
Phishing: Why trusting your gut matters

Phishing remains the most prevalent cyber threat targeting businesses. Trusting your instincts and staying vigilant are key defences, and education helps prevent you from falling victim to these scams, as we discuss in this blog.


You might think cyber security is a sophisticated cat and mouse game between criminals and IT professionals.

Hackers sit hunched in dark rooms, staring at screens of green text and trying to penetrate the latest defences.

But that’s no longer true for the vast majority of cybercrime.

At an epidemic level, criminals are targeting people. That means you, your colleagues, your family, and your friends.

95% of all successful cyberattacks have a human element involved.

What can be done? Put simply, you need to trust your gut so that, when phishing is attempted, you know instinctively something isn’t right.

Getting to that point involves understanding the threat, and how to respond.

That’s what this article is about.

Here’s what we’ll cover:

Businesses are ripe for phishing

Phishing is a priority risk highlighted by Ireland’s National Cyber Security Centre (NCSC) and the Garda National Cyber Crime Bureau, which run public campaigns focused on phishing and ransomware each year.

In Ireland, the Central Bank of Ireland’s Payment Fraud Statistics reported €160 million in fraudulent payments in 2024, with online transactions accounting for over three‑quarters (77.4%) of total fraud value.

While this dataset covers payment fraud overall (not just phishing), phishing and social engineering are recognised entry points for many of these losses.

Official guidance from the National Cyber Security Centre (NCSC) consistently identifies phishing as one of the most common threats facing organisations and the public, and provides specific anti‑phishing guidance.

The NCSC (CSIRT‑IE) provides incident response to government and critical‑infrastructure operators and offers public guidance and contact details, but the public should report crimes to Gardaí in the first instance.

Irish authorities emphasise prompt reporting to Gardaí and your bank to improve outcomes and disrupt scams.

What is phishing?

Phishing is best understood as social engineering: criminals manipulate you into doing something you wouldn’t choose to do otherwise.

This might be clicking a link, opening an attachment, sharing a password, providing a one-time authentication code, or moving money out of your account and into that of the scammer. Often it’s all of these!

Phishing attempts can arrive by text, social media messaging, emails, or even actual physical letters that arrive at your address.

You might think you would never fall for anything like this. After all, you’re nobody’s fool, right?

BPFI FraudSMART research (a banking industry initiative) found that 78% of Irish adults are targeted with scam texts, emails or calls at least monthly, underscoring the scale of social engineering.

Phishing relies on your belief that the message comes from someone you trust. That familiar branding is weaponised to lower your guard:

  • A friend texting you having lost their mobile.
  • Your boss messaging you on WhatsApp, having set up a new account.
  • Your bank calling you out of the blue to say your account has been hacked.
  • Microsoft emailing to say your computer needs a vital security update.

In other words, phishing is fundamentally an exercise in extremely effective deception, rather than code-breaking.

Therefore, the most effective defences are human ones:

  • Slowing down.
  • Noticing inconsistencies.
  • Listening to that “this feels off” sensation.

Why phishing is so effective

Phishing isn’t new. It’s been around since the mid-1990s, when scams like AOHell targeted AOL users by impersonating staff.

That’s when it got its name – it took the ph- prefix from an earlier form of cybercrime known as phreaking, where hackers targeted the telephone infrastructure to get free calls.

The goal back in the mid-1990s was to harvest login passwords.

What’s changed since isn’t the psychology, but the scale and polish: spoofed websites involving flawless copycat branding, urgent pretexts, and – increasingly nowadays – AI-generated voice, text, images, or even video (including live video calls).

These are known as deepfakes, and scammers are always quick to exploit the very latest technologies.

The site they send you to will look exactly like your bank. The voicemail message you get will sound exactly like your colleague, family member or friend. The text message will seem to authentically have come from your bank, with the correct spoofed name or number.

Sometimes the scammers won’t request money directly but will request you buy online gift cards, and share the codes with them.

But the core pitch is the same, and has been since those AOL days: “Act now before something bad happens.” Recognising that pattern is half the battle.

What a phishing scam looks like

Here’s a real-world, worked-through example of what a phishing attempt on a business looks like.

1. The phishing hook

You get a text claiming to be from your business banking: “We’ve detected a suspicious payment. To secure your account, confirm here.”

There’s a link that looks right at a glance (e.g. santander-secure-bank.net).

Moments later, your phone rings. Caller ID displays your bank’s name.

The caller calmly references the text and quotes a “case ID.” They may even tell you some personal details like your address or date of birth – all harvested from vast hacker databases that are easily accessible.
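As an added, illustrative example (not code from the original post, nor from Sage or any bank), the short Python check below shows why a link such as santander-secure-bank.net can “look right at a glance” yet fail a simple test: the brand name is in the hostname, but the part of the domain that was actually registered is not the bank’s. The allowlist of genuine bank domains, the brand keyword list and the public-suffix table are assumed placeholders you would replace with your own organisation’s values; the sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Assumed placeholder: the domains your business genuinely uses for banking.
LEGITIMATE_BANK_DOMAINS = {"santander.example"}

# Assumed placeholder: brand words a scammer is likely to borrow in a lookalike hostname.
BRAND_KEYWORDS = ("santander",)

# Deliberately simplified public-suffix table (constructed); a real deployment
# would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname: the label that was actually
    bought from a registrar plus its suffix, e.g.
    'login.santander.co.uk' -> 'santander.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> dict:
    """Classify a link from a text or email as 'legitimate', 'lookalike' or 'unknown'.

    The key idea: only the registrable domain identifies the owner. Anything to
    the left of it (subdomains) and anything after the hostname (the path) can be
    chosen freely by whoever registered the domain.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    labels = host.split(".")

    if domain in LEGITIMATE_BANK_DOMAINS:
        verdict, reason = "legitimate", "registrable domain is on the allowlist"
    elif any(label.startswith("xn--") for label in labels):
        # Internationalised labels can hide look-alike characters; treat as suspect.
        verdict, reason = "lookalike", "hostname contains an internationalised (xn--) label"
    elif any(kw in host for kw in BRAND_KEYWORDS):
        verdict, reason = "lookalike", (
            "brand name appears in the hostname but the registrable domain is not the bank's"
        )
    else:
        verdict, reason = "unknown", "no brand name present; verify through a trusted channel"

    return {
        "url": url,
        "host": host,
        "registrable_domain": domain,
        "verdict": verdict,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed sample links, including the one from the scenario above.
    for sample in (
        "https://santander-secure-bank.net/confirm",
        "https://login.santander.example/",
        "http://santander.example.secure-login.net/",
        "https://example.com/invoice",
    ):
        result = classify_link(sample)
        print(f"{result['verdict']:10} {result['registrable_domain']:30} {result['reason']}")
```

The third sample illustrates the trick the scenario relies on: the genuine domain appears at the start of the hostname, but the registered domain is secure-login.net, so the page belongs to whoever registered that, not to the bank. A check like this is a useful teaching aid, but it is not a substitute for the advice later in the article: do not follow the link at all, and go to your bank through a route you already trust.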

2. Applying the pressure

The caller says funds are moving right now, and they need to “secure” your account.

They may steer you to a very professional login page that’s a perfect clone of the bank.

Once you log in, your phone pings – even though you’re still on the phone to the “bank” – and you find a one-time passcode has arrived.

You’re asked to read it out to them, “to verify security”.

Alternatively, you might be asked simply to log in to your banking using your usual link or app, and transfer money to a special “holding account” where it’ll be “secure” until the bank can fix the issue.

3. The compromise

If you enter credentials on the fake site, they’re captured instantly. If you read out a passcode (or approve a push notification) the scammers use it in real time.

And just like that, they have control of your bank account. It’s that easy.

If you transfer money yourself from your bank account to the scammer’s account, that’s authorised push payment (APP) fraud.

This is where victims are manipulated into sending funds themselves, and it’s easily one of Ireland’s most prevalent types of fraud.

4. The exit

The caller “ends the case” and thanks you for your vigilance.

You hang up and wipe a little sweat from your brow. Wow, that was close. Glad it’s sorted, though.

Minutes or hours later you see unauthorised transactions, or find that the “safe” account was the criminal’s.

Needless to say, if this happens in real life then you should call your bank immediately. Keep reading to find out how to do so.

What you could’ve done

The right move at the first sign of doubt – that feeling in your gut that something isn’t quite right – is to disconnect and contact your bank.

Ideally, call from a separate phone from the one you were called on.

Scammers can keep the line open on landlines, for example, making you think you’ve hung up when you haven’t.

They even play fake dial tones to make you think the line is free.

In Ireland, suspicious emails or texts should be reported to your bank, email provider, or An Garda Síochána.

Although this won’t provide instant feedback, it can help authorities close down the scammer accounts.

Advice for avoiding phishing scams for business

Here are some tips for keeping yourself and your business safe from phishing:

  1. Pause for thought: Urgency is a red flag. If it’s really your bank, it’ll still be true after a five-minute pause while you verify through your app or by dialling 159.
  2. Channel switch to verify: Don’t reply. Don’t click their link. To investigate, use a trusted route you ordinarily use, such as your banking app, your usual online banking bookmark, or the bank’s official phone number (e.g. the one on the back of debit and credit cards – but definitely not the one in the email you might’ve received!).
  3. Never, ever share a one-time passcode: One-time passcodes you receive through text messages or retrieve from an authenticator app should never, ever be shared – or even spoken aloud! It’s a prime way scammers authorise their frauds. If someone’s asking for one, stop. Nobody legitimate would ever do so. Similarly, if you get an authentication request out of the blue then don’t approve it.

Ensure you and your colleagues are educated with guidance from Ireland’s National Cyber Security Centre (NCSC), including practical resources for organisations and SMEs.

It’s an excellent and accessible resource.

But above all, never forget: We are all equipped with gut feelings, and when we listen they are a powerful defence mechanism.

Final thoughts

The online world is an amazing place, but increasingly, it’s a wild-west frontier where scammers exploit victims on a minute-by-minute basis.

Staying vigilant is key and, while this shouldn’t get in the way of your online activities, it should always be present.

Subscribe to the Sage Advice newsletter
