Phishing Awareness
Phishing is the most common entry point for cyber attacks. Over 90% of data breaches start with a phishing email. This lesson will teach you how to spot the red flags, inspect suspicious messages, and respond appropriately.
What is Phishing?
Phishing is a type of social engineering attack where criminals pose as legitimate organizations or individuals to trick you into revealing sensitive information. This usually comes in the form of email, but can also arrive via text messages (smishing), phone calls (vishing), or fake websites.
Key Statistic
The average organization receives over 700 social engineering attacks per year, and 30% of phishing emails are opened by the intended target.
Common Phishing Red Flags
Training your eye to spot these indicators is your first line of defense. When reviewing an email, check for each of these warning signs:
- Email address doesn't match the company domain (e.g., support@gmaii.com)
- Display name matches a real person, but the email address is suspicious
- Message comes from a free email service (Gmail, Yahoo) pretending to be a business
- Urgent or alarming language, such as “Your account will be suspended in 24 hours” or “Unauthorized login detected — click here to secure your account”
- Threatens legal action, fines, or service termination if you don't act immediately
- Hover over links before clicking — the visible text may say “paypal.com” but the actual URL goes somewhere else
- Unexpected attachments, especially .zip, .exe, .docm, or .js files
- URL shorteners (bit.ly, tinyurl) hiding the actual destination
- “Dear Customer” or “Dear User” instead of your actual name
- Awkward phrasing, spelling errors, or inconsistent formatting
- Logos that look slightly off or low-resolution
Anatomy of a Phishing Email
Spoofed Sender
The “From” name says “IT Support”, but the actual email address is it-support@secure-update-g43f.top.
Urgent Subject Line
“Action Required: Your Email Password Will Expire Today” — creates panic to bypass critical thinking.
Generic Greeting
“Dear Valued User” — legitimate companies know your name.
Malicious Link
A button that says “Reset Password Now” but actually links to http://fake-login-page.xyz/.
Consequences
“Failure to update within 24 hours will result in account termination.” — pure pressure tactic.
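As an added illustration that is not part of the original lesson, the following Python script applies the red flags listed above to a constructed message built from the “Anatomy” example; the organization's domain, the internal display names, the keyword lists and the message fields are assumptions made for the demo.

```python
import re

# Constructed sample, assembled from the "Anatomy of a Phishing Email" example on this page.
SAMPLE = {
    "from_name": "IT Support",
    "from_addr": "it-support@secure-update-g43f.top",
    "subject": "Action Required: Your Email Password Will Expire Today",
    "html": '<p>Dear Valued User,</p><p>Unauthorized login detected. Failure to update '
            'within 24 hours will result in account termination.</p>'
            '<a href="http://fake-login-page.xyz/">https://paypal.com/reset</a>',
    "attachments": ["invoice.docm"],
}
OWN_DOMAINS = {"company.com"}  # hypothetical: the organization's real mail domains
INTERNAL_NAMES = ("it support", "helpdesk", "hr department")  # display names only insiders use
FREE_MAIL = {"gmail.com", "yahoo.com"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
RISKY_EXT = (".zip", ".exe", ".docm", ".js")
URGENCY = ("action required", "expire", "24 hours", "suspended", "unauthorized login", "termination")
GENERIC = ("dear customer", "dear user", "dear valued user")
# Enough for this sample; a real mail gateway would use a proper HTML parser, not a regex.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    """Hostname of an http(s) URL, or '' when the string is not a URL (e.g. plain link text)."""
    m = re.match(r"https?://([^/:?#]+)", url.strip().lower())
    return m.group(1) if m else ""

def phishing_flags(mail):
    """Return the red flags found in one message; an empty list means none of these checks fired."""
    flags, domain = [], mail["from_addr"].rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL:
        flags.append(f"free mail provider posing as a business: {domain}")
    elif domain not in OWN_DOMAINS and mail["from_name"].lower() in INTERNAL_NAMES:
        flags.append(f"display name '{mail['from_name']}' but external address {mail['from_addr']}")
    low = (mail["subject"] + " " + mail["html"]).lower()
    if hits := [w for w in URGENCY if w in low]:
        flags.append("urgency or threat language: " + ", ".join(hits))
    if any(g in low for g in GENERIC):
        flags.append("generic greeting instead of your name")
    for href, text in LINK_RE.findall(mail["html"]):
        if host(href) in SHORTENERS:
            flags.append(f"URL shortener hides the destination: {href}")
        elif host(text) and host(text) != host(href):  # visible text and real target differ
            flags.append(f"link text shows {host(text)} but really goes to {host(href)}")
    flags += [f"risky attachment type: {a}" for a in mail["attachments"] if a.lower().endswith(RISKY_EXT)]
    return flags

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE):
        print("-", flag)
```

Run as-is, the script reports all five red flags in the sample (spoofed internal sender, urgency wording, generic greeting, mismatched link, risky attachment); a normal internal message produces an empty list.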
What to Do When You Suspect a Phish
Report It
Most organizations have a “Report Phishing” button in their email client or a designated security inbox (e.g., security@company.com). Reporting helps protect everyone and lets the security team investigate.
Verify Independently
If an email claims to be from your bank, IT department, or a vendor, contact them using a phone number or website you already know is legitimate — not the contact details given in the suspicious email.
Don't Click
Even if the email looks convincing, do not click anything. Hover your mouse over links to preview the actual URL. When in doubt, navigate to the website directly by typing the address into your browser.
Don't Reply
Replying confirms your email address is active, which makes you a bigger target. Do not call phone numbers listed in suspicious emails or respond to text messages from unknown senders.
Types of Phishing Attacks
Mass (Bulk) Phishing
Mass emails sent to many targets, hoping someone takes the bait. Usually impersonates well-known brands like PayPal, Microsoft, or Amazon.
Spear Phishing
Targeted attacks aimed at specific individuals or organizations. The attacker researches their target and personalizes the message to increase credibility.
Whaling
Spear phishing aimed at senior executives or other high-value targets. The stakes are higher, and the messages are carefully crafted to exploit authority and urgency.
Smishing and Vishing
Phishing via SMS (smishing) or voice calls (vishing). Attackers may spoof caller IDs or send texts claiming to be from your bank or delivery service.
Quick Knowledge Check
Next time you receive an unexpected email, run through these five questions:
1. Do I know the sender? Is the email address legitimate?
2. Was I expecting this message? Does it match the context of our relationship?
3. Is there a sense of urgency designed to make me act without thinking?
4. Does the email ask me to click a link, open an attachment, or provide sensitive info?
5. Does anything feel “off” — grammar, tone, branding, or request?
If the answer to any of these raises a red flag, report it before clicking anything.