Daylila
How cybersecurity works

Lesson 5 of 13

The con, not the code

Explain how attackers trick people, and the tells that give a lure away.

01 · Learn · the idea

A message lands. It looks exactly like your bank. The logo is right, the wording is right, the sender name reads as your bank. “Unusual activity on your account. Your account is locked. Verify within 24 hours to avoid suspension.” There is a button. Your heart does a small jump. Here is the strange part: nothing on your phone has been hacked. No code was cracked. The attack is not aimed at your computer at all. It is aimed at you.

Hacking the person, not the machine

This is social engineering: getting a person to do the attacker’s work for them. Instead of breaking a lock, the attacker talks you into opening it.

In the last lesson we saw that attackers prefer to log in, not break in — they want a working username and password. The fastest way to get one is to ask. Not bluntly, of course. They dress the ask up as something normal and urgent, and they let your own helpfulness, fear, or hurry do the rest. The technical name for the message-shaped version is phishing: a lure cast out hoping someone bites.

The con is old; only the medium is new. A street swindler and a phishing email pull the exact same levers.

The levers a con pulls

A good lure is built from a small set of pressures. Naming them is half the defence — once you can feel a lever being pulled, the spell breaks.

Authority. The message pretends to be someone you obey or trust — your bank, your boss, the tax office, the IT department. We are trained from childhood to comply with authority, and an attacker rents that habit for free.

Urgency and fear. A deadline. A threat. “Within 24 hours.” “Your account will be closed.” The point of the clock is to stop you thinking. A calm person checks; a frightened, rushed person clicks. Manufactured panic is the single most common ingredient.

Familiarity. It looks like a brand you already use, in a format you have seen a hundred times. The message arrives wearing a trusted face, and a trusted face lowers your guard.

A small, routine ask. It rarely demands something outrageous. It asks you to confirm your password, verify your details, approve a payment, open an attached invoice. Each feels like a tiny, normal task — which is exactly why people do it without weighing it.

Stack those together — your bank (authority), account locked (fear), familiar logo (familiarity), just confirm your login (small ask) — and you have the message from the hook of this lesson.

The tells that give a lure away

Every con leaves fingerprints. Here are the five worth memorising.

One — the address is almost-but-not-quite right. Real banks own clean domains. A lure uses a lookalike: your-bank-secure.example instead of your-bank.example, or an extra word, a hyphen, a swapped letter. It reads right at a glance. It is not right.

Two — the link text lies about where it goes. The blue text might say your-bank.example, but the actual link underneath points somewhere else. What you see is not where you land.

Three — manufactured urgency or threat. A real bank does not lock your account by text and give you a countdown. Pressure to act now, before you can check, is itself the warning sign.

Four — an unexpected ask for a secret or a payment. No legitimate organisation emails you to “confirm your password.” They already have it. A request for a password, a one-time code, or a sudden payment is a red flag on its own.

Five — it pushes you off a channel you trust. “Don’t call the number on your card — use this one.” “Reply here, not through the app.” Moving you onto a new channel the attacker controls is a classic move.

The master defence fits in one line: slow down, and verify on a channel you already trust. Don’t use the link, the number, or the reply button the message handed you. Type the bank’s address yourself. Call the number printed on your card. Open the app you already have.

A worked example

Read this lure line by line.

From: Security Team <alerts@your-bank-secure.example>
Subject: ⚠️ Account locked — action required within 24 hours

Dear customer, we detected unusual activity. To restore access, verify your password here: [your-bank.example/verify]

Now catch the tells. The sender is your-bank-secure.example — a lookalike, not the bank’s real domain (tell one). The subject is a countdown threat (tell three). The body asks you to verify your password, which a bank never does (tell four). And the link says your-bank.example but hover over it and it points to the lookalike (tell two). Four fingerprints on one short message.

Caught, each tell defuses it. You don’t click. You close the message, open a new browser tab, and type your bank’s address yourself — or you call the number on the back of your card. If something is genuinely wrong, the real bank tells you through the channel you chose. If nothing is wrong, you have lost ten seconds and avoided handing your login to a stranger.
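The five tells above are mechanical enough to check by code, and the worked example is a good input to check them against. The script below is an added illustration, not Daylila's code or a real mail filter: it parses a message, compares the sender's domain and every link's real destination against a list of domains the reader already trusts, checks whether a link's visible text names a different host than its actual target, and scans the subject and body for the urgency, secret-request and off-channel phrases the lesson describes. The trusted-domain list, the phrase lists and both sample messages are constructed for this example; real mail would carry many more phrasings, and real domain matching needs a public-suffix list rather than the simple brand-name and edit-distance test used here.

```python
"""Added example for Lesson 5: flag the five tells of a lure in a message.
Constructed for illustration; the domains, phrases and messages are not real."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the recipient already trusts (constructed for this example).
TRUSTED_DOMAINS = {"your-bank.example"}

# Phrase lists are deliberately short; they stand in for a much longer real list.
URGENCY_PHRASES = ("within 24 hours", "action required", "account locked",
                   "will be suspended", "will be closed")
SECRET_ASKS = ("verify your password", "confirm your password",
               "one-time code", "approve a payment")
OFF_CHANNEL_PHRASES = ("don't call the number on your card", "use this number",
                       "reply here, not")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
# Visible link text that itself looks like a host or URL, e.g. "your-bank.example/verify".
DOMAINISH_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]|$)", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch a swapped or dropped letter in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if trusted/unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        brand = t.split(".")[0]  # "your-bank" inside "your-bank-secure.example"
        if brand in domain or edit_distance(domain, t) <= 2:
            return t
    return None


def shown_host(text):
    """Host named by a link's visible text, or None if the text is not URL-like."""
    m = DOMAINISH_RE.match(TAG_RE.sub("", text).strip())
    return m.group(1).lower() if m else None


def check_lure(raw):
    """Return a list of (tell number, reason) found in a raw RFC 822-style message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    low = ((msg["Subject"] or "") + " " + TAG_RE.sub(" ", body)).lower()
    tells = []

    # Tell one: the sender's domain is almost-but-not-quite a trusted one.
    _, sender = parseaddr(msg["From"] or "")
    sender_domain = sender.rsplit("@", 1)[-1]
    target = lookalike_of(sender_domain)
    if target:
        tells.append(("1", f"sender {sender_domain} imitates {target}"))

    # Tell two: the link text names one host, the href goes to another.
    for href, shown in ANCHOR_RE.findall(body):
        real_host = (urlparse(href).hostname or "").lower()
        visible = shown_host(shown)
        if visible and visible != real_host:
            tells.append(("2", f"link shows {visible} but goes to {real_host}"))
        elif lookalike_of(real_host):
            tells.append(("1", f"link host {real_host} imitates {lookalike_of(real_host)}"))

    # Tells three to five: manufactured urgency, a secret or payment ask, channel switching.
    for number, phrases, label in (("3", URGENCY_PHRASES, "urgency"),
                                   ("4", SECRET_ASKS, "asks for a secret or payment"),
                                   ("5", OFF_CHANNEL_PHRASES, "pushes you off a trusted channel")):
        hits = [p for p in phrases if p in low]
        if hits:
            tells.append((number, f"{label}: " + ", ".join(hits)))
    return tells


def tell_numbers(raw):
    """Sorted, de-duplicated tell numbers, convenient for a quick verdict."""
    return sorted({n for n, _ in check_lure(raw)})


# The lesson's lure, reconstructed as HTML mail (constructed sample, not a real message).
SAMPLE_LURE = """\
From: Security Team <alerts@your-bank-secure.example>
Subject: Account locked - action required within 24 hours
Content-Type: text/html

<p>Dear customer, we detected unusual activity. To restore access,
verify your password here:
<a href="https://your-bank-secure.example/verify">your-bank.example/verify</a></p>
"""

# A routine, genuine-looking notice for contrast (also constructed).
SAMPLE_GENUINE = """\
From: Your Bank <no-reply@your-bank.example>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement for last month is available in the app you already use.</p>
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("genuine", SAMPLE_GENUINE)):
        print(name, tell_numbers(raw))
        for number, reason in check_lure(raw):
            print(f"  tell {number}: {reason}")
```

Run stand-alone, the script reports tells one to four on the lure and none on the genuine notice, matching the four fingerprints counted in the text. The design point is the same as the lesson's: the checks never trust anything the message supplies (its sender name, its visible link text) and instead compare every claim against what the reader already knows to be true.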

When the lure still works

Suppose the best lure fools you and you type your password in. This is why a second factor — a code or a tap on your phone, which we reach later — matters: the stolen password alone may not be enough to get in.

But don’t lean your whole weight there. The sharpest attacks relay that second code in real time: the fake site asks for the code you just received and passes it straight to the real site within seconds. So the second factor raises the bar; it does not remove the need to spot the lure in the first place. The habit is still the strongest lock.

On the whole

Almost every defence in this course protects a machine. This one protects a person, because the person is usually the weakest link — not because people are foolish, but because a person under pressure, in a hurry, wearing a familiar face’s trust, is easy to nudge.

You are inside this, not above it. The same levers that catch everyone else — authority, fear, a familiar logo, a small routine ask — are built to catch you too, on the day you are tired and busy. The defence is not cleverness; the cleverest people fall for it. The defence is a habit: when a message makes you want to act right now, that urge is the signal to slow down and check on a channel you already trust.

02 · Try · the lab

03 · Check · quick quiz

1. A text says it is from your bank: 'Account locked. Verify your password within 24 hours or lose access,' with a link. What is the safest response?

  • Click the link quickly, since the 24-hour deadline is about to pass
  • Reply to the text asking the bank to confirm it is really them
  • Ignore the link, open your banking app or type the bank's address yourself, and check there
  • Call the phone number printed inside the message to sort it out
Answer

Ignore the link, open your banking app or type the bank's address yourself, and check there — The master rule is to verify on a channel you already trust — not one the message handed you. The link, the reply, and the number in the message could all be the attacker's. Open the app you already have, or type the address yourself.

2. Why do phishing messages so often include a tight deadline or a threat ('within 24 hours', 'account will be suspended')?

  • The urgency is engineered to make you act before you stop to think and check
  • Banks and services genuinely impose tight deadlines like this all the time
  • A countdown proves the message is automated and therefore trustworthy
  • It is a legal requirement to warn customers before closing an account
Answer

The urgency is engineered to make you act before you stop to think and check — Manufactured panic is the most common ingredient in a con. A calm person checks; a frightened, rushed person clicks. The pressure to act now, before verifying, is itself the warning sign.

3. Which of these is the clearest sign a message is a lure rather than genuine?

  • It comes from a company you have never heard of
  • It contains a logo and looks professionally formatted
  • It greets you as 'Dear customer' instead of by your name
  • It asks you to confirm your password, enter a one-time code, or make an unexpected payment
Answer

It asks you to confirm your password, enter a one-time code, or make an unexpected payment — Real organisations don't email asking you to confirm a password — they already have it. An unexpected request for a secret or a payment is a red flag on its own. A logo proves nothing (lures copy them), and an unfamiliar sender or generic greeting is weaker evidence than the ask itself.