An updated 2026 version of Warren’s original whedo.it guide. Real client story, real five checks.
Cybercrime is now an estimated $10.5 trillion a year industry globally — bigger than the GDP of every country on earth except the US and China. Microsoft alone blocked 8.3 billion phishing emails in Q1 2026. The lures look better than they ever have: generative AI has killed the “watch for bad English” advice that anchored a decade of training. Five practical checks below, plus the real client story that prompted Warren to write the original version of this guide in 2017 — with a $7,500 lesson attached.
A client of the business received what looked like a routine email from a regular supplier — the supplier had “updated their bank details” for an upcoming invoice payment. The letterhead matched. The email address matched. The signature matched. The client transferred $7,500 to the new account. Two days later the real supplier called asking where the money was. The criminals had compromised the supplier’s email account, watched the conversation for weeks, picked the moment, and rerouted the payment to a mule account. Money gone. This is Business Email Compromise (BEC) — the most expensive type of phishing on the books, and the one the five checks below are specifically designed to catch.
The display name (the bit in big text) is just a label the sender chooses. The real giveaway is the email address in angle brackets. An address at whedo.it is whedo.it. The same address with a hyphen, or with a tacked-on suffix, is someone else. On a phone, tap the sender name to expand. On desktop, hover over it. If the address looks even slightly off, treat the whole email as hostile until you’ve verified through a separate channel.
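The same check can be automated at a mail gateway or in a triage script. The sketch below is an added example, not whedo.it's own tooling: it classifies a From: header by its real address, and the allow-list, the function name `classify_sender` and the sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: the domains you actually do business with.
TRUSTED = {"example.com"}

def _squash(value):
    """Drop separators so hyphenated and suffixed variants compare alike."""
    return value.replace("-", "").replace(".", "")

def classify_sender(from_header, trusted=TRUSTED):
    """Classify a From: header by its real address, not its display name."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    for good in trusted:
        # Exact domain, or a genuine subdomain of it.
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in trusted:
        # 'exam-ple.com' and 'example.com.payments.test' both squash to
        # a string that contains 'examplecom'.
        if _squash(good) in _squash(domain):
            return "lookalike"
    for good in trusted:
        # The label borrows the trusted name; the address is elsewhere.
        if good in display.lower():
            return "display-name-mismatch"
    return "unknown"

# Constructed sample headers, one per outcome.
SAMPLES = [
    "Accounts <accounts@example.com>",
    "Accounts <accounts@exam-ple.com>",
    "Accounts <accounts@example.com.payments.test>",
    '"example.com Accounts" <billing@mailer.test>',
    "Newsletter <news@other.test>",
]

def audit(headers):
    """Return {header: verdict} for a batch of From: headers."""
    return {h: classify_sender(h) for h in headers}

if __name__ == "__main__":
    for header, verdict in audit(SAMPLES).items():
        print(f"{verdict:22} {header}")
```

Anything other than "trusted" on a message that claims to come from a known supplier is a reason to verify through a separate channel before acting on it.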
On desktop, hover any link without clicking — the actual destination URL appears in the bottom-left of your browser. On a phone, long-press the link to see where it really goes. If the link text says microsoft.com but the actual URL is microsoft-365-billing.helpdesk-secure.ru, the email is phishing. This single habit catches about 80% of credential-stealing attempts before any damage is done.
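The hover check can also be run over an HTML email body before anyone clicks. This is an added example, not part of the original guide: it compares the host a link's visible text names against the host in its `href`, using the microsoft.com case from the paragraph above. The function name `mismatched_links` and the sample body are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A host name inside visible link text, with or without a scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html_body):
    """Return (claimed host, real host) for links whose text names one
    host while the href goes to an unrelated one."""
    parser = LinkAudit()
    parser.feed(html_body)
    parser.close()
    findings = []
    for text, href in parser.links:
        shown = HOST_RE.search(text)
        real = (urlsplit(href).hostname or "").lower().removeprefix("www.")
        if not shown or not real:
            continue  # text names no host, or href is mailto:/relative
        claimed = shown.group(1).lower().removeprefix("www.")
        if real != claimed and not real.endswith("." + claimed):
            findings.append((claimed, real))
    return findings

# Constructed sample body; the first link is the case described above.
SAMPLE = """
<a href="https://microsoft-365-billing.helpdesk-secure.ru/login">microsoft.com</a>
<a href="https://login.microsoft.com/">https://microsoft.com</a>
<a href="https://example.org/help">Click here</a>
"""
```

Links whose text names no host at all ("Click here") are skipped here, so this catches the disguised-link case only and still leaves the manual hover check in place for everything else.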
“Your account will be suspended in 24 hours.” “Sign this NOW.” “The boss wants this transfer done before close of business.” Urgency is the manipulation, every time. Genuine business doesn’t need you to skip verification. If an email is pushing you to bypass a normal check (call to confirm, get a second sign-off, wait until tomorrow), that pressure IS the warning sign. Legitimate suppliers never mind a 60-second call to confirm a banking change. Criminals do.
If you weren’t expecting the attachment, don’t open it — even if it’s from someone you know (their account may be compromised). Microsoft Office files asking you to “Enable Content” or “Enable Macros” are an immediate red flag. PDFs with embedded forms asking for login credentials are phishing. ZIP files containing executables are almost always malware. When in doubt, call the sender on a known phone number (not one in the email) and ask if they meant to send it.
This is the rule that would have saved the $7,500. Any change to bank details, payment terms, or where money goes — verbal verification via a known phone number, always. Not the number in the email (the criminals control that). The number on the supplier’s actual website, or the number you’ve called for years. Two minutes on the phone catches the most expensive class of phishing every time. Whedo.it builds this into client training as standard: never change a payment instruction via email alone, ever.
The five checks above are user-side. The other half of the answer is technical — turn the tenant into a hostile environment for phishers before the email ever reaches an inbox.
Want the downloadable one-pager version? The original 2017 PDF is still hosted on the old site — download here — for distribution to your team. Updated 2026 PDF available on request.
30 minutes, your environment, no deck. whedo.it walks your email-security posture with you and tells you what it would take to lock it down properly. SPF, DKIM, DMARC, Safe Links, Safe Attachments, Conditional Access, and quarterly phishing-simulation training — the full stack, configured.
No deck, no pitch — walk your environment with a senior Australian practitioner. Confidential by default.
I built this business because I wanted to do managed services properly — for a small number of clients, at a senior level, with the same person on the end of the phone every time. The work is too important and the stakes are too high for anything less.
Behind the formal qualifications: a Cyber Security degree from the University of the Sunshine Coast, currently working on my Master’s, plus a continuous stack of Microsoft, Acronis and Nerdio certifications — the ones that have to be renewed because the threats don’t stay still.
Behind the certifications: thirty years of doing the work. I cut my teeth in consulting, then went to Cisco on the team building the original iPhone — Cisco’s VoIP handset, the trademark Apple later acquired in the 2007 settlement. At TPG in 1999 I sold frame-relay networks when frame-relay was the cutting edge of business connectivity. I built and sold a Sydney-based MSP called Online IT before relocating to Perth.
Three decades of watching what’s actually changed and what hasn’t. The technology has changed almost beyond recognition. The principles haven’t. Identity first. Backup that has actually been tested. A senior practitioner who knows your environment. Calm in an incident. Honest answers when the answer is “no.”
That’s whedo.it. That’s the brief. That’s why long-tenure clients don’t leave.
— Warren Ephron, Director