Phishing & Social Engineering

What is Phishing?

Phishing is a type of social engineering attack where attackers impersonate trusted entities to trick you into revealing sensitive information — passwords, credit card numbers, or personal data.

Phishing attacks come in many forms:

Email phishing — The most common. Fake emails that look like they come from your bank, IT department, or a colleague.
Spear phishing — Targeted emails using personal details about you to seem more legitimate.
Smishing — Phishing via SMS text messages.
Vishing — Voice phishing over phone calls.

Spotting a Phishing Email

Look for these red flags in every email you receive:

Sender mismatch — The display name says "Microsoft" but the actual email is support@micr0soft-security.com
Urgency and threats — "Your account will be suspended in 24 hours!"
Suspicious links — Hover before you click. Does the URL match the claimed sender?
Generic greetings — "Dear Customer" instead of your actual name
Spelling and grammar errors — Legitimate companies proofread their emails
Unexpected attachments — Especially .exe, .zip, or Office files with macros

Quick Check

An email from your CEO asking you to urgently buy gift cards is a common phishing tactic.

Try It: Can You Spot the Phish?

Examine this email carefully. Click on every element you think is suspicious.

Phishing Simulator — EmailClick suspicious elements to flag them

From:IT-Support@c0mpany-secure.com

Subject:URGENT: Your Password Expires in 2 Hours

Date:Sunday, March 29, 2026

Dear Employee,\n\nYour company password will expire in 2 hours. To avoid losing access to all systems, click the link below immediately to reset your password:\n\nhttps://company-secure-reset.com/password\n\nFailure to act will result in account lockout.\n\nBest regards,\nIT Support Team

0 elements flagged

What to Do When You Suspect Phishing

Scenario Challenge

You receive an email from what appears to be your bank, asking you to verify your account details by clicking a link. The email looks professional but you weren't expecting it.

How would you respond? Choose the best option:

Social engineering isn't limited to email. Attackers also use:

Phone Calls (Vishing)

Someone calls claiming to be from IT support needing your password
A "vendor" calls asking for payment information
Rule: Never give credentials or sensitive data over the phone unless YOU initiated the call to a known number

In-Person

Tailgating through secure doors
Impersonating delivery workers or contractors
Leaving infected USB drives in parking lots

Quick Check

It's safe to plug in a USB drive you found in the company parking lot, as long as you scan it with antivirus first.

Key Takeaways

Think before you click — Hover over links, verify senders, question urgency
When in doubt, verify — Contact the sender through a separate, known channel
Report suspicious messages — Even if you're not sure, report it. Your security team would rather investigate a false alarm than miss a real attack
Never share credentials — No legitimate organization will ask for your password via email, phone, or text
Trust your instincts — If something feels off, it probably is

What is Phishing?

Phishing is a type of social engineering attack where attackers impersonate trusted entities to trick you into revealing sensitive information — passwords, credit card numbers, or personal data.

Phishing attacks come in many forms:

Email phishing — The most common. Fake emails that look like they come from your bank, IT department, or a colleague.
Spear phishing — Targeted emails using personal details about you to seem more legitimate.
Smishing — Phishing via SMS text messages.
Vishing — Voice phishing over phone calls.

Spotting a Phishing Email

Look for these red flags in every email you receive:

Sender mismatch — The display name says "Microsoft" but the actual email is support@micr0soft-security.com
Urgency and threats — "Your account will be suspended in 24 hours!"
Suspicious links — Hover before you click. Does the URL match the claimed sender?
Generic greetings — "Dear Customer" instead of your actual name
Spelling and grammar errors — Legitimate companies proofread their emails
Unexpected attachments — Especially .exe, .zip, or Office files with macros

Quick Check

An email from your CEO asking you to urgently buy gift cards is a common phishing tactic.

Try It: Can You Spot the Phish?

Examine this email carefully. Click on every element you think is suspicious.

Phishing Simulator — EmailClick suspicious elements to flag them

From:IT-Support@c0mpany-secure.com

Subject:URGENT: Your Password Expires in 2 Hours

Date:Sunday, March 29, 2026

0 elements flagged

What to Do When You Suspect Phishing

Scenario Challenge

You receive an email from what appears to be your bank, asking you to verify your account details by clicking a link. The email looks professional but you weren't expecting it.

How would you respond? Choose the best option:

Social engineering isn't limited to email. Attackers also use:

Phone Calls (Vishing)

Someone calls claiming to be from IT support needing your password
A "vendor" calls asking for payment information
Rule: Never give credentials or sensitive data over the phone unless YOU initiated the call to a known number

In-Person

Tailgating through secure doors
Impersonating delivery workers or contractors
Leaving infected USB drives in parking lots

Quick Check

It's safe to plug in a USB drive you found in the company parking lot, as long as you scan it with antivirus first.

Key Takeaways

Think before you click — Hover over links, verify senders, question urgency
When in doubt, verify — Contact the sender through a separate, known channel
Report suspicious messages — Even if you're not sure, report it. Your security team would rather investigate a false alarm than miss a real attack
Never share credentials — No legitimate organization will ask for your password via email, phone, or text
Trust your instincts — If something feels off, it probably is

Phishing & Social Engineering

What is Phishing?

Spotting a Phishing Email

Try It: Can You Spot the Phish?

What to Do When You Suspect Phishing

Phone Calls (Vishing)

In-Person

Key Takeaways

Ready to test your knowledge?

Phishing & Social Engineering

What is Phishing?

Spotting a Phishing Email

Try It: Can You Spot the Phish?

What to Do When You Suspect Phishing

Phone Calls (Vishing)

In-Person

Key Takeaways

Ready to test your knowledge?

What is Phishing?

Spotting a Phishing Email

Try It: Can You Spot the Phish?

What to Do When You Suspect Phishing

Social Engineering Beyond Email

Phone Calls (Vishing)

In-Person

Key Takeaways

Ready to test your knowledge?

What is Phishing?

Spotting a Phishing Email

Try It: Can You Spot the Phish?

What to Do When You Suspect Phishing

Social Engineering Beyond Email

Phone Calls (Vishing)

In-Person

Key Takeaways

Ready to test your knowledge?