Phishing Happens: What I Learned the Hard Way About Cybersecurity

I’ve spent decades in security, physical and cyber, and I know what a phishing email looks like. Or at least, I thought I did.

A couple of weeks ago, I made a mistake. I clicked. I entered credentials. I got phished.

Now, before anyone panics… yes, we caught it quickly. Yes, we shut it down. No, nothing bad happened. But let me tell you why this incident has stuck with me and why I think it’s a wake-up call for every business, regardless of size or industry.

Because if I can fall for it? Anyone can.

The Setup Felt Real… Because It Almost Was

The email came from a project manager we’ve worked with many times before. We were actively engaged in a couple of jobs with their team, so getting a message from them wasn’t surprising. The branding was right. The sender name, domain and even the message style all checked out.

The email asked me to review a shared file – standard stuff. Click the link. Enter credentials to view the file.

And I did.

But something was off. Not immediately, but just enough to raise a flag. Thankfully, our internal systems and cybersecurity monitoring kicked in fast. We caught the breach attempt, reset everything immediately and confirmed that no data or systems were compromised.

Still, it got me. And that’s the point.

Trust Is the New Threat Vector

That’s the phrase I keep reminding myself of since this happened:
Trust is the new threat vector.

Cybercriminals are smart. They don’t just play the odds anymore—they’re playing the people. And when they can spoof a message from a vendor you know and trust, use legitimate URLs and time it perfectly to coincide with ongoing work… well, your guard can drop for just a second.

And that’s all it takes.

We rely on relationships in business. On trust. But in the digital world, that trust has to be earned every time. Just because you recognize the name, or the email address, or the logo doesn’t mean it’s safe.

Validate Before You Trust

Here’s what I should’ve done and what I’ve been doing every time since:

  • Double-check the context. Was I expecting a file from this person? If not, I should’ve confirmed with a quick call or separate email.

  • Hover over links. Does the URL look slightly off? Even one character can signal a spoofed domain.

  • Use multi-factor authentication. Even if credentials are compromised, a second layer of protection can stop the breach in its tracks.

  • Report it. Every phishing attempt should be flagged and shared internally so your team knows what to watch for.
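The “hover over links” and “one character off” advice above can also be automated on the receiving side. The following is an added example, not code from the post or from PSLA: it screens sender domains against a constructed list of trusted vendor domains, normalising common look-alike substitutions (rn for m, 1 for l, 0 for o) and flagging anything within one edit of a vendor you actually work with. The vendor list, the message samples and the `classify_sender` name are all assumptions made for the illustration.

```python
"""Flag sender domains that impersonate a trusted vendor by one character or a look-alike glyph.

Added illustration; TRUSTED_DOMAINS and SAMPLE_MESSAGES are constructed, not real data.
"""

import unicodedata

# Constructed: domains of partners we genuinely exchange files with (assumption).
TRUSTED_DOMAINS = {"example-pm.com", "builder-partners.net"}

# Character sequences that read like another letter in most fonts.
LOOKALIKE_SUBSTITUTIONS = (
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
)


def normalize(domain: str) -> str:
    """Lower-case, Unicode-fold and collapse look-alike sequences so 'exarnple' compares as 'example'."""
    folded = unicodedata.normalize("NFKC", domain).lower().strip(".")
    for lookalike, real in LOOKALIKE_SUBSTITUTIONS:
        folded = folded.replace(lookalike, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), standard dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike:<vendor>' or 'unknown' for an e-mail address."""
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for vendor in sorted(TRUSTED_DOMAINS):
        if norm == normalize(vendor) or edit_distance(norm, normalize(vendor)) <= 1:
            return f"lookalike:{vendor}"
        # The vendor name embedded in an unrelated registrable domain is also a red flag.
        if vendor in domain:
            return f"lookalike:{vendor}"
    return "unknown"


def screen_messages(messages):
    """Attach a verdict to each (sender, subject) pair; review anything not 'trusted' before clicking."""
    return [(sender, subject, classify_sender(sender)) for sender, subject in messages]


# Constructed sample inbox: one genuine vendor message and several impersonations.
SAMPLE_MESSAGES = [
    ("pm@example-pm.com", "Shared file: site plan rev 4"),
    ("pm@exarnple-pm.com", "Shared file: site plan rev 4"),
    ("pm@example-pn.com", "Please review the attached"),
    ("pm@examp1e-pm.com", "Document waiting for you"),
    ("files@example-pm.com-share.test", "Document waiting for you"),
    ("alice@randomcorp.org", "Lunch next week?"),
]

if __name__ == "__main__":
    for sender, subject, verdict in screen_messages(SAMPLE_MESSAGES):
        print(f"{verdict:28} {sender:36} {subject}")
```

A check like this belongs in the mail gateway or a transport rule, where it can tag the message before a busy reader ever hovers over the link; it complements, rather than replaces, the out-of-band phone call the post recommends.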

It’s not about shame or blame. It’s about improving awareness. Mistakes happen—but how you respond matters more than pretending you’re immune.

Cybersecurity Can’t Be One Person’s Job

This experience reminded me that cybersecurity isn’t just the IT department’s job. It’s not just something your MSP (Managed Service Provider) handles. It’s not just a line item or a compliance checkbox.

It’s a culture.

At PSLA, we treat cybersecurity the same way we treat physical security: it’s everyone’s job. Whether you're in operations, sales, marketing or leadership, you’re part of the defense strategy.

We also make sure our clients know that cybersecurity is an ecosystem. It’s not enough to have strong internal systems. If your partners, vendors, or third-party tools have weak links, you inherit those vulnerabilities too.

Why Small and Midsize Businesses Are Big Targets

One of the myths I hear all the time is that “we’re too small to be a target and I have nothing to steal.” Let me tell you – you’re not and you do.

Cybercriminals aren’t going after only Fortune 500 companies. They’re targeting the small and midsize businesses who:

  • Use cloud-based tools without proper configuration

  • Don’t have formal cybersecurity training

  • Can’t afford a full-time security team

Sound familiar?

That’s why we created Cyber Covenant. To give small businesses a way to access enterprise-level protection without enterprise-level cost or complexity. It’s proactive monitoring, staff education and vulnerability management designed for real-world environments like yours.

My Mistake, Your Takeaway

I’m sharing this story not because I’m proud of it, but because it’s real. This is what phishing looks like now. It’s clean. It’s clever. And it’s personal.

So what can you do today?

  • Review your anti-spoofing settings and email filters.

  • Make sure your employees know how to spot suspicious messages.

  • Encourage a culture where it’s okay to slow down, double-check and report things that feel off.

  • Have a response plan. Not “if,” but when something slips through.
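“Review your anti-spoofing settings” usually means reading your domain’s SPF and DMARC records, and the weak settings are easy to miss by eye. The following is an added example, not code from the post or from PSLA or Cyber Covenant: it parses SPF and DMARC TXT record strings and lists the settings that still let a forged message through, with a constructed weak record beside a constructed hardened one. The record values, domain names and function names are assumptions made for the illustration; the tag names (`v`, `p`, `sp`, `pct`, `rua`, `all`, `include`) are the standard ones from the SPF and DMARC specifications.

```python
"""Grade SPF and DMARC records for the weak settings a spoofing review should catch.

Added illustration; the record strings below are constructed, not real DNS data.
"""

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style DMARC record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def review_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means nothing obviously weak."""
    findings = []
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host can claim to send as this domain"]
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders are neither failed nor softfailed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' passes every host; use '-all'")
        elif qualifier == "?":
            findings.append("'?all' is neutral; use '-all'")
        elif qualifier == "~":
            findings.append("'~all' only softfails; prefer '-all' once legitimate senders are listed")
    lookups = 0
    for term in terms:
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10; receivers will return permerror")
    return findings


def review_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means policy is enforced and reported."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: SPF/DKIM results are never enforced"]
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only monitors; move to p=quarantine or p=reject")
    elif policy == "quarantine":
        findings.append("p=quarantine is reasonable; p=reject is stronger")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports showing who spoofs you")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


# Constructed records: the weak setting beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.example.test ~all"
STRONG_SPF = "v=spf1 include:_spf.example.test -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test"

if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, review_spf), ("strong SPF", STRONG_SPF, review_spf),
                           ("weak DMARC", WEAK_DMARC, review_dmarc), ("strong DMARC", STRONG_DMARC, review_dmarc)):
        print(label, "->", fn(rec) or ["ok"])
```

Run it against the TXT records your DNS provider shows for your own domain; a `p=none` DMARC policy is the single most common reason a vendor’s name can be used to address you exactly as the post describes, because it asks receivers to report forgeries but not to stop them.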

And most importantly, remember: It can happen to anyone. So don’t let shame keep you from staying vigilant. Let it motivate you to build stronger habits and better systems.

Gary Hoffner

Gary Hoffner is the Vice President of PSLA Security, also known as Photo-Scan of Los Angeles.

https://www.linkedin.com/in/gary-hoffner-49a04b1a/