Use an authenticator app like Google Authenticator or Okta Verify
Text message codes can be intercepted in attacks like SIM-swapping—where someone transfers your phone number to their own device—or through other social engineering tactics. Authenticator apps are more secure because they eliminate that risk by generating one-time codes directly on your device. And for those of you who really want to go Fort Knox, consider a hardware authenticator like a YubiKey.
Account Monitoring
Beginner: Set up account alerts
Most banks and services offer notifications for logins, password changes, and large transactions. It’s a simple way to catch suspicious activity early and acts as a digital tripwire.
Advanced: Use dark web monitoring tools
Sites like Have I Been Pwned can alert you when your email or phone number shows up in a known breach. Many password managers like 1Password and email service providers like Google also offer dark web monitoring, which notifies you if and when your credentials have been exposed online. If your info shows up there, it’s time to reset those credentials immediately.
Unexpected Calls
Beginner: Have a trusted buddy
If you’re unsure whether a call is legit, pause and call someone you trust; think of this like the phone-a-friend lifeline on “Who Wants to Be a Millionaire”. A tech-savvy colleague, a sibling, or that one cousin who’s always fixing computers can help you gut-check the situation. Note that scammers will try to dissuade you from reaching out to anyone, and if they do, it’s a clear sign they’re up to no good. This approach also has the added benefit of giving you time to think before you act, breaking the attacker’s advantage.
Advanced: Ask the caller to authenticate
I recently did this with CAA. Before handing over my credit card to renew my membership, I asked them to verify details on my account — recent payments, billing address, and the last service I used. Real reps have nothing to hide and will happily answer your security questions to give you the assurance you need. Scammers won’t. Be sure to ask questions only the legitimate entity can verify, such as the exact amount on your last payment, your full account number, or when you initially became a customer.
Spam Filters
Beginner: Mark suspicious emails as spam
When you report an email as spam or phishing, your email provider (like Gmail or Outlook) improves its filtering and is less likely to let similar emails through in the future. Deleting isn’t enough; mark it as spam.
Advanced: Use a separate email address for public or non-essential services
Consider keeping your primary inbox private and using a secondary email for newsletters, online shopping, or giveaways. That way, if that address gets flooded with spam or leaked in a breach, your core accounts stay safer and cleaner.
Device Updates
Beginner: Install software updates when prompted
Yes, they’re annoying. But they often include fixes for security vulnerabilities that attackers are actively exploiting. Delaying them is like refusing to lock your door because it’s inconvenient. Hit “Update” immediately, and your future self will be more secure.
Advanced: Enable automatic updates
Make sure automatic updates are turned on for your phone, laptop, and browser. If you’re using older devices that no longer receive security updates (like an iPhone 6 or a Windows 8 laptop), it’s time to upgrade. Unsupported devices are low-hanging fruit for attackers. I know it’s frustrating that companies use this as a means of forcing you to upgrade, but your online security is more valuable than a few hundred dollars.
Public Wi-Fi
Beginner: Avoid public Wi-Fi
Free Wi-Fi at the airport or coffee shop is convenient, but it’s also a goldmine for attackers who can snoop on traffic or run fake networks. If you can, tether to your phone instead. It’s more secure and usually faster.
Advanced: Use a VPN when connecting to public networks
If you must use public Wi-Fi, use a trusted VPN like NordVPN. It encrypts your traffic, making it unreadable to anyone lurking nearby. And avoid logging into sensitive accounts (like banking or healthcare portals) while on open networks; save that for when you’re back on a secure connection.
Final Thoughts
Technology is a lot like dynamite. Alfred Nobel invented it with good intentions to help civilization reshape terrains, build roads, and unlock progress. However, it didn’t take long for people to find more destructive uses for it.
The same goes for the tools we rely on today. Smartphones, social media platforms, and AI have changed the way we live. But they’ve also been weaponized by attackers. In our pursuit of a more digital life, we’ve inadvertently exposed ourselves to more risks.
That doesn’t mean we reject technology. It means we have to be more cognizant of how we use it. Phishing attacks and scams are not going away. My hope for you is that after reading this post, you’re better equipped to understand, identify, and defend against them.
If there’s one mindset to adopt, it’s this: don’t blindly trust, always verify. Because in a world where attackers prey on our trust, a healthy dose of skepticism might just be your best defense.