Recognizing and defending against psychological manipulation.
## What Is Phishing

Phishing is tricking someone into revealing sensitive information or taking harmful actions. It exploits human psychology, not technical vulnerabilities.

| Phishing Type | Method | Goal |
|---|---|---|
| Email phishing | Deceptive emails | Steal credentials, deliver malware |
| Spear phishing | Targeted emails | Compromise specific person |
| Smishing | SMS text messages | Steal info, install malware |
| Vishing | Voice calls | Steal info, authorize transactions |
| Whaling | Target executives | Large financial transfers |
| Clone phishing | Copy legitimate emails | Replace links with malicious ones |
## How to Spot Phishing

### Red Flags in Messages

| Red Flag | Example |
|---|---|
| Urgency | "Your account will be closed in 24 hours!" |
| Threats | "Pay now or face legal action" |
| Generic greeting | "Dear Customer" or "Dear User" |
| Suspicious sender | amazon-support@gmail.com |
| Misspellings | "Amaz0n" or "Pavpal" |
| Grammar errors | Awkward phrasing, broken English |
| Too good to be true | "You've won $1,000,000!" |
| Unusual requests | "Send gift cards" or "wire money" |
### Examining Email Senders

| What to Check | How to Check |
|---|---|
| Display name vs. actual address | Hover over or click on sender name |
| Domain spelling | @amazon.com vs @amaz0n.com |
| Subdomain tricks | amazon.evil.com vs evil.amazon.com |
| Free email for business | Real companies don't use @gmail.com |

Examples of spoofed vs. legitimate:

| Legitimate | Phishing Attempt |
|---|---|
| support@amazon.com | support@amazon-help.com |
| noreply@chase.com | chase-security@gmail.com |
| alerts@paypal.com | paypal.alert@secure-verify.com |
| security@apple.com | apple@security-team.net |
### Examining Links

Before clicking any link:

| Step | How to Do It |
|---|---|
| Hover over link | See actual destination URL |
| Check domain carefully | Is it the real company's domain? |
| Look for HTTPS | Legitimate sites use encryption, but so do many phishing sites; HTTPS alone doesn't prove a site is genuine |
| Watch for lookalikes | paypa1.com, arnazon.com |

URL red flags:

| Suspicious URL | Problem |
|---|---|
| http://amazon.com.verify.xyz/... | amazon.com isn't the actual domain |
| https://amaz0n.com | Letter 'o' replaced with zero |
| https://amazon-secure.com | Not amazon.com |
| https://bit.ly/abc123 | Shortened URL hides destination |
### Examining Attachments

| Dangerous | Usually Safe |
|---|---|
| .exe, .scr, .bat | PDF (from known sender) |
| .zip, .rar (unexpected) | .docx, .xlsx (from known sender) |
| .js, .vbs | Images (.jpg, .png) |
| .pdf.exe (double extension) | Calendar invites (.ics) |

Rule of thumb: If you weren't expecting an attachment, verify with the sender through another channel before opening.
## Common Phishing Scenarios

### Package Delivery Scams

| Pattern | What It Says | Reality |
|---|---|---|
| Fake tracking notification | "Package delivery failed" | Link leads to credential theft |
| Customs fee required | "Pay $3.50 to release package" | Steals credit card info |
| Schedule redelivery | "Update delivery preferences" | Collects personal information |

Defense: Go directly to the carrier's website to check tracking.
### Financial Institution Scams

| Pattern | What It Says | Reality |
|---|---|---|
| Suspicious activity alert | "Unusual login detected" | Fake login page steals credentials |
| Account locked | "Verify your identity" | Collects SSN, account numbers |
| Security update required | "Update your information" | Steals banking credentials |

Defense: Call your bank directly using the number on your card.
### Tech Support Scams

| Pattern | How It Works |
|---|---|
| Popup warning | "Your computer is infected! Call now!" |
| Cold call | "We detected viruses on your computer" |
| Fake Windows alert | Screen freeze with "support" number |
| Remote access request | "Let us fix your computer" |

Defense: Microsoft, Apple, and other legitimate companies never call you unsolicited.
### Government Impersonation

| Pattern | What It Says | Reality |
|---|---|---|
| IRS threat | "Pay now or be arrested" | IRS doesn't threaten via phone/email |
| Social Security suspension | "Your SSN is suspended" | SSN cannot be "suspended" |
| Jury duty warrant | "Pay fine to avoid arrest" | Courts don't demand payment by phone |

Defense: Government agencies send official mail first and don't demand immediate payment.
### Romance and Relationship Scams

| Warning Sign | What's Happening |
|---|---|
| Met online, never video calls | Using fake photos |
| Quick emotional attachment | Building trust to exploit |
| Financial hardship story | Setup for asking for money |
| Can't meet in person | "Deployed," "overseas," "working abroad" |
| Requests money or gift cards | The actual scam |

Defense: Never send money to someone you haven't met in person. Reverse image search photos.
## AI-Enhanced Phishing

Modern phishing is becoming more sophisticated with AI:

| AI Capability | Impact on Phishing |
|---|---|
| Better grammar | Fewer spelling/grammar red flags |
| Personalization | Uses your real information from breaches |
| Voice cloning | Fake calls sounding like family members |
| Deepfake video | Fake video calls |
| Automated at scale | More targeted attacks on more people |

### Defending Against AI Phishing

| Old Advice | New Advice |
|---|---|
| Look for bad grammar | Grammar may be perfect |
| Verify voice is real | Establish family code words |
| Trust video calls | Video can be faked |
| Trust caller ID | Easily spoofed |
| Generic emails are suspicious | Targeted emails are also suspicious |
## The Phishing Verification Process

When you receive any unexpected request:

### Step 1: Stop

| Don't | Do |
|---|---|
| Click immediately | Pause and think |
| Call number in message | Find official number independently |
| Reply to sender | Verify through other channels |
| Open attachments | Ask yourself if you expected this |

### Step 2: Verify

| Verification Method | How to Do It |
|---|---|
| Direct website | Type URL manually in browser |
| Known phone number | Use number from official source |
| Separate email | Contact through known good address |
| In person | Ask face-to-face if possible |

### Step 3: Report

| To Report | Where |
|---|---|
| Phishing emails | Forward to reportphishing@apwg.org |
| Suspected scam calls | FTC at reportfraud.ftc.gov |
| IRS impersonation | Treasury at phishing@irs.gov |
| Smishing | Forward to 7726 (SPAM) |
| Work-related phishing | Your IT security team |
## Business Email Compromise (BEC)

A sophisticated attack where criminals impersonate executives or vendors:

| Attack Pattern | How It Works |
|---|---|
| CEO fraud | Fake email from CEO requests wire transfer |
| Invoice manipulation | Attacker modifies vendor invoice with new bank details |
| Account takeover | Compromised email sends real-looking requests |
| Attorney impersonation | Fake lawyer requests confidential payment |

### BEC Red Flags

| Warning Sign | Example |
|---|---|
| Unusual payment request | "Wire money to this new account" |
| Urgency and secrecy | "Don't tell anyone, handle this privately" |
| Changed payment details | "Use these new banking instructions" |
| Slight email differences | john.smith@company.com vs john.srnith@company.com |

Defense: Always verify payment changes by phone using known numbers.
## Protecting Yourself from Phishing

### Technical Defenses

| Defense | How It Helps |
|---|---|
| Email filtering | Blocks known phishing |
| Browser protection | Warns about suspicious sites |
| 2FA on all accounts | Limits damage if credentials stolen |
| Password manager | Won't auto-fill on fake sites |
| Updated software | Blocks known exploits |

### Behavioral Defenses

| Practice | Why It Works |
|---|---|
| Never click email links for sensitive sites | Go directly to site instead |
| Verify unexpected requests | Call using known number |
| Check sender carefully | Catch spoofed addresses |
| Distrust urgency | Scammers want you to act fast |
| Keep personal info private | Less info for targeted attacks |
## When You Think You've Been Phished

| If You | Do This |
|---|---|
| Clicked a suspicious link | Run antimalware scan |
| Entered credentials | Change password immediately, enable 2FA |
| Gave financial info | Contact bank, freeze accounts |
| Installed software | Disconnect from the internet and get professional help |
| Sent money | Contact bank immediately, file police report |
## Phishing Simulations and Training

### Recognizing Real vs. Test

If your employer runs phishing tests:

| Purpose | Benefit |
|---|---|
| Identify vulnerable users | Get additional training |
| Measure security awareness | Track improvement |
| Reinforce good habits | Practice skepticism |
| Test security controls | Verify protections work |
### Training Your Family

| For | Teach |
|---|---|
| Children | Never give information to strangers online |
| Teens | Verify unexpected messages, even from friends |
| Parents/elderly | Scammers impersonate family, call to verify |
| Everyone | Establish family code word for emergencies |

### Family Code Word

Establish a secret word for verifying real emergencies:

| Situation | Use |
|---|---|
| Call claiming family emergency | Ask for code word |
| Message asking for money | Verify with code word |
| Video call seems off | Request code word |

Make it memorable, secret, and not guessable from social media.
## Evolving Phishing Tactics

### QR Code Phishing (Quishing)

| Attack | How It Works |
|---|---|
| Fake parking meters | QR code leads to payment theft site |
| Restaurant menus | Malicious codes mixed in with legitimate ones |
| Package deliveries | QR "for tracking" leads to phishing |
| Email attachments | QR image bypasses link scanning |

Defense: Be cautious of QR codes from unknown sources. Verify the destination URL before entering information.

### Calendar Invite Phishing

| Attack | How It Works |
|---|---|
| Spam meeting invites | Links in invite lead to phishing sites |
| Auto-accept exploitation | Invite appears on your calendar automatically |
| Fake event reminders | "Click to join meeting" link is malicious |

Defense: Don't click links in unexpected calendar invites. Delete suspicious invites.
## Key Takeaways

- Phishing exploits psychology: technical skills alone don't protect you
- Verify everything unexpected: use separate channels to confirm
- Never click email links for sensitive accounts: go directly to websites
- Urgency is a red flag: scammers want you to act before thinking
- Check sender addresses carefully: look beyond display names
- AI makes phishing better: grammar and personalization aren't reliable indicators
- Establish family code words: verify emergency requests from "family"
- 2FA limits damage: even if credentials are stolen, accounts stay protected
- Report phishing attempts: help protect others
- When in doubt, verify: take 5 minutes to confirm rather than risk compromise