Forget trust. Dismiss instinct. Gap it instead.
This is a crucial message for anyone navigating today’s high-risk digital world – not just yourself and co-workers, but your family too: Don’t trust. Gap It instead. With phishing attacks, social engineering scams, and emotional manipulation on the rise, your best defense isn’t new antivirus software, it’s your brain. Or more precisely, your ability to teach your brain to overrule instinct and pause and think before reacting.
Transcript
“Hi, Grandma, it’s me! I’m calling you from a different phone because I lost mine. I’ve been arrested. I’m scared! I need money to get bail. Please help me, grandma. I’m so scared…”
“Hello. This is your Chief Financial Officer sending you a quick video message to request that you do me a favor – and do our customers a favor by wiring $25 million to this account in the Cayman Islands. I know this is not the normal way we do things but consider a special favor for me.”
“Warning! Your PC is infected with 5 viruses! Immediate action required! Click here to fix the issue and protect your data.”
All three of these are, of course, messages that are intended to get you to act. To do something out of fear for your own safety or for that of someone you care about. A family member in trouble? Your computer apparently infected? Your boss asking you to do something. How can you say no to any of these?
Every day, messages like these pour into the inboxes, browsers and phones of millions of people. And many of us have learned to identify them and block them. At least until a new type comes along, and we fall for it. The bad actors know this fact: sooner or later people will all slip up.
Welcome to CoolTimeLife. I’m Steve Prentice. Each of my CoolTimeLife podcasts focuses on a topic dealing with people, productivity, technology, and life, and each offers ideas and facts you might need to know about to thrive in today’s busy world. An index of our podcasts is available at cooltimelife under the episodes tab.
The interesting thing about cybercriminals, just like rats, cockroaches and viruses, is that once you build an impenetrable fortress, they simply look for a different entry point. They don’t go away – they just change tack. Evolve. Mutate. We have fortified our computer networks, our communication systems and even our password systems so that it is very difficult for most bad actors to break into a business or a home that way. But they know there’s another option. One that is far more vulnerable and likely to fail than any new technology, because it has been around as long as humanity itself. And that’s because that weakness is us.
Fear, overload, distraction or trust. Take your pick. Each of these is a human reaction to what we see in front of us, and each guides our next step. Unfortunately, each of these robs us of the most vital self-protection element of all: our own ability to think about what we are facing. In other words, critical thinking.
This is natural. We have a nervous system dedicated to self-preservation, and its primary response, often called fight-or-flight, doesn’t want to consider critical thinking. If there’s a danger facing us, our fight-or-flight response only has two options: stand and fight or get out of there. There is no other option called “let’s think this through.” That feature came to us many millennia after fight-or-flight was hard-coded into our DNA.
This is not all about dealing with large carnivorous animals. When you receive a message, in your email inbox or on your phone, the presence of that message stimulates the same instinct: it’s something new in our environment. Find out what it is. We must know. We doomscroll through social media feeds because we must know what’s coming next. That desire is not a conscious thought. It’s a reflex.
You receive an attachment in an email. You click on it to download without thinking whether it’s a legitimate document or a piece of malware. You’re too busy for that.
That’s why, when someone receives a text message on their phone supposedly from the tax authorities, announcing a refund or collecting on an outstanding account, it is easy for most people, especially older people who grew up in the pre-internet era, to have no reason to doubt the message and therefore to react to its urgency or trust its validity by default.
This is also why robocalls still work so well. Even though they are annoying, there is implicit trust in the system, paired with a desire to be polite, that forces people to answer the phone regardless of who is calling. Even those who answer the robocall or spam text message simply to demand a stop to the messaging are trusting that people at the other end will honor that request. Spoiler alert: they won’t. They will simply re-sell your number to other gangs for a higher price now that you have proven it’s a live line with a willing victim at the end.
Even that seemingly random “wrong number text,” where the sender says, “Hi, Amanda. It’s been too long. How about dinner this weekend?” The odds are this is not an innocent wrong number text message. It’s a trick to get you to reply with something like “Sorry, wrong number.” As nice a gesture as that is, it simply confirms to the cybercrime gang at the other end that your number is a live number with a live person at the end of it. They can – and will – now sell your number on the dark market. So even saying sorry to them actually makes them money.
Too many people still click links, even unsubscribe links, out of reflex or misplaced trust, not realizing they’re handing something over.
A helpful guideline is this: if a message makes you feel something strongly — fear, anger, urgency, guilt — that’s a red flag. If a message makes you feel, rather than think, it’s probably a trick.
It is time to pull all of this back in a little. Reacting without thinking too much still has its place in situations where injury or death is possible. It would be helpful and much safer, for example, if people who had to exit a crashed plane in a hurry simply followed the instructions of the flight crew rather than pausing to retrieve their laptop from the overhead bins. Trust, too, belongs where it always has been, as a bond between two people who know each other well, and who have been able to build that trust relationship over a period of time, and as a result of many interactions, each of which has helped build trust, essentially brick by brick.
Trust used to be the default. Now it must be earned, and re-earned, every time. It’s an issue of ongoing vigilance, even with familiar contacts.
But neither trust nor reaction has a welcome place in the connected, instantaneous and contagious world of the internet.
To this end, I have a two-word mantra that I like to teach to everyone who listens; one that hopefully will put an end to much of the cybercrime and victimization that comes from clicking too quickly or willingly on a link.
That phrase is “Gap it.” It stands for Give it A Pause. That tiny pause can break the emotional spell and restore your ability to think clearly.
GAP IT simply means: if you receive a message on any device that alerts you to a problem such as:
- your bank account is frozen
- a missed delivery
- you’re in trouble with the tax authorities
- your utilities are about to be cut off
- that annoying Captcha thing isn’t working right
- a video or voice message from someone asks you to do something
- a video on streaming media shocks you into responding to their “click here” link
- you get a message appearing to be from a grandchild or cousin who is in jail and needs bail money
…or any other message that strikes fear, outrage or urgency into you, place a gap between that message and your next actions. Make your next action just that – an action, not a reaction. For example, if the message is about a frozen bank account, then log in to your bank account through your computer the way you normally do, not by way of the link provided by the message. If the message seems to be from the government tax authority, then call them, using their regular number. Whatever utility or authority is involved, if there is a genuine problem, you will be able to find out about it through your regular account access point. The idea here is to place a gap between this provocative message and your reaction. Not everyone is aware that most threatening letters link back to a criminal organization staffed with people who are skilled in techniques of further persuasion. They will call. They will pretend to be whoever they need to be. And they are well trained in all elements of objection handling. No matter what you say to them, they’ll have an answer that will eventually lead to your bank account number or something of similar value.
To help people remember what to do in that critical moment, remember the acronym: Give it A Pause. That’s all it takes to disrupt the reflex and choose a safer response.
Promote “Cognitive 2FA”
Teach people to GAP IT. If an email-based invoice appears in an employee’s email, teach them to follow through with that supplier by using the connections they already have on file. Call the supplier company directly through the number you always use. Set up a confidential verbal password with them. That’s what two-factor authentication is, after all: the exchange of a secondary and unique authorization. It’s what we have to do.
So, use a second brain – someone you trust – as a human second factor. Talk to someone before reacting. Even a 10-second chat can defuse emotion and activate critical thinking. It can break the emotional spell.
Practice a micro-habit or “cool-down ritual” to pair with the GAP IT technique. For example:
- Count to five before clicking
- Take one deep breath
- Say out loud, “What’s really going on here?”
Before you click or reply, take a breath and ask: Is this how I normally handle this kind of issue? If the answer is no — gap it.
Social engineering
It is becoming more important than ever to be extremely vigilant and to use the Gap It method consistently, because thieves – the organized ones anyway – are not stupid. They know that first-line cyber defense works, and they also know that employees, whether they work in an office or at home, are too busy to keep up to speed with online safety practices. So, they abuse our natural desires to react and to trust.
Social engineering brings the confidence game online. We have likely all heard the old term confidence trickster – someone who wheedles their way into your world by building confidence and trust in their victims. Ponzi schemes are probably the biggest and most notorious of these. They build trust among investors by fraudulently demonstrating great returns.
Social engineering often involves a person who takes the time to get to know someone on the inside of an organization. Other criminals go the bureaucratic route, setting up invoices that look like they are from actual suppliers that companies deal with. Maybe FedEx or UPS, or an HVAC company that takes care of the heating and air conditioning.
Social engineering depends a great deal on stolen passwords and other forms of ID. When you as a consumer hear about a data breach at a large company, you might shrug your shoulders, and say, “it’s not my problem.” Even if you are an employee of the company that was breached, you might change your account password and move on.
But that’s not enough. When cybercriminals get access to emails, they can also get access to transaction records and other data that allows them access to names and purchase activity of the company they wish to target. They can then craft invoices, collection letters or other types of correspondence that have specific and correct names and purchase records included. ChatGPT can ensure the correspondence reads perfectly – no grammar mistakes. These then get sent to a manager, who must hurry to deal with them. This is how corporate social engineering works. It’s a confidence game that often gets a leg up from another breach that is already forgotten about.
The rule, in business and in personal life, has to be: trust no one, and pro-act rather than react. In IT and cybersecurity, this is actually called Zero Trust, and it’s a practice of exactly that – trusting no one – but it, too, must be carefully monitored to ensure that oversights do not happen.
For individuals, there has to be a zero-trust policy, even among friends and family members. This doesn’t mean that you stop trusting them as individuals, but that you definitely stop trusting all communications as being from them.
For example, if I was a friend or family member of yours, I could easily send you an email or text along the lines of, “About that thing we talked about, here’s a video that shows more about it,” or “Don’t worry about the money. All the details are here,” with a link to something that turns out to be malware. In this instance, because I am part of your life, it is quite possible that we recently had a conversation which would make this type of message seem a perfect fit. Even though the topic of the message is generic and contains no personal facts or unique identifying information, your mind and memory will easily fill in the blanks and connect it back to an earlier conversation, thus making the message appear genuine.
This is why, when I communicate with family members, friends and clients, I will always make the email subject line and the message body highly specific. With elder relatives who are more prone to being trusting and also to being less sophisticated with their technologies, I always address them using a pre-arranged nickname and tell them to never respond to a message from me that does not have that nickname in it.
Gap It
If you are a parent or if you have children in your family, you know how important it is to make kids street smart. You teach them about stranger danger and about watching for cars – not playing in the street. All that kind of thing. In doing this we are trying to teach kids to put a gap between what they are doing and what they might do next: to question their motives for talking to a stranger or for crossing a busy street.
As adults we need to do the same thing. Businesses and organizations need to adjust their culture to allow the time needed to think critically like this, because in many cases people fall for these confidence tricks because they do not give themselves the time to question what is happening, or their employers do not allow the time for these things. It’s difficult to think about putting in a gap, when there are ten more unread emails in your inbox and another meeting to join.
Leaders can make this possible
One of the key reasons people fall for these techniques is that they feel they have neither the time nor permission to process them. There are too many emails, meetings and deadlines crowding the calendar to make such a practice seem feasible. This is where managers and leaders can step up. Organizations must create space to allow employees to think critically. That means reducing pressure to respond instantly to every message. It means encouraging validation and not punishing delay. This positions critical thinking as part of a company culture and thus reduces or eliminates the blame when people pause for safety.
Despite the fact that this truly is part of a safer and more productive workspace – which should be enough – it is also a form of cybersecurity that costs nothing to implement. Given that most data breaches and ransomware events start with a human who did not have the time or inclination to think critically about the email attachment or urgent message in front of them – it makes enormous financial and strategic sense to factor a GAP IT program into the culture.
Leadership and business school programs of all kinds talk about continuous improvement, kaizen, gemba and similar concepts around leadership and quality control. I know because I teach them at the business school of a Toronto area university. Gemba is, in part, based on the idea of thanking employees for taking the brave step of thinking critically while on the job, because halting an assembly line for an hour is still cheaper than issuing a recall on a world full of cars.
Teach Someone Else
At the very least, on an individual level, I would recommend you go out there and teach someone else the “GAP IT” principle. Especially an older relative or a colleague. Just tell them, “If you remember just one thing, remember this: GAP IT.” It could literally change their lives simply by preventing an awful thing from happening. Mention it in a meeting. Embed it into your workflow. Every time someone chooses action over reaction, they win. Actually, we all win.
If you have a comment about this podcast or a suggestion for a topic you would like me to discuss, join the conversation on LinkedIn. My ID there is stevenprentice. Or feel free to drop me a line through the contact form at cooltimelife.com, where you’ll find a full listing of our evergreen CoolTimeLife episodes.