I'm Sammy Lackey, and I run SammIT out of Arlington (22202). I do IT support on-site and remote across Northern Virginia, and I'll tell you straight: the calls that hurt the most aren't the dead hard drives. They're the ones where a real person, on a normal Tuesday, clicked one email and wired money to a stranger. Phishing rarely breaks down the door — it gets buzzed in by someone just trying to do their job. So let's talk about how to spot one before it costs you.
Phishing in plain English
Phishing is a message — email, text, sometimes a phone call — built to make you act fast and stop thinking. The goal is your password, your money, or a quiet foothold in your systems. It works because it impersonates someone you trust: your bank, a vendor you pay every month, Microsoft, or your own boss. The Nigerian-prince era is over. Today's phishing copies a real invoice or a real login page well enough that nothing looks wrong until the money's gone.
The concrete tells
Here's what I check, in order, every single time.
The sender address, not the sender name. Anybody can type "Dominion Energy" or your bookkeeper's name into the "From" field. Click or tap the actual address. `billing@dominion-energy-secure.com` is not Dominion. A Gmail address signed as your CPA is not your CPA. The display name lies; the address usually doesn't.
Manufactured urgency. "Your account will be suspended in 24 hours." "Pay this today or service stops." "I need this handled before my flight boards." Real vendors and real bosses give you room to breathe. Pressure to act right now is the single most reliable phishing tell there is.
Links that don't go where they say. Hover over a link before you click (on a phone, press and hold to preview the destination). The blue text might read "Microsoft365.com" while the real address is a jumble of characters on a domain you've never seen. If the domain doesn't match the company, don't click — type the real address into your browser yourself.
Unexpected attachments. A .zip, a loose .html file, or an Office doc that nags you to "Enable Editing" or "Enable Content" before it'll show anything — that prompt exists to switch off the protection that's blocking the malware. If you weren't expecting a file, don't open it.
Any change to payment details. This is the big one for businesses. An email saying a vendor's bank info or account number has "updated" — treat it as fraud until you've confirmed it by phone. Same with a sudden request to pay by gift card, wire, or crypto. Legitimate businesses do not get paid in Apple gift cards.
Tone that's almost right. A greeting that's a touch too generic ("Dear Customer"), grammar that's slightly off, or a request that's a little out of character for the person sending it. Trust the hunch. If something feels off, it usually is.
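Here is the sender, urgency and link checks from the list above turned into a small script, as an added example that is not part of this post. It uses only Python's standard library; the phrase list, the sample message and the expected-domain map (dominionenergy.com, microsoft.com) are constructed for illustration and are assumptions, not data from the post.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Pressure and payment phrases from the tells above (constructed list; extend it for your own inbox).
PRESSURE = re.compile(r"suspended in 24 hours|pay this today|before my flight|bank details|gift card", re.I)
class _Links(HTMLParser):
    """Collect (visible text, href) pairs so link text can be checked against the real destination."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _host(s):
    # Lower-cased hostname of a URL or a bare domain, minus any leading "www."
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").removeprefix("www.")

def _same_site(host, expected):
    return host == expected or host.endswith("." + expected)  # login.example.com belongs to example.com

def phishing_tells(from_header, html_body, expected_domains):
    """Return the tells found in one message; expected_domains maps display-name text to the real domain."""
    tells = []
    name, addr = parseaddr(from_header)
    sender = addr.rpartition("@")[2].lower()
    for who, domain in expected_domains.items():            # display name vs the actual address
        if who in name.lower() and not _same_site(sender, domain):
            tells.append(f"display name '{name}' but address is on {sender}")
    if PRESSURE.search(html_body):                          # urgency, or a change in how you pay
        tells.append("pressure to act now or to change payment details")
    parser = _Links()
    parser.feed(html_body)
    for label, href in parser.links:                        # link text vs where it really goes
        if "." in label and not _same_site(_host(href), _host(label)):
            tells.append(f"link reads '{label}' but goes to {_host(href)}")
    return tells
# Constructed sample modelled on the fake-invoice scenario; not a real message.
SAMPLE_FROM = "Dominion Energy <billing@dominion-energy-secure.com>"
SAMPLE_BODY = ('<p>Your account will be suspended in 24 hours. Our bank details have updated. '
               'Sign in at <a href="http://login.example.net/x">Microsoft365.com</a>.</p>')
SAMPLE_EXPECTED = {"dominion": "dominionenergy.com", "microsoft": "microsoft.com"}  # assumed domains
```

Run `phishing_tells(SAMPLE_FROM, SAMPLE_BODY, SAMPLE_EXPECTED)` and all three tells come back; a message from the expected domain whose link text matches its destination returns an empty list.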
What this actually looks like around here
The fake invoice. A small contractor in Falls Church gets a PDF invoice that matches a supplier they really use — right logo, right layout, right amount. The only change is the "remit to" account number. Pay it once and the money's gone, and the real supplier still wants paying. The tells were the new banking info and a sender domain one letter off from the real vendor's.
The "boss" gift-card ask. You're at a small office near the Ballston Metro and a text lands: "You in the office? Stuck in a meeting — grab five $100 Amazon gift cards for client gifts and send me the codes, I'll pay you back." It's signed by the owner. It is never the owner. Real bosses don't run errands by gift-card code over text. The move is to call them on the number you already have — never reply to the message.
The "Microsoft" login. An email or pop-up says your Microsoft 365 mailbox is full or your password expired, with a tidy sign-in page waiting. You type your password into the fake page, and within hours someone is reading your mail and emailing your clients fake invoices from your own address. That's how one compromise becomes ten.
What to do when one lands
Don't click, don't reply, don't open the attachment.
Verify on a channel you already trust. Bank info changed? Payment requested? Call the vendor or the person at a number you already have on file — never the number or link in the suspicious message.
If you already clicked or entered a password, move fast: change that password from a different device, turn on two-factor authentication, and call your bank if money or payment details were involved. Speed matters more than embarrassment. Nobody's judging — these are well-built traps that catch sharp people every day.
Report and delete. In Outlook or Gmail, use "Report phishing" so the next one in your inbox gets filtered. Then delete it.
The best defense isn't a single gadget — it's a habit, plus a few settings done right. If you want the whole picture, my small business cybersecurity checklist for NoVA walks through the basics, and if you'd rather have a second set of eyes on your actual setup, that's exactly what a cybersecurity audit is for.
And if one of these landed and you're not sure what you touched — call me at 571-680-5334. I'll tell you straight whether you're fine or whether we've got work to do. No fear-mongering, no upsell. Just a neighbor who does this for a living.
— Sammy