Of everything we cover in a CrypChip cybersecurity session, one habit consistently prevents the most real-world damage: pausing before you click a link in an email. Phishing isn't a sophisticated hack — it's a well-disguised request for trust, and it works because it's designed to feel routine.
What phishing actually looks like
Most phishing emails don't look like scams. They look like a delivery notice, a password reset, a message from a teacher, or an urgent request from someone in authority. The goal is always the same: get you to click a link, download a file, or hand over a password before you've had time to think it through.
The tells that give it away
- Urgency. "Your account will be suspended in 24 hours" is designed to short-circuit careful thinking.
- Mismatched sender details. A display name that says "School Admin" but an address that doesn't match your school's domain.
- Links that don't match their label. Hovering over a link (without clicking) shows you where it actually goes.
- Requests for information a legitimate sender would already have. Banks and schools rarely ask you to "confirm" a password by email.
The one habit that matters most
Before clicking anything in an unexpected email, ask: was I expecting this? If not, go to the website or app directly instead of through the link, and verify through a second channel if it claims to be urgent. That ten-second pause is the entire defense — no technical skill required.
Why we teach this first
In our Cybersecurity Workshops, we run a live phishing demonstration so students see, firsthand, how convincing these emails can look — and how quickly the tells become obvious once you know what to look for. It's the fastest way to turn a vague warning into a habit that sticks.