Even the Watchful Can Blink: Lessons from a Phishing Attempt

Recently, I encountered a phishing attempt. The good news is that thanks to layered protections, no sensitive data was compromised. All systems and accounts were secured within minutes, the right parties were notified, and the gap was closed.
Here is the part that is hard to admit: I fell for a phishing link.
I have spent years writing about how phishing works. I know the warning signs, the tricks, and the bait. I know how to avoid them. Yet at the wrong moment, I fell for one. That is how phishing works. It does not just attack systems. It attacks people. Even the vigilant can be caught off guard.
Could it have been avoided? Absolutely! I had always relied on my IDmelon security key for login protection. But after switching smartphones, I delayed setting it up on the new device and temporarily relied on legacy MFA instead. That day, the fake login page looked like a simple expired session. If my passkey had been active on my new smartphone, the attempt would have failed instantly.
That is the real lesson. Tools that are resistant to phishing, such as passkeys and FIDO security keys, stop these attacks before they even begin. It is why we build IDmelon the way we do: to give people protection that does not rely on perfect vigilance.
I am sharing this because sweeping it under the rug helps no one. Phishing can happen to anyone, even those of us who write and talk about it every day and build tools to prevent it. Security is not a one-time checkbox. It is a daily practice, and sometimes a humbling reminder that none of us are immune and of why IDmelon builds the tools it does.
We have reinforced safeguards, updated processes, and sharpened training. Most importantly, we are choosing transparency.
If you have ever clicked on the wrong link and felt embarrassed, you are not alone. Even the watchful can blink. What matters is what happens after. For us, it means moving forward stronger, sharper, and more committed to protecting against phishing. And if this experience prompts even one person to turn on a passkey or dust off their security key, it will have served a purpose.