Lesson 3.1

Systematic Validation

7 minutes

The Shift: From Spotting Fakes to Confirming Truth

In the old approach to phishing training, we tried to answer: “Is this message fake?”

The problem? With modern AI and sophisticated attacks, we often can’t tell. The fake looks perfect.

The VERIFY approach asks a different question: “Can I confirm this is real through a channel the attacker doesn’t control?”

This is a fundamental shift. Instead of trying to spot the lie, we verify the truth.

What Does “Verification Through a Separate Channel” Mean?

A separate channel is any way of confirming information that doesn’t use the potentially compromised communication.

Examples of Separate Channels

If you received a suspicious email:

  • Call the company using the phone number on their official website (not from the email)
  • Log in to your account by typing the URL directly (not clicking a link)
  • Contact the sender through a different method you already use (Slack, phone, in person)

If you received a suspicious phone call:

  • Hang up and call back using the number on your card or their official website
  • Log in to your account online to check for any alerts

If you received a suspicious text:

  • Call the sender directly at a number you already have
  • Visit the company’s official website by typing it yourself

The key is: don’t use any contact information provided in the suspicious message itself.

Why This Works: The Attacker’s Blind Spot

Attackers can create incredibly convincing fake communications. They can:

  • Make emails appear to come from legitimate addresses
  • Clone voices to sound like people you know
  • Build perfect replicas of real websites
  • Create deepfake video that looks real

But there’s one thing they cannot do: control what happens when you contact the real organization through its real channels.

If you call your bank at the number on your card, the attacker's fake email becomes irrelevant. Either the bank confirms there's an issue (it was real) or they have no record of it (it was fake). Either way, you're safe.

The Power of “Let Me Verify That”

One of the most powerful phrases you can use:

“Let me verify that and get back to you.”

This phrase works because:

  1. It’s polite and professional — no one can reasonably object
  2. It gives you time to check through a separate channel
  3. It immediately exposes most scams (they rely on immediate action)

Legitimate requesters will understand. They might even appreciate your caution. Only scammers will push back against verification.

Process Beats Perception

Here’s a counter-intuitive truth:

A systematic verification process is more reliable than your ability to spot fakes.

Even security experts can be fooled by sophisticated attacks. The difference is that experts don’t rely on spotting fakes — they verify regardless of how legitimate something looks.

100% The success rate of verification when done through a truly separate channel. If you call the real company and they confirm, you know. If they don't, you know.

When to Use VERIFY

Use VERIFY when:

  1. You feel PUSHED — any of the six emotional manipulation tactics
  2. Something feels “off” — even if you can’t explain why
  3. The request is high-risk — money transfers, password changes, sensitive data
  4. The communication is unexpected — especially for important matters
  5. You’re being asked to bypass normal procedures — “keep this confidential,” “don’t follow the usual process”

Don’t worry about “over-verifying.” The small time investment is worth the protection.

What About False Positives?

“But what if I verify something that turns out to be legitimate? Won’t that waste time or annoy people?”

Two responses:

  1. The time investment is minimal. A verification phone call takes 2-3 minutes. That’s insignificant compared to the hours, days, or months of dealing with a successful attack.

  2. Legitimate people understand. If your bank, boss, or colleague is asking for something important, they’ll appreciate that you take security seriously. If someone gets angry that you want to verify, that itself is a red flag.

The VERIFY Framework

Now that you understand why systematic validation works, let’s look at the six specific steps. That’s what the next lesson covers.

Key Takeaways

  1. Shift from “Is this fake?” to “Can I verify this is real?”
  2. Verify through channels the attacker doesn’t control
  3. Never use contact information from a suspicious message
  4. “Let me verify that” is a powerful phrase
  5. A verification process beats trying to spot fakes
  6. Legitimate people understand and appreciate verification