If Troy Hunt Can Fall for Phishing, So Can You
Let’s clear this up right away: falling for a phishing email doesn’t mean you’re clueless, lazy, or bad at your job.
Even Troy Hunt, yes, the guy behind Have I Been Pwned, recently clicked on a phishing link. And not just clicked… he entered his credentials and a multi-factor authentication code into a spoofed website.
This isn’t about dunking on Troy. In fact, it’s quite the opposite. I appreciate that he went public with the story, because it gives all of us, security folks, business users, and IT teams, a reality check.
What Happened
Here’s the quick version: Troy received an email that looked like it came from Mailchimp, his email marketing provider. The message claimed his account had been flagged for spam and that his ability to send emails was restricted.
It contained a link to a site at mailchimp-sso.com (which sounds just real enough), and when Troy followed the link, he was taken to what looked like Mailchimp’s login page. He entered his username, password, and a one-time passcode.
Then the page stalled out.
That’s the moment he realized something was wrong.
He immediately went to the real Mailchimp site, changed his password, and saw that his mailing list, about 16,000 email addresses, had already been exported by someone using an IP address in New York.
It was a well-crafted phishing email, sent at the perfect time (he was traveling, tired, and distracted), and it got him. You can read his account of the phish here.
Wait… Who Is Troy Hunt?
If you’re not in the security industry, you might not recognize the name. Troy Hunt is the creator of Have I Been Pwned, a service that lets you check if your email or password has ever been exposed in a data breach. He’s a respected voice in the cybersecurity world, and he’s helped millions of people understand digital risk.
So yeah, he’s one of the last people you’d expect to fall for a phishing attack.
Why This Matters
We’re long past the days when phishing emails were filled with typos, fake Nigerian princes, or cartoonish grammar. Today’s attacks are:
Polished – Clean branding, real-sounding alerts, perfect English.
Timely – Triggering you when you’re most distracted.
Hyper-specific – Sometimes using scraped data, breached info, or even generative AI to add believable context.
What got Troy wasn’t a lack of knowledge. It was a moment of humanity, one all of us are susceptible to. A split-second decision made while multitasking. That’s all it takes.
What We Can Learn
Troy’s transparency gives us a chance to pause and revisit our own habits. Here are a few reminders that might help:
Slow down. The best phishing attacks create a sense of urgency. That’s intentional. Pause before clicking.
Hover and verify. Look at where a link really goes before clicking. mailchimp.com is legit. mailchimp-sso.com is not.
Use a password manager. They won’t auto-fill on fake sites. If you’re not using one yet, here’s why you should.
Enable MFA. It’s not bulletproof, but it helps. And if you’re still unsure what that means, check out my post on multi-factor authentication (MFA).
Normalize mistakes. The more shame we attach to “falling for it,” the fewer people will report incidents quickly.
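To make the "hover and verify" and password-manager points concrete, here is an added example (not code from the original post) of the rule a password manager applies before auto-filling: only the link's registrable domain counts, so login.mailchimp.com passes while mailchimp-sso.com and other lookalikes fail. The trusted-domain set and the sample links are constructed for this illustration.

```python
from urllib.parse import urlsplit

# mailchimp.com is the legitimate domain named in the post; the set itself is
# constructed for this example.
TRUSTED_DOMAINS = {"mailchimp.com"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, e.g. login.mailchimp.com -> mailchimp.com.

    Real password managers consult the Public Suffix List so that names like
    example.co.uk work; two labels are enough for the .com cases discussed here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Decide whether a link really lands on a trusted domain.

    Subdomains of a trusted domain pass. Lookalikes (mailchimp-sso.com),
    suffix tricks (mailchimp.com.evil.example) and userinfo tricks
    (https://mailchimp.com@evil.example/) all fail. Returns (ok, reason).
    """
    parts = urlsplit(url)
    host = parts.hostname  # drops user@ and :port, lowercases
    if not host:
        return False, "no hostname in link"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    if not host.isascii():
        return False, "non-ASCII hostname (possible homograph lookalike)"
    if parts.username is not None:
        return False, f"text before @ is decoration; real destination is {host}"
    domain = registrable_domain(host)
    if domain in trusted:
        return True, f"{host} belongs to trusted domain {domain}"
    return False, f"{host} is not a trusted domain"


if __name__ == "__main__":
    # Constructed sample links: the real login page and the lookalike from the post.
    for link in ("https://login.mailchimp.com/", "https://mailchimp-sso.com/login"):
        ok, reason = check_link(link)
        print(("OK   " if ok else "STOP ") + link + "  <- " + reason)
```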
Want to understand how attackers use leaked credentials? Take a minute to read about credential stuffing. It’s more common, and more dangerous, than most people realize.
And if you’ve ever wondered how phishing links might redirect you even when you type the right address, pharming is a threat worth learning about too.
Final Thoughts
The next time you start to say, “I would never fall for that,” remember Troy’s story. You might not fall for that one, but there’s always a more convincing phish right around the corner.
Phishing doesn’t care how smart you are. It cares how distracted you are.
And if it can fool someone who literally teaches the world how phishing works? It can fool any of us.