I got phished, twice.
Getting phished, due to feature differences and habits
I’m cybersecurity-trained, so it’s a little embarrassing to admit, but I’ve been phished twice (that I can recall). Once a couple of years ago, and once just this week (through an internal phishing campaign).
A few years ago, I got my crypto wallet drained. It was an email that asked me to claim some free tokens within a limited time. I was rushing out, already late, and mindlessly clicked through approving transactions without really thinking. By the time I had a few transaction approvals in, I realised I had fallen for it: rather than getting free tokens, I was sending mine out.
This week, an event activity showed up in my Teams app. It was an event set for tomorrow, about a compensation review. I’ve only just started in the last two months, and the “External” email warning sign was there. But none of that stopped me; I went right ahead and clicked the links embedded in it without thinking. The moment the URL showed up in my browser, I knew.
I’ve mainly been using Google for personal emails and for work, and in July 2022 they added a feature to prevent spam by adding only invitations from known senders to your calendar. Read about it here.
I remember this feature very clearly, because in 2025 a friend sent me an event invite to my personal email. Nearer to the date, I was asked if I was coming, as I had not yet RSVPed. A quick look at my calendar turned up nothing; the invite was buried amongst my emails! The feature was enabled on my account, and since I had never interacted with my friend’s email address before, it was treated as an unknown sender.
Unfortunately, Outlook doesn’t have an equivalent feature[1]. You can disable automatic processing, but that prevents internal invites from getting processed too, or you can set up mailbox rules, or get it set at an administrative level.
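One way to do it at the administrative level, as an added example that is not from the original post: an Exchange Online mail flow rule that matches calendaring messages from outside the organization and tags them before they reach the mailbox. It assumes Exchange Online with the ExchangeOnlineManagement module and an account that can manage transport rules; the rule name, subject prefix and header name are my own choices.

```powershell
# Added example: tag external meeting invitations with a mail flow rule.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account has the Transport Rules role. Rule name, prefix and header are
# illustrative values chosen for this example.

Connect-ExchangeOnline

$ruleName = 'Tag external calendar invites'   # hypothetical rule name

# Match only meeting-request traffic that originates outside the tenant.
# -Mode Audit records matches without changing mail; switch to Enforce
# once the reports look right.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -MessageTypeMatches Calendaring `
    -PrependSubject '[EXTERNAL INVITE] ' `
    -SetHeaderName 'X-Example-External-Invite' `
    -SetHeaderValue 'true' `
    -Mode Audit `
    -Comments 'Flag meeting requests from external senders so the invite itself carries the warning.'

# Check the rule was created with the expected conditions and actions.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, MessageTypeMatches, PrependSubject

# Review the rule's audit hits before enforcing it.
Get-MailDetailTransportRuleReport -TransportRule $ruleName -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object Date, SenderAddress, RecipientAddress, Subject

# When satisfied:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

The prefix rides on the meeting request itself, so the marker stays with the invite rather than only on the email banner; confirm in Audit mode that internal invites are not matched before switching to Enforce.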
In both cases, it was driven by self-interest and some urgency (free tokens, and a compensation review set for the next day). But what really got me is my mental model of how things should work.
When things don’t work as you expect (and in my case I had direct experience with the Google anti-spam event feature), even with all the red flags, you might still fall for it.
To me, event invites only appeared when they were from known senders, but by default Outlook doesn’t work that way (it adds them all). The external warning banner was there, I saw it, but the fact that an invite was on my calendar? I took it as safe.
Footnotes
1. As of 2026-03-27