Plaintext with Rich
Cybersecurity is an everyone problem. So why does it always sound like it’s only for IT people?
Each week, Rich takes one topic, from phishing to ransomware to how your phone actually tracks you, and explains it in plain language in ten minutes or less. No buzzwords. No condescension. Just the stuff you need to know to stay safer online, explained like you’re a smart person who never had anyone break it down properly. Because you are!
Phishing and Social Engineering: Why the Strongest Defense Is Being Slower
You don't need to break a system if someone will open it for you. You don't need malware if a message feels urgent enough. Most modern breaches don't start with code. They start with a conversation.
This episode breaks down phishing and social engineering by explaining why these attacks keep working: they don't fight logic, they sidestep it. It covers how modern phishing has evolved beyond email to include text messages, voice calls, MFA fatigue attacks, QR code phishing, and AI-assisted impersonation. The episode walks through the emotional triggers attackers rely on (urgency, authority, fear, curiosity, helpfulness), why "I'd never fall for that" is often the opening, and what to do if you've already clicked. The starter kit covers the ten-second pause, second-channel verification, treating "unexpected plus urgent" as suspicious, inspecting senders and destinations, never typing passwords from links, using password managers for detection, strong MFA methods, two-person approval for money movement, and reporting phishing to help stop it for others.
Whether you're responsible for protecting a team or you just want to stop second-guessing every email, Plaintext with Rich explains what actually works.
Is there a topic/term you want me to discuss next? Text me!!
YouTube more your speed? → https://links.sith2.com/YouTube
Apple Podcasts your usual stop? → https://links.sith2.com/Apple
Neither of those? Spotify’s over here → https://links.sith2.com/Spotify
Prefer reading quietly at your own pace? → https://links.sith2.com/Blog
Join us in The Cyber Sanctuary (no robes required) → https://links.sith2.com/Discord
Follow the human behind the microphone → https://links.sith2.com/linkedin
Need another way to reach me? That’s here → https://linktr.ee/rich.greene
Why Phishing Works
SPEAKER_00: You don't need to break a system if someone will simply open it for you. You don't need malware if a message feels urgent enough. And you don't need to be smarter than your target if you can make them rush. Most modern breaches don't start with code or something fancy. Sometimes they start with a simple conversation. Welcome to Plaintext with Rich. Today we're talking about phishing and social engineering.

Let's start easy, as always. Let's start with some definitions. Phishing is when someone sends a message designed to trick you into doing something unsafe: clicking a link, opening a file, typing a password, approving a login, sending money, just confirming details. We've all seen those before. And now social engineering is the bigger category. It's any tactic that uses psychology instead of technology to get a result. So if we think about that, phishing is one method. The real target is behavior. So when people say "I got hacked," what they often mean is "I got convinced." And that distinction matters because it explains why this keeps working.

Phishing succeeds because it doesn't fight logic. It sidesteps it. These attacks are built to trigger emotion first and thinking second, usually one emotion at a time. And when we think about emotions, we're thinking of urgency, authority, fear, curiosity, greed, helpfulness, right? Things like "do this now," "I'm your boss," "there's a problem," "is this you?", "you've won something," "can you handle this quickly?" Right? Once emotion is engaged, typically speed follows. And speed is where mistakes happen. And that's the design behind this. Phishing isn't about fooling smart people. It's about catching normal people in normal moments.

Now let's talk about how this shows up today, because phishing, you know, as we move into 2026, doesn't look like it used to. Now, email is still common, but it's no longer the whole story. Text message phishing, or smishing, is everywhere: delivery notices, bank alerts, unpaid tolls, missing packages. Again, that's something I feel a lot of us listening have probably already seen. We have voice phishing, or what you might hear called vishing. And this is using phone calls that sound official and calm. You might hear this from support desks, fraud departments, police departments, executives asking for a quick favor. Business email compromise, or BEC, targets organizations directly. Now, this is when attackers impersonate vendors or leadership and request payments or account changes or assistance in some capacity. And in these cases, no malware required. Again, just trust. And unfortunately, we also have MFA fatigue, or multi-factor authentication fatigue. And I've mentioned MFA numerous times already, right? This is just repeated login prompts sent until someone just taps approve because they just want to make it stop. QR codes became really popular during the pandemic era because of COVID. It was easier to scan a QR code for menus and to place orders and everything, right? But this just became another attack vector. Scan a code, land on a fake login page, hand over credentials without ever seeing a link whatsoever. And of course, right, increasingly now AI is supporting a lot of these attacks. Better writing, more natural language, voice cloning, familiar tone. But overall, the goal hasn't changed. They want your actions, not so much your attention.

So how do you defend against something designed to feel normal? Well, first off, you don't outsmart it. The goal here is to interrupt it.

unknown: Right?
SPEAKER_00: So if we were to throw you a Plaintext starter kit, this is gonna be your anti-phishing starter kit, right? We're looking at practical, fast, and designed for real life.

Step one: hey, pause for 10 seconds. Any message involving money, passwords, codes, downloads, or urgency, again, it earns a pause. Not to decide forever, but just to break the momentum. Again, phishing needs speed, but you don't have to give it any.

Step two: again, verify using a second channel, or an out-of-band channel. If a message asks you to click, don't. Go to the site yourself, open the app you already use, call a number you already trust. Again, never verify inside the same message. That's where the trap lives.

Step three: we want to treat unexpected plus urgent as suspicious by default. Right? That combination does most of the work for attackers. Unexpected and urgent should slow you down, not speed you up.

And if you have the ability to add a couple of things into your starter kit, look at adding these. Inspect senders and destinations. Look really closely at domains. One extra letter matters. One character that looks slightly off matters. We all know a message can say one thing and link somewhere completely different. Never type passwords from links that you were sent, right? Open a new tab, go to the real site and log in there. Don't simply click on a link and then log in once you get there. As always, I'll find everywhere I can to throw this in there, but use a password manager. Again, not for convenience, but for detection. If it won't autofill, that's a signal. So just keep that in mind. Use strong multi-factor authentication methods: passkeys or hardware keys when possible, authenticator apps over SMS when you have the choice, but at the bare minimum, do whatever is afforded to you by that account or service. At work, require two-person approval for money movements. And I mentioned this previously: wire transfers, vendor changes, payroll updates. Look, no exceptions, right? I think for anything whatsoever, there should be a two-person approval for any important task, whatever you have. And always, always, always report phishing when you see it. Even if you didn't click it, your report might stop it for dozens of other people. A lot of people just delete the messages. Please report phishing if you think it is a phishing message. All right.

If You Already Clicked
SPEAKER_00: Now the part, though, that everyone worries about: what if you already have clicked? First, hey, look, there's no shame. That's how this works. What matters is what happens next. All right. If it's a work device, tell security immediately. Don't try to hide it. Bad news doesn't get better with time. Here, speed beats silence. Change affected passwords, right, from a clean path: not the link, the real site. You want to check those MFA settings, make sure that the attackers didn't add their own inside of there. Look for email forwarding rules. That's usually a quiet persistence trick. If money was involved, make sure we escalate fast. Again, when it comes to money, minutes matter. Again, this isn't about perfection, it's about limiting damage and recovering quickly.

Three Persistent Myths
SPEAKER_00: As always, let's clear up a few myths really quick. Myth number one: phishing is obvious. The reality is bad phish is obvious. And we can all take a minute and think about all those emails we've seen over the years that want to, you know, change. They have millions of dollars in gold and they just need your assistance to get it out, right? But nowadays, good phishing feels routine and it looks routine. Myth number two: "I'd never fall for that." The reality is confidence is often the opening. Fatigue and time pressure do the rest. There have been plenty of times where I've been super busy and I'm just getting focused on work and my phone goes off and it's Amazon saying they can't deliver my package, right? Just always be aware. Myth number three: training solves phishing. The reality is training can help, but really processes and safeguards actually stop it more. Security works best when it assumes humans will be busy, distracted, and helpful. All right.

Plain Text Wrap-Up And CTA
SPEAKER_00: So if we give this a big wrap-up in plain text: phishing is about persuasion, not technology. The strongest defense isn't being smarter, it's being slower and having a verification habit. If you remember one thing, remember this: unexpected and urgent means pause and verify, every single time. If there's a security topic that you want broken down in plain text, send it my way. Email, DM, in the comments, doesn't matter. However you reach me, I will respond and I will read it. If this episode helped, share it with someone who'd actually benefit. This has been Plaintext with Rich. 10 minutes or less, one topic, no panic. I'll see you next time.
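The "inspect senders and destinations" step from the starter kit (does the visible link text match where the link really goes, and is the domain one extra letter or one look-alike character off from a site you trust), written out as an added Python check that is not part of the episode or the show's materials; the TRUSTED allowlist, the CONFUSABLES table and SAMPLE_EMAIL are constructed assumptions.

```python
import re
from urllib.parse import urlparse
TRUSTED = {"example-bank.com", "example.com"}  # constructed allowlist (assumption)
# Look-alike substitutions: fold visually similar characters before comparing.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    # Naive registrable domain: last two labels (no public-suffix list here).
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def fold(domain):
    for lookalike, real in CONFUSABLES.items():
        domain = domain.replace(lookalike, real)
    return domain

def edit_distance(a, b):
    # Levenshtein distance: one extra, missing or swapped letter scores 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_link(href, text):
    # Reasons a link earns the ten-second pause; [] means nothing stood out.
    reasons = []
    href_host = registered_domain(urlparse(href).hostname or "")
    shown = re.search(r"[a-z0-9-]+\.[a-z0-9.-]+", text.lower())  # domain in link text
    if shown and registered_domain(shown.group(0)) != href_host:
        reasons.append("text/href mismatch")  # says one thing, links somewhere else
    if href_host in TRUSTED:
        return reasons
    for trusted in sorted(TRUSTED):  # one letter or one confusable off a trusted site
        if fold(href_host) == fold(trusted) or edit_distance(href_host, trusted) <= 2:
            reasons.append(f"lookalike of {trusted}")
    return reasons or ["not on allowlist"]

def inspect_email(html):
    # Strip inner tags from anchor text, then keep only links with findings.
    links = [(h, re.sub(r"<[^>]+>", "", t).strip()) for h, t in ANCHOR.findall(html)]
    return [(h, r) for h, t in links for r in [inspect_link(h, t)] if r]

SAMPLE_EMAIL = """<a href="https://login.exarnple-bank.com/verify">https://example-bank.com/verify</a>
<a href="https://example-bank.com/help">Help center</a>
<a href="http://examp1e-bank.com/reset">Reset password</a>"""  # constructed sample
```

Calling `inspect_email(SAMPLE_EMAIL)` flags the first and third links and leaves the genuine help link alone. A real deployment would take the allowlist from the sites your organization actually uses and replace the two-label shortcut with a public-suffix list.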