The URL is the first place an attacker lies to you. Six seconds of looking saves a stolen password.
Fake websites are now indistinguishable from real ones at first glance — same logos, same fonts, same colours, same checkout flow. The only thing that can't be perfectly faked is the URL. Six seconds spent looking at the address bar catches almost every phishing site before any damage is done.
The most important part of any URL is the last word before the first single slash. whedo.it/login is real. whedo.it.account-secure.com/login is owned by account-secure.com — a completely different website pretending to be us. Always read right to left to find the real owner.
Attackers register domains one character off the real one: microsft.com, amaz0n.com, linkedln.com (lowercase L instead of I). On phones, the address bar is shrunk — single-character swaps are easy to miss. Bookmark the sites you visit often so you're not retyping them each time.
Every site with HTTPS has a padlock — including 84% of phishing sites in 2025. The padlock means the connection between you and the website is encrypted; it says nothing about who runs that website. Don't let the green padlock relax your guard.
A URL like login.microsoft.com.security-alert.io looks Microsoft-y because the words are there. The real owner is security-alert.io. Microsoft and Google never put their service names inside someone else's domain — the brand is always closest to the slash.
On desktop, hover any link without clicking — the destination appears bottom-left of the browser. On phones, long-press the link to reveal the URL. If the link text says one thing and the destination shows another, the email or page is hostile.
Never click a link in an email to log into anything important — bank, M365, payroll. Open a new tab, type the address you know is correct, and log in from there. Two extra seconds, and the phishing trap can't fire.
User-side awareness is half the answer. The other half is technical — turn the tenant into a hostile environment for phishing.
whedo.it runs quarterly phishing simulations and short awareness sessions for client teams. 20 minutes, six topics, the kind of attacks your industry is actually getting.
A Support Representative will get in touch.
A Support Representative will be in touch the same business day.
No deck, no pitch — walk your environment with a senior Australian practitioner. Confidential by default.
I built this business because I wanted to do Managed services properly — for a small number of clients, at a senior level, with the same person on the end of the phone every time. The work is too important and the stakes are too high for anything less.
Behind the formal qualifications: a Cyber Security degree from the University of the Sunshine Coast, currently working on my Master’s, plus a continuous stack of Microsoft, Acronis and Nerdio certifications — the ones that have to be renewed because the threats don’t stay still.
Behind the certifications: thirty years of doing the work. I cut my teeth in consulting, then went to Cisco on the team building the original iPhone — Cisco’s VoIP handset, the trademark Apple later acquired in the 2007 settlement. At TPG in 1999 I sold frame-relay networks when frame-relay was the cutting edge of business connectivity. I built and sold a Sydney-based MSP called Online IT before relocating to Perth.
Three decades of watching what’s actually changed and what hasn’t. The technology has changed almost beyond recognition. The principles haven’t. Identity first. Backup that has actually been tested. A senior practitioner who knows your environment. Calm in an incident. Honest answers when the answer is “no.”
That’s whedo.it. That’s the brief. That’s why long-tenure clients don’t leave.
— Warren Ephron, Director