- #phishing
- #security
- #small-business
Phishing tests you can run on yourself
Four free drills you can run on your own inbox: hover the link, read the sender domain out loud, spot the urgency tell, and verify invoices by phone. The goal is a two-second pause.

Most phishing emails do not look like scams. They look like an invoice, a package update, or a note from Google about your business listing. The people who click are not careless. They are busy, and the email landed while they were doing something else.
I am studying for Security+ (SY0-701) right now. Not certified yet, still working through it, but one thing the material keeps repeating matches what I run into talking with small business owners around Heber City: the weak point is almost never the software. It is the two seconds between reading an email and clicking it. Here are four tests you can run on yourself, free, using the emails already sitting in your inbox.
The hover test
Open your inbox. Pick any email with a button or a link in it. Do not click. On a computer, rest your mouse on the link and wait. The real destination shows up in the bottom corner of your browser or mail app. On a phone, press and hold the link and a preview pops up.
Now read it. Slowly.
A real notice from your bank points at something like wellsfargo.com. A phishing link points at wellsfargo-secure-login.info or wells-fargo.account-verify.net. The trick is that the familiar name is in there somewhere, just not in the part that matters. The part that matters is the last two chunks before the first single slash. wellsfargo.com/anything belongs to Wells Fargo. wellsfargo.com.verify-account.ru does not.
Run this on ten emails. Real ones, junk ones, all of them. You are not hunting scams. You are building the habit of looking before clicking, and the habit is the whole point.
Honest limit: hovering is not bulletproof. Attackers use link shorteners, and sometimes they compromise a legitimate site and send you somewhere real that has been poisoned. But the hover catches most of the lazy stuff, and most phishing is lazy.
The sender domain test
The display name on an email is whatever the sender typed. Anyone can type "Chase Bank". The address behind it is harder to fake well.
Tap or click the sender name so the full address expands. Read the part after the @ out loud. Actually out loud. Your ear catches what your eye skims. "service at chase.com" sounds fine. "service at chase-alerts-online.com" sounds wrong the moment you say it. So does "billing at paypa1.com" with a number one where the L should be.
Run it on your last twenty emails. It takes about three minutes. After a week you will do it automatically on anything that asks for money or a password.
The urgency test
Phishing almost always puts a clock on you. "Your account will be suspended in 24 hours." "Unusual sign-in, verify now." "Final notice." Urgency is the tell because urgency is the tool. The attacker needs you to act before you think.
The self-test: next time an email makes your stomach drop a little, stop and name the feeling. Then look for the time pressure. Is there a countdown? A threat? A penalty for waiting an hour? Real companies almost never need you to act in minutes. Your bank will still be your bank tomorrow.
One rule to train: the more urgent the email, the slower you go. And if it might be real, skip the link entirely. Type the site address yourself, or call the number on the back of your card. That path costs you ninety seconds and closes off the whole attack.
The invoice test
If you run a salon, a grooming shop, a landscaping crew, or a restaurant, there is a version of this aimed straight at you. An email arrives with an invoice attached. Sometimes it claims you owe for a domain renewal or a business listing. Sometimes it pretends to be a supplier you actually use. The amounts are small on purpose, often a few hundred dollars, because small invoices get paid without questions.
The test: pull up the last five invoices you paid from email. For each one, ask whether you could have verified it with a phone call to a number you already had. Then set the rule going forward:
- New bank details on an invoice: call the supplier first.
- A supplier suddenly changes how they want to be paid: call.
- A company you do not remember hiring: do not reply, do not pay, look them up yourself.
Replying goes to the attacker. Calling a number you already had goes to the real business.
I keep this rule for my own one-person company: no payment moves based only on an email. It has cost me nothing, and it removes a whole category of attack.
None of this needs software or a subscription. The skill is a two-second pause: hover, read the domain, notice the clock, verify the invoice. Run the drills once and you will catch the obvious stuff. Run them for a month and the pause becomes reflex, and reflex is what actually protects you on the day you are tired and rushed.
If you run a local business and want a second set of eyes on your website's security basics, forms included, I do a free 24-hour audit. Three real findings, yours to keep either way.
community rating
$ ls ./comments
sign in or create an account to rate and comment.
no comments yet, be first.