5ive Stupid Ways to Avoid Phishing

Hi there! I am a curious techie. My spare time is spent with books.
Phishing is terrible. It accounts for most cyber attacks globally, costing billions of dollars annually.
First things first: I don’t have a solid reason for using the word ‘stupid’ in the title. Maybe because it’s so simple and requires just a little common sense, or because it.
The Challenge of Phishing Detection Methods
Caveat aside, let’s get to the real deal.
There are many ways to avoid phishing attacks today, but many of these methods have one thing in common: They are too uncommon, and as a result, most people don’t follow them.
Checking for domain extensions, reading the full link text, or scanning emails for certain phrases works, but how many people actually do this? Hovering over links is extremely simple, and ideally should be on this list, but it has its own limitations.
The methods outlined here work, but like EVERY way of catching phishing, none are a hundred percent foolproof. This is because threat actors are always finding new ways to bypass or evade existing detection methods.
However, the methods I list here aren’t technical in nature, and as a result should encourage more people to actually do these checks.
Check Previews
If someone sends you a fake Facebook login page, what are the odds that the link would have a preview? What are the odds that even if it has one, its preview will resemble that of the original Facebook? Low!
Sometimes legitimate sites don’t show previews, but here is the catch: most of the platforms used to spread phishing links can auto-generate link previews for any webpage link sent using them — Facebook, Email, WhatsApp, Telegram, Instagram, X, etc.
What’s more, the ones that don’t generate visible previews often show them when your mouse hovers over the link. For instance, I am typing this using Google Docs, and if I insert a link here, hovering over the link will bring up the webpage of the link I inserted, and its full URL.
Be on the lookout for link previews, and when you don’t see one, double-check by copying and pasting it in a text box instead of clicking directly.
Note: Some platforms (like Signal or Telegram’s Secret Chats) may disable previews for privacy reasons. So, a missing preview doesn’t always mean it’s phishing — it’s just a prompt to double-check. Well, that’s a bit stressful, but that’s the price you pay for using a secret chat.
Here is an example:

This is a conversation I had with ChatGPT that I decided to share with my WhatsApp contact. You can see that it has a preview that can easily be seen.
Check Domain Age
Suppose you are already on a site, perhaps it has HTTPS on it, but you are cautious not to input sensitive data into it. What can you do?
Check how long the domain has existed. The logic behind this is that the older a site is, the more likely it is to be genuine.
You can do this using a WHOIS lookup service like who.is or other similar tools. A domain that was registered only a few days or weeks ago, especially if it mimics a known brand, is suspicious.
The site docs.google.com is very old.
Let’s see this one:

Let’s see this one:

Judging from these two pages, which is more likely to be trustworthy?
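For readers who want to automate the domain-age check, here is an added example (not part of the original post) that reads the creation date out of WHOIS text and flags a domain that is both young and borrows a brand name. The WHOIS excerpts, the brand list, and the 90-day threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS excerpts (sample data, not real lookups).
WHOIS_OLD = """Domain Name: EXAMPLEBANK.EXAMPLE
Creation Date: 2004-03-11T09:15:42Z
Registrar: Sample Registrar
"""
WHOIS_NEW = """Domain Name: EXAMPLEBANK-SECURE-LOGIN.EXAMPLE
Creation Date: 2025-01-02T18:40:07Z
Registrar: Sample Registrar
"""

# WHOIS output is not standardized; these are a few common labels for the date.
CREATED_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered On|Created)\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE)

def creation_date(whois_text):
    """Return the registration date as an aware datetime, or None if not found."""
    m = CREATED_RE.search(whois_text)
    if not m:
        return None
    try:
        dt = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def assess(domain, whois_text, brands, now, min_age_days=90):
    """Return (age_in_days, reasons). min_age_days is an assumed threshold."""
    created = creation_date(whois_text)
    age = (now - created).days if created else None
    reasons = []
    if age is None:
        reasons.append("creation date not found")  # unknown is not the same as old
    elif age < min_age_days:
        reasons.append(f"registered {age} days ago")
    d = domain.lower()
    for brand, official in brands.items():
        # Brand name appears, but this is neither the official domain nor a subdomain of it.
        if brand in d and d != official and not d.endswith("." + official):
            reasons.append(f"uses '{brand}' but is not {official}")
    return age, reasons

BRANDS = {"examplebank": "examplebank.example"}  # hypothetical brand -> official domain
NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)  # fixed date so results are repeatable
```

An empty list of reasons means neither check fired; it does not prove the site is genuine.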
How then do you check the status of a site?
Depending on the browser you use, check the padlock icon, the info button, or, on Google Chrome, the tune icon.
The tune icon looks like two opposite pins:

This brings up detailed information about the site.
If it’s Too Good To Be True, it's probably not true
I know this sounds so common, but you won’t believe how many people still fall for such scams. It comes in different forms, all leveraging human greed.
You may ask, “How do I even know when I’m faced with such a scam?” The answer is simple. If it excites you immediately, that’s EXACTLY when you need to pause and possibly delay taking that action.
Common examples include:
Crypto gifts or funds.
Someone claims they sent money to you by mistake (Don’t send anything back. Contact your bank or payment provider first.)
The Nigerian Prince (I’m Nigerian, so this is a blow to me; however, many non-Nigerians now use this scam format).
Elon Musk is doing a giveaway, etc.
Here is an example from my X:

Too Good to be true, right?
Speed Kills: Beware of Urgent Requests
I have never seen a legitimate platform that forces me to do anything, and even when it is time-sensitive, they handle it professionally, using methods that are a bit complex for the average scammer to easily mimic.
For instance, Google notifications for untrusted signups will only send you the link to your Google Account settings, and in most cases, you’re already signed in. Google may send these as both in-app alerts and security emails, but they’ll always come from verified sender addresses such as no-reply@accounts.google.com and link to official Google pages.
That’s a professional way of handling a time-sensitive issue. I already know what to expect when Google asks me to validate a login or change my password if I don’t know the person logging in. Many hackers won’t attempt to recreate that experience accurately.
Unless you were specifically targeted in a whaling or spear phishing attack, which has lots of resources poured into it, a scammer will find it difficult to create that professional urgency experience and will resort to the usual urgent request, which is an immediate red flag.
Techno-Blockers
Invest in technology that helps you filter and block unwanted calls, SMS, chats, and emails. I call them Techno-Blockers.
Many communication services come with default block settings and options, but you need to fine-tune them.
Truecaller for phone and SMS can complement the traditional security measures of default phone and messaging apps.
Email providers also offer anti-phishing protections. If you use a custom email, it gets even better — you can enable SPF, DKIM, and DMARC to verify senders, and block messages that fail these checks. Some business email systems also allow you to restrict emails from certain regions or IPs.
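To show what "block messages that fail these checks" looks like in practice, here is an added example (not part of the original post) that reads the SPF, DKIM and DMARC results a receiving mail server records in the Authentication-Results header and turns them into a decision. The server name mx.mail.example, the sample messages, and the deliver/block/quarantine policy are constructed assumptions.

```python
import re
from email import message_from_string

TRUSTED_ID = "mx.mail.example"  # assumed authserv-id of our own receiving server

# Constructed sample mail (not real traffic); only the stamped header differs.
def sample(auth_header):
    return (f"Authentication-Results: {auth_header}\n"
            "From: \"Bank Security\" <security@bank.example>\n"
            "Subject: Urgent: verify your account\n\nAct within 24 hours.\n")

MSG_FAIL = sample("mx.mail.example;\n spf=fail smtp.mailfrom=lookalike.example;\n"
                  " dkim=none;\n dmarc=fail header.from=bank.example")
MSG_PASS = sample("mx.mail.example; spf=pass smtp.mailfrom=bank.example;\n"
                  " dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example")
# Header stamped by some other host: it proves nothing to us.
MSG_UNTRUSTED = sample("mx.unknown.example; dmarc=pass header.from=bank.example")

def auth_results(raw, trusted_id=TRUSTED_ID):
    """Collect spf/dkim/dmarc results from headers stamped by our own server."""
    results = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        tokens = authserv_id.split()
        if not tokens or tokens[0].lower() != trusted_id:
            continue  # not added by our server, so its claims are ignored
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), set()).add(result.lower())
    return results

def verdict(raw):
    """Assumed local policy: DMARC pass delivers, fail blocks, anything else is held."""
    dmarc = auth_results(raw).get("dmarc", set())
    if "fail" in dmarc:
        return "block"
    return "deliver" if "pass" in dmarc else "quarantine"
```

Only a header written by your own mail server counts, because any sender can type an Authentication-Results line into a message.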
Ending Notes
Detecting phishing requires a working brain and a short pause — that’s all. You don’t have to know how to trace IPs or run digital forensics; you just need to think before you click.
Phishing thrives on emotion — mostly excitement, fear, or the feeling that you might miss out on something. Once you learn to spot those emotions the moment they appear, you’ve already beaten half the scam.
The other half is discipline — not clicking every link, not replying to every message, and not assuming that every “urgent” alert is real.
Stay curious, stay suspicious, and remember: every link, message, or “offer” deserves a few seconds of doubt before your next click.
That small delay could be the smartest move you make all day.



