How mcrosoft.com Got Me
I pride myself on spotting phishing emails. Genuinely. Nine times out of ten, I clock them immediately.
It also helps that I’ve basically stopped reading emails altogether.
The Setup
So there I am, Monday morning. I decide to open Outlook. I wait ten minutes whilst it remembers how to launch on a Mac. Standard procedure.
An email arrives. It’s from Teams. The image doesn’t render properly… but that’s Outlook, isn’t it? Nothing unusual there.
I click. I click preview.
And the moment I do, I see the sender domain.
mcrosoft.com
The mouse went across the room.
The Aftermath
Not my proudest moment. But when you realise you’ve been had, there’s a brief window where your brain just… rejects reality. I knew instantly. The clicking, the previewing, the casual assumption that everything was fine. All of it, completely wrong.
Luckily it was a test. One I failed spectacularly.
I’ve been working in and around IT for years. I’ve seen compromised accounts. I’ve helped clean up the aftermath. I’ve sat through more security awareness training than I can count. I genuinely thought I was good at this.
Turns out, none of that matters.
The Real Lesson
Here’s what I got wrong. I thought spotting phishing was a skill. Something you develop, refine, and eventually master. Spot enough dodgy emails and you become immune.
But it doesn’t work that way.
Phishing isn’t designed to fool stupid people. It’s designed to catch smart people at the wrong moment. People who are tired. People who are distracted. People who are just trying to clear their inbox before the first meeting of the day.
People who think they’re too clever to fall for it.
That confidence is the vulnerability. The more convinced you are that you’ll notice something suspicious, the less likely you are to actually check. You trust your instincts. You assume you’d spot it. You stop paying attention.
And then mcrosoft.com slips right past you.
Why It’s Inevitable
The volume of communication we deal with daily makes this inevitable. Emails, Teams messages, Slack pings, calendar invites, automated alerts from systems you forgot existed. Every single one trains you to click without thinking. Because if you scrutinised every notification carefully, you’d never get anything done.
Phishing exploits that. It doesn’t need you to be careless. It just needs you to be busy.
I wasn’t rushing on Monday. I wasn’t being reckless. The email looked completely normal. Teams sends notifications constantly. Outlook failing to render images is so common I don’t even register it anymore. Everything about the moment felt routine.
That’s exactly why it worked.
The Uncomfortable Truth
There’s a lesson here I didn’t want to learn. You can be experienced, trained, vigilant, and aware. You can spot nine out of ten attempts without breaking a sweat. And you will still get caught eventually.
Not because you’re bad at this. Because you’re human.
The security teams running these tests know something we don’t want to accept. Everyone has a weak moment. Everyone has a Monday morning where they’re not quite switched on. Everyone has an email that arrives at exactly the wrong time, looking exactly normal enough to slip through.
It’s not a question of if. It’s when.
Your Turn Is Coming
So if you’ve never failed a phishing test, one of two things is true. Either you’re paying superhuman attention to every single email you receive, every single day, without exception.
Or your security team just hasn’t found your moment yet.
They will.
Somewhere right now, there’s a security analyst crafting an email designed specifically for people like you. People who think they’re immune. People who’ve spotted so many obvious attempts that they’ve stopped expecting subtle ones.
It’ll arrive when you’re tired. When you’re distracted. When you’re just trying to get through your day. It’ll look completely normal.
And you’ll click it.
Not because you’re careless. Because no one stays vigilant forever.
The sooner we accept that, the better. Thinking you’re too good to get caught is exactly how you get caught.
Trust me. I know. My mouse knows too.
Anyone else been humbled by one of these lately? Or still convinced it won’t happen to you?