Are You Making These Common Phishing Mistakes? (Even on “Safe” Websites)

I’ve been in the IT game since 1981. Over those four decades, I’ve seen the landscape change from bulky mainframes to the sleek, borderless world of cloud computing. But if there is one thing that has remained a constant threat, and only seems to get more dangerous with time, it’s the art of deception.

Specifically, phishing.

We all like to think we’re too smart to fall for a “Nigerian Prince” email these days. But modern phishing has evolved. It’s no longer just about poorly written emails; it’s about sophisticated social engineering, look-alike domains, and exploiting the trust we place in “safe” websites.

In my work at Cloud Computer Company, I see even the most tech-savvy business owners get tripped up by these tactics. Today, I want to pull back the curtain on the mistakes people are making right now, even on sites they think they can trust.

The Myth of the “Secure” Padlock

One of the biggest mistakes I see is a blind trust in the little padlock icon in your browser’s address bar.

For years, we were told: “Look for the padlock and HTTPS. That means the site is safe.” While that was true in the early days of the web, it’s a dangerous assumption today. HTTPS simply means the connection between your computer and the website is encrypted. It doesn’t mean the person on the other end isn’t a criminal.

Hackers now easily obtain valid SSL/TLS certificates for their fraudulent sites. If you’re entering your Google Workspace credentials into a site that looks like Google, the padlock only confirms that your password is being sent securely to a hacker.

When people ask me how secure cloud computing is, I always tell them that the infrastructure is incredibly solid, but the human element is the variable we have to watch.

Look-Alike Domains: The “Homograph” Attack

This is where things get really sneaky. You might receive an email that looks like it’s from your bank or a software provider you use every day. You check the URL, and it looks fine at a glance. But is it?

In a “homograph” attack, the attacker registers a domain built from characters of another alphabet that look identical to Latin letters. For example, a Cyrillic “а” looks exactly like a Latin “a,” but to a computer it is a different character, so the address leads to a completely different server.

Then there’s “typosquatting.” You might see micros0ft.com (with a zero) or cloudcomputercompany.co (missing the last letters). If you’re busy and skimming, your brain fills in the gaps.

[Image] Caption: A visual comparison of a legitimate URL versus a sophisticated look-alike domain using typosquatting.

I always recommend that my clients understand the basics of what DNS is, because knowing how the internet routes you to a site is your first line of defense. If the domain doesn’t match the real one exactly, close the tab immediately.
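As an added illustration that is not part of the original post: a small Python check a help desk could run over a suspicious link before anyone clicks it. It decodes punycode (the xn-- form a browser actually sends), flags labels that mix Unicode scripts, folds a constructed table of confusable glyphs to catch micros0ft-style swaps, and measures edit distance to a constructed allow-list of trusted domains to catch typosquats such as a dropped TLD letter. The allow-list and the confusables table are assumptions for this example; a real deployment would use the full Unicode confusables data.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"google.com", "microsoft.com", "apple.com"}  # constructed allow-list for this example
# Constructed, deliberately tiny confusables table: look-alike glyph -> the Latin letter it imitates
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i", "0": "o", "1": "l"}

def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare domain without a scheme is accepted too."""
    return (urlsplit(url if "://" in url else "https://" + url).hostname or "").lower()

def displayed(host: str) -> str:
    """Undo punycode (xn--) so we judge what the address bar renders, not the wire form."""
    return host.encode("ascii").decode("idna") if host.isascii() else host

def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "?").split(" ")[0] for c in label if c.isalpha()}

def skeleton(host: str) -> str:
    return "".join(CONFUSABLES.get(c, c) for c in host)  # fold look-alikes to the letter they imitate

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typosquats such as a dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(url: str, trusted=TRUSTED) -> list:
    """Warnings for a link; empty means it is a trusted domain or nothing resembles one."""
    host = host_of(url)
    shown = displayed(host)
    if shown in trusted or any(shown.endswith("." + good) for good in trusted):
        return []
    warnings = []
    if not shown.isascii():
        warnings.append(f"non-ASCII host {shown!r} (sent on the wire as {host!r})")
    for label in shown.split("."):
        if len(scripts_in(label)) > 1:
            warnings.append(f"label {label!r} mixes scripts: {sorted(scripts_in(label))}")
    for good in sorted(trusted):
        if skeleton(shown) == skeleton(good):
            warnings.append(f"{shown!r} renders like trusted {good!r} but is a different domain")
        elif 0 < levenshtein(shown, good) <= 2:
            warnings.append(f"{shown!r} is within 2 edits of trusted {good!r}")
    return warnings
```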

The “Quishing” Trend: Phishing via QR Codes

Since the pandemic, QR codes have been everywhere. We use them for menus, check-ins, and payments. But hackers have realized that QR codes are a fantastic way to bypass traditional email filters.

Standard security software is great at scanning links in an email, but it struggles to “read” the destination of a QR code embedded in an image. You might get an email saying there’s a problem with your Microsoft 365 billing and to “scan this code to update your details.”

Because we use our phones to scan QR codes, we often lose the security features of our desktop browsers. On a mobile device, a long, malicious URL is often truncated, making it nearly impossible to see that you’re on a spoofed site. I’ve written before about how to avoid common remote access scams, and the principle is the same: never use a link (or a code) provided in an unsolicited message.

Social Engineering: Exploiting Your Emotions

Phishing isn’t just a technical problem; it’s a psychological one. The most successful attacks don’t rely on fancy code; they rely on creating a sense of urgency or fear.

“Your account will be suspended in 2 hours.”
“Suspicious activity detected on your payroll.”
“Action Required: Unpaid Invoice #8842.”

When we’re stressed or in a rush, the logical part of our brain takes a backseat. This is exactly what the attacker wants. They want you to click first and think later.

In my years managing IT for major corporations like the State Bank of NSW and during the Sydney 2000 Olympics, I learned that the most secure systems in the world can be bypassed if an employee is pressured into “helping” someone or “fixing” an urgent problem.

[Image] Caption: An illustration of a high-pressure phishing email designed to trigger an emotional response.

The Invisible Threat: Credential Harvesting on “Safe” Platforms

One of the most sophisticated tactics I’ve seen lately involves hackers hosting phishing pages on legitimate, “safe” services like Google Drive, Dropbox, or even Microsoft OneNote.

Because the link points to drive.google.com, your email filter might let it through. You click the link, and you see a legitimate-looking login box. You think, “Well, I’m on a Google site, so it must be fine.” But that login box is just a form designed to steal your username and password.

If you are using Google Workspace for your business, remember that Google will almost never ask you to sign in again to view a document if you are already signed into your browser.

How to Protect Your Business

So, how do you stop these mistakes from happening? It comes down to a mix of technical settings and a healthy dose of skepticism.

  1. Implement Multi-Factor Authentication (MFA): This is non-negotiable. Even if a hacker gets your password through a look-alike site, they can’t get in without that second code.
  2. Hover Before You Click: Always hover your mouse over a link to see the actual destination in the bottom corner of your browser.
  3. Check Your Protocols: Make sure the common email security protocols, such as SPF, DKIM, and DMARC, are explained to your team and implemented for your domain. These help prevent people from spoofing your own domain.
  4. Verify via a Different Channel: If you get an urgent “invoice” from a supplier, don’t reply to the email. Pick up the phone or start a new email to a known contact.

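As an added example, not from the original post: a Python check of the DMARC record a domain publishes in DNS, flagging the settings that leave the domain spoofable even though "DMARC is set up". The record values are constructed samples; in practice the value comes from the _dmarc.<your-domain> TXT record.

```python
def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record value such as 'v=DMARC1; p=reject; rua=mailto:...' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # split once: rua values contain ':' and ','
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(txt: str) -> list:
    """List the settings that leave a domain spoofable; an empty list means the policy is enforced."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: the value must start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: the record is invalid or treated as p=none, so nothing is enforced")
    elif policy == "none":
        findings.append("p=none is monitor-only: mail that fails SPF/DKIM alignment is still delivered")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected while the main domain is enforced")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only that share of failing mail")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua= aggregate-report address: you will not see who is spoofing your domain")
    return findings

# Constructed sample records for a quick look (not real DNS data).
WEAK = "v=DMARC1; p=none"
STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
if __name__ == "__main__":
    for record in (WEAK, STRONG):
        print(record, "->", dmarc_findings(record) or ["no findings"])
```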
[Image] Caption: A checklist for verifying the authenticity of an email before taking action.

Final Thoughts

Technology has come a long way since I started in ’81, but the human element remains the most critical part of your security strategy. Phishing is getting harder to spot, but by slowing down and looking for these sophisticated red flags, you can keep your data, and your business, safe.

If you’re worried your team might be vulnerable, or you want to make sure your cloud setup is as tight as it can be, feel free to reach out. We’ve been helping businesses navigate the transition to the cloud since 2008, and we’re here to help you too.


About Mathew Hoffman

Mathew Hoffman is the Owner of Cloud Computer Company. With a career in IT spanning back to 1981, Mathew has held senior IT roles at the State Bank of NSW, Minet Australia, Wilhelmsen Lines, and Rothmans of Pall Mall. He notably worked on the IT infrastructure for the Sydney 2000 Olympics before transitioning into IT consultancy for small and medium businesses in 2001.

A pioneer in the cloud space, Mathew was an original Google Partner in 2008 and re-branded his firm to Cloud Computer Company in 2017 to focus on delivering world-class cloud services. Now based in Noosa, Mathew is a dedicated family man and a passionate sports fan. You’ll often find him at the beach, on the golf course, or involved with cricket, having played and coached for many years both in Sydney and on the Sunshine Coast.
