Okay, so you clicked it. A random button on a stranger's GitHub page that said "CLICK ME" in big glowing text. And now you're here, reading this.
I want you to sit with that for a second. You had zero idea what was on the other end of that link. You didn't know if it was going to open a download, redirect you seventeen times, fire off a tracking pixel, or land you on a page that looked exactly like your bank's login screen.
You clicked anyway. And here's the thing — so would I. That's not me throwing shade at you. That's me pointing at one of the most underestimated problems in all of cybersecurity: humans are wired to click. The data backs this up in ways that should make all of us a little uncomfortable.
The Numbers Don't Lie
Before we get into the mechanics, let me show you the scale of the problem. I pulled this from four major annual reports — IBM's Cost of a Data Breach, Verizon's Data Breach Investigations Report (DBIR), the Anti-Phishing Working Group (APWG), and Proofpoint's State of the Phish. These are the gold standards for breach data.
97 seconds. That's the median time it takes for someone in an organization to click a phishing link after it arrives. Not because they're dumb. Because they're busy — and attackers time their sends to exploit exactly that.
Healthcare and finance consistently show the highest click rates in simulated phishing tests — not because those employees are less intelligent, but because their workflows involve constant urgency, high email volume, and time-sensitive actions that attackers mirror perfectly in their lures.
The volume of phishing sites more than quadrupled between 2019 and 2023. The brief dip in 2024 correlates with increased takedown cooperation between registrars and threat intelligence firms — but security researchers are cautious about reading it as a long-term trend. [2]
The Click Is the Whole Attack
People think hacking looks like someone in a dark room typing furiously into a terminal while a skull flashes on screen. Hollywood really did a number on all of us. In reality, the majority of successful cyberattacks begin with something stupidly simple: a link you clicked, an attachment you opened, or a form you filled out.
The technical term is social engineering — manipulating people instead of machines. And it's devastatingly effective because it bypasses every firewall, every antivirus, every zero-trust policy you've got. It goes straight for the one thing security software can't fully patch: your brain.
According to Verizon's 2024 DBIR, 74% of all breaches involve the human element — either through social engineering, errors, or misuse of privilege. The percentage has remained stubbornly consistent for over five years, suggesting that technology improvements alone aren't solving the problem. [3]
What's Actually in a Link
When you click a hyperlink, you're doing more than just "going somewhere." You're initiating an HTTP request that carries your IP address, browser type, operating system, screen resolution, language preferences, and a list of identifiers that together form a browser fingerprint. Without logging in to anything. Without a cookie. Just by showing up.
That terminal output is illustrative — but the data fields are real. That's what a server receives with every single request. Most of the time it's used for boring ad targeting. In the wrong hands, it's reconnaissance: your rough location, your software stack, and in this case, the exact GitHub profile you came from.
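To make those fields concrete, here is an added example (mine, not the post's own terminal output) that parses a constructed raw HTTP request the way a server would and pulls out the passively observable profile; the hostname, addresses, User-Agent and Referer values are made up for illustration.

```python
import hashlib
from typing import Dict

# Constructed sample: a raw HTTP/1.1 request of the kind a server receives when
# a visitor follows a link. Host, addresses and Referer are made-up values.
SAMPLE_REQUEST = (
    "GET /click-me HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) "
    "Gecko/20100101 Firefox/124.0\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Referer: https://github.com/example-user\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Dict[str, str]:
    """Split the request head into a dict keyed by lower-cased header name."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields = {"request-line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


def passive_profile(headers: Dict[str, str], peer_ip: str) -> Dict[str, str]:
    """What the server learns from one request, before any login or cookie."""
    ua = headers.get("user-agent", "")
    lang = headers.get("accept-language", "")
    if "Windows" in ua:
        os_name = "Windows"
    elif "Mac OS X" in ua:
        os_name = "macOS"
    else:
        os_name = "unknown"
    browser = "Firefox" if "Firefox/" in ua else "Chrome" if "Chrome/" in ua else "unknown"
    return {
        # A reverse proxy passes the client address along; else use the socket peer.
        "ip": headers.get("x-forwarded-for", peer_ip),
        "os": os_name,
        "browser": browser,
        "language": lang.split(",")[0],
        "came_from": headers.get("referer", "(none)"),
        # Hash of the passively visible fields: a crude but stable fingerprint.
        "fingerprint": hashlib.sha256(f"{ua}|{lang}".encode()).hexdigest()[:16],
    }


if __name__ == "__main__":
    for k, v in passive_profile(parse_request(SAMPLE_REQUEST), "198.51.100.9").items():
        print(f"{k:12} {v}")
```

The Referer line is the one that names the page you came from; whether a browser sends it at all is governed by the linking site's Referrer-Policy header.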
The Anatomy of a Phishing Attack
Let me walk you through how a real phishing campaign works, because it's more deliberate and more patient than people imagine.
Step 1 — Reconnaissance
Before a targeted attacker sends you anything, they've already googled you. Your LinkedIn tells them where you work and who your boss is. Your GitHub tells them what technologies you use. Your Twitter/X tells them what you care about. Every public post is data they can use to craft a convincing lure.
Step 2 — Building the Pretext
A pretext is the fake story wrapped around the attack. Good pretexts don't feel like attacks — they feel like interruptions to your normal day. "Your invoice is attached." "Your package couldn't be delivered." "Someone tried to access your account." They're built around urgency, authority, or fear, because those emotions short-circuit your analytical brain.
In 2020, Twitter employees were targeted via phone calls from fake "IT support." The caller had enough internal knowledge to sound completely legitimate, and convinced employees to hand over credentials to Twitter's internal admin tools. Result: 130 high-profile accounts compromised including Barack Obama and Apple — from a single convincing phone call. [5]
Step 3 — The Hook (That's You, Right Now)
The link, the button, the attachment — this is the moment the trap closes. But here's what's interesting: the click itself often isn't even the most dangerous part. It's what the click leads to.
Landing pages for credential phishing are genuinely scary good now. Adversary-in-the-middle (AiTM) proxies create real-time mirrors of login pages — Office 365, Google, your bank — complete with valid SSL certificates. When you type in your password, it gets forwarded to the real site so you don't notice anything went wrong. You just logged in, same as always. Except now someone else has your credentials too. [6]
Step 4 — Dwell Time Is the Real Threat
Most people imagine getting hacked as a dramatic, immediate event. The reality is usually the opposite. Serious attackers do nothing visible for weeks.
194 days. Someone who gains access today — from a single credential harvest — may read your emails quietly for over six months before anyone knows. Not because they want to read your emails. Because they're mapping your organization, waiting for a wire transfer request that won't seem unusual, or looking for credentials to higher-privilege systems.
Why Smart People Fall for This
There's a narrative that security awareness training loves to push: people who get phished were careless or dumb. That's not just unhelpful — it's factually wrong, and the data bears this out.
Psychologists call this cognitive load exploitation. The more mentally occupied you are, the more you rely on automatic "System 1" thinking rather than deliberate "System 2" analysis. Sending phishing emails on Monday mornings or right before holidays isn't accidental — those are peak cognitive load moments. This framework comes from Kahneman's Thinking, Fast and Slow, and attackers operationalize it daily. [7]
Security researchers get phished. Employees at cybersecurity companies get phished. The common factor isn't intelligence — it's context and timing. When you're juggling twelve tabs and a message arrives that fits perfectly into your current mental model of your day, your brain pattern-matches and acts. That's not a flaw. That's your brain doing exactly what it evolved to do.
What You Can Actually Do About It
Enough doom. Here's the practical part. I'm not going to tell you to "be more careful" because that's useless advice. I'm going to give you actual habits that make a measurable difference.
- Use a password manager. 1Password, Bitwarden, Dashlane — pick one. If every account has a unique random password, a single credential theft can't cascade into everything you own.
- Enable hardware MFA where possible. A YubiKey or passkey is phishing-resistant in a way SMS and TOTP codes are not. AiTM attacks can intercept a 6-digit code in real time. Hardware keys use a challenge-response protocol that cannot be replayed. [6]
- Hover before you click. In desktop browsers, hovering over a link shows the actual destination URL in the status bar. Takes one second. Becomes automatic with practice.
- Treat urgency as a red flag, not a prompt. Legitimate systems give you time. "Your account will be deleted in 24 hours unless you verify NOW" is almost always a manipulation designed to stop you from thinking.
- Go direct, not through the link. If an email claims to be from your bank, open a new tab and type the URL yourself. Takes 15 seconds. Bypasses the entire attack vector.
- Check suspicious links before clicking. Paste any URL into urlscan.io or VirusTotal first. Both are free and extremely accurate.
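Why an AiTM proxy can relay a 6-digit code but not a hardware-key assertion, the point made in Step 3 and in the hardware-MFA item above, as an added example that is not from the post: a toy relying party and authenticator in Python. HMAC over a shared key stands in for the security key's public-key signature, and both origins are constructed look-alikes; what the example demonstrates is the origin binding, not the primitive.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed origins: the legitimate login page and a look-alike proxy domain.
REAL_ORIGIN = "https://login.example.test"
PHISH_ORIGIN = "https://login.examp1e.test"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 6-digit code (HMAC-SHA1). Nothing in it names the site."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def aitm_relays_totp(user_secret: bytes, now: int) -> bool:
    """User types the code into the proxy's cloned page; the proxy forwards it."""
    typed_into_phish_page = totp(user_secret, now)
    # The real site only compares digits, so the relayed code is accepted.
    return typed_into_phish_page == totp(user_secret, now)

def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """A security key signs the challenge together with the origin the browser
    reports. HMAC stands in here for the real public-key signature."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()

def relying_party_verify(key: bytes, challenge: bytes, signature: bytes) -> bool:
    """The real site verifies against its own origin, never the proxy's."""
    expected = authenticator_sign(key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, signature)

def aitm_relays_webauthn(key: bytes) -> bool:
    """Proxy relays the real challenge, but the browser signs for the origin it
    is actually on (the phishing domain), so the assertion does not verify."""
    challenge = secrets.token_bytes(32)
    signature = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return relying_party_verify(key, challenge, signature)

def legitimate_webauthn(key: bytes) -> bool:
    """Same flow from the real origin: the assertion verifies."""
    challenge = secrets.token_bytes(32)
    return relying_party_verify(key, challenge, authenticator_sign(key, challenge, REAL_ORIGIN))
```

In real WebAuthn the origin is carried in clientDataJSON and the RP ID hash in authenticatorData, both covered by the signature; the relying party's check is the same shape as `relying_party_verify` here.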
If your organization hasn't done a simulated phishing test, advocate for one. Research from Proofpoint shows that organizations that run regular simulated phishing campaigns reduce click rates by up to 64% within 12 months. You can't fix a behavior you can't measure. [1]
The Bigger Point
You came here because you clicked a random button on the internet. And I don't say that to make you feel bad — I say it because it's the perfect illustration of something the security industry consistently gets wrong.
We've spent decades building better walls, better locks, better detection systems. And attackers just knocked on the front door and asked nicely. The human layer is the most attacked layer precisely because it gets invested in the least.
Knowing this doesn't make you bulletproof. But it makes you significantly harder to hit. You'll notice the urgency manipulation. You'll pause before entering credentials somewhere unfamiliar. You'll hover over that link.
And occasionally, when you see a giant button that says "CLICK ME" — you might just stop and think for half a second before you do it.
Or you'll click it anyway and end up reading a security blog. Which honestly, same result.