A true story about clicking a phishing link, what defense in depth actually looks like, and why no single layer is enough.


July 01, 2026 · 5 min read

I Clicked a Phishing Email That Morning
Author: Debbie Elam

A few days ago, I clicked on a phishing email.
I have something embarrassing to admit.
A few days ago, on an otherwise normal morning, I clicked on a phishing email. It was a very good phishing email. The signs were there — I just didn't look for them, and that's on me.
The email came from a trusted source. It appeared to reference a real conversation I'd had with a real person, and it asked for something small and reasonable. Within minutes of my click, a set of Russian hackers had access to my email.
I tell this story because I'm the co-founder of a managed IT and cybersecurity company. If I can fall for it, anyone in your office can fall for it. That's not a sales pitch — that's just the truth.

Defense in depth isn't a product. It's a stack.
At Nerdworks Services, we believe in a concept called defense in depth. The idea is simple: don't rely on any one layer to keep you safe. Stack the layers, because any single one of them can — and will — fail eventually.
Here's how the stack works in real life, using my own morning as the example.

Layer 1 — Email security filters. Most phishing emails get stopped at the door — including many that never reach me, that I would absolutely have clicked if they'd landed. The one I clicked on got past our filters, because it came from a legitimate, trusted email account that had been compromised upstream. When the bad guys send from a real person's real address, our filters see a real person's real email. This layer failed.

Layer 2 — User awareness. That's me. I keep up with regular cybersecurity training for myself, and I talk with other business owners about the signs of a malicious email — the urgency, the familiar name, the reasonable ask, the tiny URL mismatch. The signs in this one were all there. I clicked anyway. This layer failed too.

Layer 3 — Login anomaly detection. This is the layer that saved us. Within thirty minutes of my mistake, one of our security tools flagged a login to my mailbox from Russia. Not a country I'd ever signed in from. Not a country I'd ever want to sign in from.

That's the alert.
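
The check Layer 3 describes, a successful login from a country the mailbox owner has never signed in from, sketched as an added example (this is not Nerdworks' tooling or code from the original post). The log format, the addresses and the `min_history` threshold are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records: UTC time, user, country, result.
SAMPLE_LOG = """\
2026-06-01T13:02:11Z,owner@example.com,US,success
2026-06-08T13:10:45Z,owner@example.com,US,success
2026-06-15T12:58:03Z,owner@example.com,US,success
2026-06-20T09:00:00Z,staff@example.com,US,success
2026-06-21T03:14:00Z,staff@example.com,BR,failure
2026-06-26T14:05:00Z,owner@example.com,US,success
2026-06-26T14:31:20Z,owner@example.com,RU,success
2026-06-26T14:40:00Z,owner@example.com,RU,success
"""

def parse(log_text):
    """Return (time, user, country, result) tuples in chronological order."""
    rows = []
    for ts, user, country, result in csv.reader(io.StringIO(log_text)):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rows.append((when, user.lower(), country.upper(), result))
    return sorted(rows)

def new_country_alerts(log_text, min_history=3):
    """Flag successful sign-ins from a country with no prior success for that user.
    Failed attempts never extend the baseline; users with fewer than min_history
    prior successes are still in a learning period and are not alerted on."""
    seen = defaultdict(set)       # user -> countries with a prior success
    successes = defaultdict(int)  # user -> number of baseline sign-ins
    last_ok = {}                  # user -> (time, country) of last baseline sign-in
    alerted = set()               # (user, country) pairs already raised
    alerts = []
    for when, user, country, result in parse(log_text):
        if result != "success":
            continue
        if country in seen[user] or successes[user] < min_history:
            seen[user].add(country)
            successes[user] += 1
            last_ok[user] = (when, country)
        elif (user, country) not in alerted:
            # New country is NOT added to the baseline until someone confirms it.
            prev_time, prev_country = last_ok.get(user, (when, None))
            alerts.append({"user": user, "country": country, "time": when,
                           "previous_country": prev_country, "gap": when - prev_time})
            alerted.add((user, country))
    return alerts
```

The `gap` field is the time since the user's last baseline sign-in; a short gap between two distant countries is what makes a login "impossible" rather than merely unusual.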

What we did in the next 30 minutes.
When that alert fired, we moved fast.
We logged the attackers out of my mailbox and changed the password. We checked the message trace — no new mail had gone out from my account under their control. We confirmed the original phishing email had come from a real contact whose own system was infected, so we notified them too. And we cleaned up the workstation where I'd clicked, to make sure nothing else had taken root.
The whole thing was contained inside an hour.
None of this happened because I'm especially smart or fast. It happened because the layers behind me caught what I missed.

Why one layer is never enough.
Here's the part I want every business owner reading this to actually take in.
No single layer of cybersecurity is perfect. Not email filters. Not user awareness. Not antivirus. Not multi-factor authentication. Not a fancy firewall. Any one of them, on its own, will eventually let the wrong thing through.

Defense in depth is the idea that you don't need any single layer to be perfect. You need the combination to be hard to get through. A phish that beats the filter still has to beat the user. A user who gets fooled still trips the anomaly alert. An attacker who lands on a workstation still has to bypass endpoint protection.

The bad guys have to beat every layer. You only need to catch them at one. So you stack them — because every layer that fails is one more chance the next layer has to stop them. That's the whole strategy.

What this looked like in real numbers.
For the record, the timeline:

  • A few days ago, on a normal morning — I clicked the link. Bad decision.

  • Within 30 minutes — login anomaly from Russia flagged and responded to.

  • Within the hour — account secured, password changed, workstation cleaned, source contact notified.

  • No data left the mailbox. No malicious emails went out under my name. No client was exposed.

The only lasting consequence is that I'm telling this story in public instead of pretending it didn't happen. I think that's a better outcome.

The lesson I actually learned.
I'm not going to end this with a pitch about which tool saved the day. The truth is, the tool that fired the alert was doing its job, but the real win was that we had already built the layers and practiced the response before anything went wrong.

If you only do one thing after reading this, do this: ask whoever runs your IT and cybersecurity what your layers look like. Ask what happens when the filter layer fails — because one day, it will. Ask what happens when the user-awareness layer fails right behind it — because the same morning will probably test both. Ask how long it would take for someone to notice an impossible login, and what they'd do next.

If the answer is "we don't really have that," you don't have a defense problem. You have a defense-in-depth problem, and that's fixable.

That's the part I get up every morning to help with. Reach out to Nerdworks Services if you want a second set of eyes on your stack — no pitch, just a conversation.

— Debbie Elam, co-founder of Nerdworks Services
