Your shipment is waiting, but it needs your approval. Your subscription payment has failed, but your loyalty qualifies you for three free months. Payment is due on this account – please use these bank details. If you are tired of receiving these (unsolicited) marketing messages, just click this link to unsubscribe.

What do all these messages have in common? They are real-world examples of phishing attacks, emails designed to hoodwink people into doing the wrong thing: unintentionally installing harmful software, giving away their credit card details, or making a payment into the wrong bank account.

But one phrase can keep you secure: is it legit?

The phishing scourge

Phishing is the most widely used and successful cybercrime attack. Some estimates claim that over 3 billion phishing emails are sent every year. It’s a cheap, simple and very effective tactic because it targets people.

“I don’t like the saying that people are the weakest link in security,” says Gerhard Swart, chief technology officer at Performanta. “Instead, we should say that people are the best target. If a computer is properly secured, it takes a lot of technical effort and know-how to fool that machine into installing bad software or something to that degree.

“But, because of the trust we give humans, which need to use those computers, they can be manipulated into making those mistakes. And because the computer they use trusts them, humans can unintentionally subvert security. Humans enjoy a terrific amount of security privilege, that’s why cybercrime often targets people.”

Cybercriminals try to provoke us into sudden and spontaneous actions that we will regret later, but by then, the damage is done.

This is the purpose of phishing emails: they appeal to our base emotions and make us reactive. The promise of lotto winnings or an unexpected delivery, banking instructions from an angry customer, or even an odd letter from your child’s school – criminals will stoop low to hijack our attention and get us to interact with a dangerous attachment or link.

Is it legit?

Yet phishing attacks are not automatic. They require a person to interact with that bad attachment or link, hoping we don’t consider our actions. Hence why phishing messages lure us with great reward or urgency. The simplest countermeasure is to pause and ask: “Is it legit?”

“Are you waiting for a package? Did you expect that client to suddenly change their banking details? Has an unknown aunt really died and left a fortune to you? No, most likely not. Let’s take a common example: an email claiming your Netflix subscription has failed. But did you get a notice from the bank? Has your Netflix stopped working? It takes a few seconds to check. Phishing attacks hope you don’t until it’s too late,” says Swart.

When we take a few seconds to question the legitimacy of an email, we thwart phishing. Look at an email and ask yourself: “Is this legit?” If there is any doubt, don’t click on anything. Report the incident to your IT department or service provider, and delete the email. Phishing emails could even arrive from a trusted person whose account was hijacked.

Legitimacy must pass several tests:

* Are you expecting this correspondence?

* Does the correspondence sound like that person?

* Does the correspondence inform, not demand immediate action?

* Can you verify the message independently (such as calling the sender)?

If it fails on any of these points, the email (or SMS or instant message) is not legit. There are other signs as well because criminals keep evolving their tactics. But taking a moment to pause and evaluate the message will almost always stop their attempt.

Keep your business and people secure. Start by encouraging them to adopt this single habit – when responding to a message, pause and ask: “Is it legit?”