Plaintext with Rich
Cybersecurity is an everyone problem. So why does it always sound like it’s only for IT people?
Each week, Rich takes one topic, from phishing to ransomware to how your phone actually tracks you, and explains it in plain language in ten minutes or less. No buzzwords. No condescension. Just the stuff you need to know to stay safer online, explained like you’re a smart person who never had anyone break it down properly. Because you are!
How Phishing Wins By Borrowing Your Emotions
Most breaches don’t start with malware. They start with a feeling. We explore why social engineering works so well in ordinary moments, and how attackers lean on urgency, authority, and fear to push quick clicks, rushed approvals, and hasty payments. From email to texts, calls, QR codes, and AI‑polished messages, the goal is always the same: capture your action before your judgment arrives.
We walk through clear definitions to separate phishing from the broader field of social engineering, then map the modern attack surface: smishing that imitates banks and delivery alerts, vishing that mimics support desks and fraud departments, business email compromise that reroutes invoices, and MFA fatigue attacks that poke until someone taps approve. You’ll hear how voice cloning and fluent writing make lures feel familiar, and why the best fix isn’t being smarter, it’s being slower.
To make that practical, we share an anti‑phishing starter kit you can use today. Pause for ten seconds when messages touch money, passwords, codes, downloads, or urgency. Verify requests in a second channel you already trust. Treat “unexpected plus urgent” as suspicious by default. Then add stronger layers: inspect domains and destinations, use password managers for detection, prefer passkeys or hardware keys for MFA, and require two‑person approvals for wire transfers, vendor changes, and payroll updates. If you’ve already clicked, act fast: alert security, change passwords from a clean path, check MFA and forwarding rules, and escalate immediately when money is at risk. We end by busting three myths: good phishing isn’t obvious, confidence invites mistakes, and training helps but processes stop more.
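Two of the starter-kit layers above, "inspect domains and destinations" and "if the password manager won't autofill, that's a signal", come down to the same check: does the link's registrable domain exactly match a site you already trust? The script below is an added example, not code from the show; it assumes a constructed list of trusted domains and a simplified "last two labels" rule for the registrable domain (it does not handle multi-label public suffixes such as co.uk). It mirrors what autofill does (exact registrable-domain match) and then names the usual ways a lookalike link misses that match: a trusted name embedded under another domain, a one- or two-character edit, a punycode label, or a `user@host` prefix that hides the real host.

```python
"""Lookalike-link check for URLs found in messages (added example, not the show's code)."""
from urllib.parse import urlsplit

# Constructed trusted list: the registrable domains of the sites this user
# actually logs into, standing in for a password manager's saved entries.
TRUSTED_DOMAINS = {"example-bank.com", "example-parcel.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption for this example: multi-label
    public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return {'host', 'registrable', 'status', 'reasons'} for a link.

    status is 'trusted' only on an exact registrable-domain match (the same
    test autofill applies), 'suspicious' when a lookalike pattern is found,
    and 'unknown' otherwise, which still means: go to the real site yourself.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    result = {"host": host, "registrable": "", "status": "unknown", "reasons": []}
    if not host:
        result["reasons"].append("no hostname in link")
        return result

    reg = registrable_domain(host)
    result["registrable"] = reg
    if reg in trusted:
        result["status"] = "trusted"
        return result

    # Everything below is a reason to treat the link as suspicious.
    if "@" in parts.netloc:
        result["reasons"].append("text before '@' is userinfo, not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        result["reasons"].append("internationalised (punycode) label can mimic Latin letters")
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            result["reasons"].append(f"trusted name {t} embedded under {reg}")
        elif levenshtein(reg, t) <= 2:
            result["reasons"].append(f"{reg} is within 2 edits of {t}")

    result["status"] = "suspicious" if result["reasons"] else "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample links, the kinds of destinations a smishing text might carry.
    for link in (
        "https://login.example-bank.com/account",
        "https://example-bank.com.secure-login.net/",
        "https://examp1e-bank.com/login",
        "https://example-bank.com@evil.net/login",
        "https://xn--bad-example.com/",
        "https://unrelated.example/",
    ):
        verdict = classify_link(link)
        print(f"{verdict['status']:10} {link}  {'; '.join(verdict['reasons'])}")
```

The "unknown" outcome is deliberate: a link that is neither trusted nor obviously lookalike is still not a reason to log in from the message, it is the cue to open a new tab and go to the site you already use.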
If this helped, share it with someone who moves fast under pressure, subscribe for future plain‑text breakdowns, and leave a quick review to help others find the show.
Is there a topic/term you want me to discuss next? Text me!!
YouTube more your speed? → https://links.sith2.com/YouTube
Apple Podcasts your usual stop? → https://links.sith2.com/Apple
Neither of those? Spotify’s over here → https://links.sith2.com/Spotify
Prefer reading quietly at your own pace? → https://links.sith2.com/Blog
Join us in The Cyber Sanctuary (no robes required) → https://links.sith2.com/Discord
Follow the human behind the microphone → https://links.sith2.com/linkedin
Need another way to reach me? That’s here → https://linktr.ee/rich.greene
You don't need to break a system if someone will simply open it for you. You don't need malware if a message feels urgent enough. And you don't need to be smarter than your target if you can make them rush. Most modern breaches don't start with code or something fancy. Sometimes they start with a simple conversation. Welcome to Plain Text with Rich. Today we're talking about phishing and social engineering. Let's start easy, as always. Let's start with some definitions. Phishing is when someone sends a message designed to trick you into doing something unsafe. Clicking a link, opening a file, typing a password, approving a login, sending money, just confirming details. We've all seen those before. And now social engineering is the bigger category. It's any tactic that uses psychology instead of technology to get a result. So if we think about that, phishing is one method. The real target is behavior. So when people say I got hacked, what they often mean is I got convinced. And that distinction matters because it explains why this keeps working. Phishing succeeds because it doesn't fit logic or fight logic. It sidesteps it. These attacks are built to trigger emotion first and thinking second. Usually one emotion at a time. And when we think about emotions, we're thinking of urgency, authority, fear, curiosity, greed, helpfulness, right? Things like do this now, I'm your boss, there's a problem, is this you? You've won something. Can you handle this quickly? Right? Once emotion is engaged, typically speed follows. And speed is where mistakes happen. And that's the design behind this. Phishing isn't about, it's not about fooling smart people. It's about catching normal people in normal moments. Now let's talk about how this shows up today because phishing, you know, as we move into 2026, doesn't look like it used to. Now, email is still common, but it's no longer the whole story. Text message phishing, or smishing, is everywhere.
Delivery notices, bank alerts, unpaid tolls, missing packages. Again, that's something I feel a lot of us listening to have probably already seen. We have voice phishing, or what you might hear as vishing. And this is using phone calls that sound official and calm. You might hear this from support desks, fraud departments, police departments, executives asking for a quick favor. Business email compromise or BEC targets organizations directly. Now, this is when attackers impersonate vendors or leadership and request payments or account changes or assistance in some capacity. And in these cases, no malware required. Again, just trust. And unfortunately, we also have MFA fatigue or multi-factor authentication fatigue. And I've mentioned MFA numerous times already, right? This is just repeated login prompts sent until someone just taps approve because they just want to make it stop. QR codes became really popular during the pandemic era because of COVID. It was easier to scan a QR code for menus and to place orders and everything, right? But this just became another attack vector. Scan a code, land on a fake login page, hand over credentials without ever seeing a link whatsoever. And of course, right, increasingly now AI is supporting a lot of these attacks. Better writing, more natural language, voice cloning, familiar tone. But overall, the goal hasn't changed. They want your actions, not so much your attention. So how do you defend against something designed to feel normal? Well, first off, you don't outsmart it. The goal here is to interrupt it.
unknown: Right?
SPEAKER_00: So if we were to throw you a plain tech starter kit, this is gonna be your anti-phishing starter kit, right? We're looking at practical, fast, and designed for real life. So step one, hey, pause for 10 seconds. Any message involving money, passwords, codes, downloads, or urgency, again, it earns a pause. Not to decide forever, but just to break the momentum. Again, phishing needs speed, but you don't have to give it any. Step two, again, verify using a second channel or an out-of-band channel. If a message asks you to click, don't. Go to the site yourself, open the app you already use, call a number you already trust. Again, never verify inside the same message. That's where the trap lives. Step three, we want to treat unexpected plus urgent as suspicious by default. Right? That combination does most of the work for attackers. Unexpected and urgent should slow you down, not speed you up. And if you have the ability to add a couple things into your starter kit, look at adding these. Inspect senders and destinations. Look really closely at domains. One extra letter matters. One character that looks slightly off matters. We all know a message can say one thing and link somewhere completely different. Never type passwords from links that you were sent, right? Open a new tab, go to the real site and log in there. Don't simply click on a link and then log in once you get there. As always, I'll find everywhere I can to throw this in there, but use a password manager. Again, not for convenience, but for detection. If it won't autofill, that's a signal. So just keep that in mind. Use strong multi-factor authentication methods, passkeys or hardware keys when possible. Authenticator apps over SMS when you have the choice, but at least the bare minimum, do whatever is afforded to you by that account or service. At work require two-person approval for money movements. And I mentioned this previously: wire transfers, vendor changes, payroll updates.
Look, no exceptions, right? I think for anything whatsoever, there should be a two-person approval for any important task, whatever you have. And always, always, always report phishing when you see it. Even if you didn't click it, your report might stop it for dozens of other people. A lot of people just delete the messages. Please report phishing if you think it is a phishing message. All right. Now the part though that everyone worries about, what if you already have clicked? First, hey, look, there's no shame. That's how this works. What matters is what happens next. All right. If it's a work device, tell security immediately. Don't try to hide it. Bad news doesn't get better with time. Here, speed beats silence. Change affected passwords, right, from a clean path, not the link, the real site. You want to check those MFA settings, make sure that the attackers didn't add their own inside of there. Look for email forwarding rules. That's usually a quiet persistence trick. If money was involved, make sure we escalate fast. Again, when it comes to money, minutes matter. Again, this isn't about perfection, it's about limiting damage and recovering quickly. As always, let's clear up a few myths really quick. Myth number one, phishing is obvious. The reality is bad phish is obvious. And we can all take a minute and think about all those emails we've seen over the years that want to, you know, change. They have millions of dollars in gold and they just need your assistance to get it out right. But nowadays, good phishing feels routine and it looks routine. Myth number two, I'd never fall for that. The reality is confidence is often the opening. Fatigue and time pressure do the rest. There's been plenty of times where I've been super busy and I'm just getting focused on work and my phone goes off and it's Amazon saying they can't deliver my package, right? Just always be aware. Myth number three, training solves phishing.
The reality is training can help, but really processes and safeguards actually stop it more. Security works best when it assumes humans will be busy, distracted, and helpful. All right. So if we give this a big wrap-up in plain text, phishing is about persuasion, not technology. The strongest defense isn't being smarter, it's being slower and having a verification habit. If you remember one thing, remember this: unexpected and urgent means pause and verify, every single time. If there's a security topic that you want broken down in plain text, send it my way. Email, DM, in the comments, doesn't matter. However you reach me, I will respond and I will read it. If this episode helped, share it with someone who'd actually benefit. This has been Plain Text with Rich. 10 minutes or less, one topic, no panic. I'll see you next time.