Lesson 3.2

The Six VERIFY Steps

12 minutes

The Six Steps in Detail

Let’s break down each VERIFY step with practical guidance on how to apply it.


V — View Carefully

What it means: Examine who’s actually contacting you and how.

For Emails:

Check the actual email address, not just the display name.

The display name can say anything — “Bank of America,” “Your CEO,” “Amazon Support.” What matters is the actual email address in the <brackets>.

Spotting Fake Addresses

Legitimate:

Suspicious:

Look for lookalike domains:

  • Extra words: paypal-secure.com, amazon-support.net
  • Character substitutions: paypa1.com (number 1), rnicrosoft.com (‘rn’ looks like ‘m’)
  • Different extensions: google.co (not google.com), apple.info
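As an added example (not part of the lesson), the following Python function applies the three lookalike checks above to an email From header: it ignores the display name, extracts the real domain from the <brackets>, and compares it against a constructed allowlist. The allowlist, the substitution table and the rule that treats subdomains of a known domain as legitimate are assumptions made for this demo.

```python
import re

# Constructed allowlist for the demo; an organization would use its own list.
KNOWN_DOMAINS = {"paypal.com", "amazon.com", "microsoft.com", "google.com", "apple.com"}

# Visual substitutions from the lesson ('1' for 'l', 'rn' for 'm') plus two common ones.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def extract_domain(header_from):
    """Return the domain of the real address, ignoring whatever the display name says."""
    m = re.search(r"<[^<>@\s]+@([^<>@\s]+)>", header_from)
    if m is None:  # bare address with no display name or brackets
        m = re.search(r"[^<>@\s]+@([^<>@\s]+)", header_from)
    return m.group(1).lower().strip(".") if m else None


def _fold(label):
    """Normalize confusable characters so paypa1 and rnicrosoft compare equal to the originals."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def check_sender(header_from, known=KNOWN_DOMAINS):
    """Classify the sending domain as legitimate, a specific kind of lookalike, or unknown."""
    domain = extract_domain(header_from)
    if domain is None:
        return "no-address"
    # Exact match or a subdomain of a known domain (assumption: subdomains are trusted here).
    if any(domain == k or domain.endswith("." + k) for k in known):
        return "legitimate"
    name, _, tld = domain.partition(".")
    for k in known:
        k_name, _, k_tld = k.partition(".")
        if name == k_name and tld != k_tld:          # google.co, apple.info
            return f"lookalike: different extension of {k}"
        if _fold(name) == _fold(k_name):             # paypa1.com, rnicrosoft.com
            return f"lookalike: character substitution for {k}"
        if k_name in re.split(r"[-_]", name):        # paypal-secure.com, amazon-support.net
            return f"lookalike: extra words added to {k}"
    return "unknown"
```

The display name is deliberately never consulted, which is the lesson's point: "Bank of America <alerts@paypa1.com>" is judged on paypa1.com alone.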

For Phone Calls:

Caller ID can be spoofed. Just because it says “Bank of America” doesn’t mean it is.

Questions to consider:

  • Is this how this organization normally contacts me?
  • Did I initiate this interaction, or did they contact me?

For Texts:

Check the sender number. Be suspicious of:

  • Links in texts from unknown numbers
  • Texts from numbers that don’t match the organization’s known short codes

E — Evaluate Context

What it means: Does this make sense given what you know?

Key Questions:

  1. Was I expecting this?
    • A password reset I didn’t request = suspicious
    • A package notification when I haven’t ordered anything = suspicious
    • A login alert when I just logged in = expected
  2. Is this how they normally contact me?
    • Does your bank usually text you, or do they use their app?
    • Does this company ever email you, or is this the first time?
  3. Does this person normally make these requests?
    • Has your CEO ever asked you for gift cards before?
    • Does this vendor usually request wire transfers?
  4. Does the timing make sense?
    • Request at 11 PM from someone who works 9-5?
    • Urgent message while the sender is supposedly on vacation?

Context is powerful. If you didn't request a password reset, ignore the password reset email. If you're not expecting a package, ignore the delivery notification.


R — Request Examination

What it means: What exactly are they asking you to do, and how risky is it?

Analyze the Request:

  1. Is this request unusual for this sender?
    • Does your IT department normally ask you to download software via email?
    • Does your bank ever ask for your password?
  2. How sensitive is the information or action?
    • Sharing your password = very high risk
    • Clicking a link = high risk
    • Viewing information = lower risk
  3. Does this follow normal procedures?
    • Would this usually go through an approval process?
    • Is there usually paperwork or official channels?
  4. Am I being asked to bypass security processes?
    • “Don’t verify this with IT”
    • “Keep this between us”
    • “Ignore the usual approval process”

High-Risk Requests That Always Deserve Extra Scrutiny:

Always verify before:

  • Financial transfers or wire payments
  • Sharing passwords or security codes
  • Downloading files or software
  • Clicking links to log in
  • Providing personal information (SSN, DOB, etc.)
  • Buying gift cards for anyone

I — Interrogate Action

What it means: Challenge the urgency and ask what happens if you wait.

Questions to Ask:

  1. Why must this happen immediately?
    • Real emergencies are rare
    • Most business and personal matters can wait for verification
  2. What happens if I take 10 minutes to verify?
    • If the answer is “catastrophe” — that’s suspicious
    • If the answer is “nothing, I just want it done” — take the time
  3. Can I confirm this deadline through official channels?
    • Is this urgency documented anywhere official?
    • Would the organization confirm this timeline?
  4. If I push back, how do they react?
    • Legitimate requesters understand verification
    • Scammers often escalate pressure or get angry

The golden rule: Legitimate requests can wait for verification. Only scams fall apart when you pause.


F — Freeze Action

What it means: Stop before you take any action. Don’t click, don’t download, don’t share.

What to Freeze:

  • ❌ Don’t click links in unexpected messages
  • ❌ Don’t download unexpected attachments
  • ❌ Don’t share passwords or security codes
  • ❌ Don’t transfer money outside normal procedures
  • ❌ Don’t call phone numbers from suspicious messages
  • ❌ Don’t reply with personal information

Power Phrases:

Use these to buy yourself time:

  • “I need to verify this through official channels first.”
  • “Let me check with my manager and get back to you.”
  • “I’ll call you back on your official number.”
  • “Can you send this through the proper system?”
  • “I need to confirm this before I can proceed.”

Remember: Saying no or delaying isn't rude — it's responsible. If someone makes you feel bad for wanting to verify something important, that's a red flag.


Y — Your Instincts Matter

What it means: Trust your gut. If something feels wrong, it probably is.

Your Instincts Are Valid When:

  • The tone feels wrong for this sender
  • The timing seems suspicious
  • Something just feels “off” but you can’t explain why
  • You feel uneasy about proceeding

You Don’t Need Technical Proof To:

  • Decline a request
  • Ask to verify
  • Report something suspicious
  • Say “I’m not comfortable with this”

Many successful phishing attacks are stopped by people who just had a feeling something wasn’t right. They didn’t need to identify the technical red flags — they just trusted their instincts and verified.

Real Story

A financial controller received a perfectly crafted email from what appeared to be their CEO requesting a wire transfer. The email looked completely legitimate — correct domain, correct signature, correct formatting.

But something felt off. The CEO normally used a slightly different sign-off. The request, while plausible, wasn’t quite how they usually did things.

The controller called the CEO directly. The CEO knew nothing about it. The company avoided a $450,000 loss because someone trusted their gut.


Quick Reference

Step                Question to Ask
V - View            Who is actually sending this? Is the address/number legitimate?
E - Evaluate        Was I expecting this? Does this make sense?
R - Request         What are they asking for? How risky is it?
I - Interrogate     Why the urgency? What if I wait to verify?
F - Freeze          Stop! Don’t click, download, or share yet.
Y - Your Instincts  Does something feel off? Trust that feeling.

Key Takeaways

  1. View the actual sender details, not just display names
  2. Evaluate whether this message makes sense in context
  3. Examine what’s being requested and how risky it is
  4. Interrogate the urgency — can this wait for verification?
  5. Freeze all action until you’ve verified
  6. Trust Your instincts — you don’t need technical proof to be cautious