Verifying Links You've Never Seen
According to the Verizon 2024 Data Breach Investigations Report, the median time from opening a phishing email to clicking the link is 21 seconds. Entering credentials takes 28 more seconds. Total time from email open to account compromise: under 60 seconds.
The attackers are counting on you NOT having a verification process. This lesson gives you one. It has four steps, it works for any suspicious link, and it takes less time than the attack itself.
Step 1: Search for the company yourself
Open a new browser tab. Type the company’s name into a search engine. Their real website will appear in the organic results (skip any ads at the top). Now compare that domain to the one in the suspicious message.
Worked example: You receive an email from “Northstar Logistics” with a link to northstar-logistics-portal.com. You search “Northstar Logistics” and find their real website is northstarlogistics.com. The domains don’t match. That’s your answer — don’t click.
This takes about 15 seconds and catches the majority of phishing attempts. Most attackers can’t actually register the real company’s domain, so they register something close. A quick search reveals the difference.
Step 2: Check your own records
Look at past emails, invoices, contracts, or bookmarks from this company. What domain have they used before?
Worked example: You search your inbox for previous emails from Northstar Logistics. Every one came from @northstarlogistics.com. This new message comes from @northstar-logistics-portal.com. Something changed — and that change deserves a phone call before you click anything.
Your own records are one of the most reliable references you have. If a company’s domain suddenly changes without explanation, treat it as suspicious until confirmed.
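The comparison in Steps 1 and 2 can be written down as a small checker, which also makes the common tricks visible: a hyphenated or padded version of the real name, the real domain used as a subdomain of an attacker's domain, and the real domain placed before an `@` so the address starts with a familiar name. The following is an added example, not code from the lesson; `check_link` and its helpers are hypothetical, and `KNOWN_DOMAINS` plus every domain in the comments are constructed for illustration.

```python
# Added example: compare the host in a suspicious link against the domain you
# found yourself (Step 1) or saw in your own past mail (Step 2).
from typing import Optional, Tuple
from urllib.parse import urlsplit

# "Your records": domains this vendor has genuinely used before (constructed).
KNOWN_DOMAINS = {"northstarlogistics.com"}


def host_from_link(link: str) -> Tuple[str, Optional[str]]:
    """Return (hostname, userinfo) for a URL or a bare hostname.

    userinfo is anything before '@' in the authority part. A browser ignores it
    when deciding where to connect, so a link can *start* with the real company's
    domain while actually going to whatever follows the '@'.
    """
    if "://" not in link:
        link = "http://" + link          # accept bare "example.com/path" links
    parts = urlsplit(link)
    return (parts.hostname or "").rstrip("."), parts.username


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplified on purpose: production code
    should consult the Public Suffix List so that 'example.co.uk' works."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def squash(name: str) -> str:
    """Keep only letters and digits so 'northstar-logistics' reads the same
    as 'northstarlogistics' and 'northstarlogistics.com.evil' still shows it."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def check_link(link: str, known=KNOWN_DOMAINS) -> str:
    """Classify a link relative to your records.

    'match'     the link's registrable domain is one you have on file
                (a subdomain such as portal.northstarlogistics.com is fine)
    'lookalike' the company name appears in the host or userinfo but the
                registrable domain is not one you have on file
    'unknown'   no resemblance to a known domain; verify by another route
    """
    host, userinfo = host_from_link(link)
    if not host:
        return "unknown"
    if registrable_domain(host) in known:
        return "match"
    for real in known:
        brand = squash(real.rsplit(".", 1)[0])       # "northstarlogistics"
        # Very short brand names would over-match here; fine for the demo.
        if brand in squash(host) or (userinfo and brand in squash(userinfo)):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in (
        "https://portal.northstarlogistics.com/invoice/123",     # match
        "northstar-logistics-portal.com",                         # lookalike
        "http://northstarlogistics.com.secure-login.example/",    # lookalike
        "http://northstarlogistics.com@secure-login.example/",    # lookalike
        "https://docs.google.com/forms/d/e/abc/viewform",         # unknown
    ):
        print(f"{check_link(sample):10s} {sample}")
```

The 'unknown' result is deliberately not a pass: a link that shares nothing with the vendor's name still needs Step 3 or Step 4. The checker only replaces the eyeball comparison, not the decision to go outside the message.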
Step 3: Go directly instead of clicking
If you need to take action — pay an invoice, log into a portal, update your information — don’t use the link in the message. Go there yourself:
- Type the address you found in Step 1 into your browser
- Use a bookmark you saved previously
- Open the company’s app on your phone
Worked example: An email says your bank account has been locked and provides a link to “verify your identity.” Instead of clicking, you open your bank’s app on your phone and log in normally. No alerts, no lockout, no action needed. The email was fake.
If the action is real — your account genuinely needs attention, your invoice is actually due — you’ll see it when you log in through your own path. If nothing appears, the message was a phishing attempt.
Step 4: Call them
Use a phone number from YOUR records — past invoices, your company’s vendor list, or the Contact Us page on their real website. Do NOT use a phone number from the suspicious message.
Ask: “Did you just send me an email about [describe it]?”
Worked example: You receive an invoice from a vendor with updated wire transfer instructions. Instead of processing it, you call the vendor at the number on your original contract. They confirm they never sent updated banking information. You just prevented a wire fraud attempt.
This is the most powerful verification step, and the one people skip most often. A 30-second call has stopped millions of dollars in fraud. We’ll explore this further in Module 4.
What if it’s on a legitimate platform?
In the last lesson, we covered how attackers host phishing content on Google Forms, Notion, SharePoint, and other trusted platforms. The domain checks out — because the platform really is owned by Google, Microsoft, or whoever.
For these, the question shifts from “is the domain real?” to “does the content make sense?”
Ask yourself:
- Would this company really ask for my password through a Google Form? (No. No legitimate company collects passwords via Google Forms.)
- Would HR really distribute a benefits enrollment through a Notion page? (Unlikely, unless your company actually uses Notion for HR.)
- Would my bank send me to a Microsoft Forms page to verify my identity? (Never.)
If a page on a legitimate platform asks you to enter a password, credit card number, or Social Security number — that’s the red flag. The platform is real, but the person who created that form is not who they claim to be.
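The content check for shared platforms can be stated as a rule the same way the domain check can. The following is an added example and not part of the lesson: it recognises when a link lands on a platform where the domain is real but anyone can publish a page, and then asks whether the page's fields are ones such a form should ever request. `SHARED_PLATFORMS`, `SENSITIVE_FIELD` and the sample form labels are constructed for illustration, and `assess_hosted_form` is a hypothetical name.

```python
# Added example: "does the content make sense?" for links on genuine shared platforms.
import re
from urllib.parse import urlsplit

# Platforms where the domain checks out but the page itself is user-created (constructed list).
SHARED_PLATFORMS = {"docs.google.com", "forms.gle", "forms.office.com",
                    "notion.site", "sharepoint.com"}

# Fields no form on a shared platform should legitimately ask for.
# Word boundaries matter: "pin" must not match "shipping".
SENSITIVE_FIELD = re.compile(
    r"\b(password|passcode|one-time code|social security|ssn|"
    r"credit card|card number|cvv|pin|routing number)\b", re.IGNORECASE)


def shared_platform_for(url: str):
    """Return the matching shared platform for the URL's host, or None."""
    host = (urlsplit(url).hostname or "").lower()
    return next((p for p in SHARED_PLATFORMS if host == p or host.endswith("." + p)), None)


def sensitive_fields(labels):
    """Form field labels that request a secret a shared-platform form should never collect."""
    return [label for label in labels if SENSITIVE_FIELD.search(label)]


def assess_hosted_form(url: str, labels, platforms_your_org_uses=frozenset()) -> str:
    """Verdict for a form reached through a link.

    'not-shared-platform'  ordinary site: use the domain checks from Steps 1 and 2
    'reject'               real platform, but the form asks for a password, card, SSN...
    'verify'               a platform your organisation does not normally use: confirm
                           with the sender by your own route (Step 4) before acting
    'plausible'            expected platform and nothing sensitive requested
    """
    platform = shared_platform_for(url)
    if platform is None:
        return "not-shared-platform"
    if sensitive_fields(labels):
        return "reject"
    if platform not in platforms_your_org_uses:
        return "verify"
    return "plausible"


if __name__ == "__main__":
    # Constructed samples: a "bank" form on Google Forms and an HR page on Notion.
    print(assess_hosted_form("https://docs.google.com/forms/d/e/abc/viewform",
                             ["Full name", "Online banking password"]))          # reject
    print(assess_hosted_form("https://team.notion.site/benefits",
                             ["Name", "Plan choice", "Shipping address"],
                             {"notion.site"}))                                    # plausible
    print(assess_hosted_form("https://team.notion.site/benefits",
                             ["Name", "Plan choice"]))                            # verify
```

The third argument is the part that encodes "unless your company actually uses Notion for HR": the same form is plausible in an organisation that publishes on Notion and merely unverified in one that does not, and in neither case does a sensitive field become acceptable.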
The golden rule of verification
All four steps share one principle:
Never use the suspicious message itself to verify the suspicious message.
The phone number in the phishing email goes to the attacker. The “support chat” link in the phishing email leads to the attacker. The “click here to verify” button in the phishing email takes you to the attacker. Every element of the message is controlled by the person who sent it.
Verification only works when you go outside the message. Search independently. Check your own records. Navigate directly. Call a number you already have. The moment you use the message’s own contents to check whether the message is real, you’ve lost.
The Rule: Never use a suspicious message to verify itself. Go outside of it.