How to spot the bait and not bite.
What Is Phishing
Phishing is tricking someone into giving up information or doing something harmful. The attack target is the person, not the software. There's nothing to patch.
| Phishing Type | Method | Goal |
|---|---|---|
| Email phishing | Deceptive emails | Steal credentials, deliver malware |
| Spear phishing | Targeted emails | Compromise specific person |
| Smishing | SMS text messages | Steal info, install malware |
| Vishing | Voice calls | Steal info, authorize transactions |
| Whaling | Target executives | Large financial transfers |
| Clone phishing | Copy legitimate emails | Replace links with malicious ones |
How to Spot Phishing
Red Flags in Messages
| Red Flag | Example |
|---|---|
| Urgency | "Your account will be closed in 24 hours!" |
| Threats | "Pay now or face legal action" |
| Generic greeting | "Dear Customer" or "Dear User" |
| Suspicious sender | amazon-support@gmail.com |
| Misspellings | "Amaz0n" or "Pavpal" |
| Grammar errors | Awkward phrasing, broken English |
| Too good to be true | "You've won $1,000,000!" |
| Unusual requests | "Send gift cards" or "wire money" |
Examining Email Senders
| What to Check | How to Check |
|---|---|
| Display name vs. actual address | Hover over or click on sender name |
| Domain spelling | @amazon.com vs @amaz0n.com |
| Subdomain tricks | amazon.evil.com vs evil.amazon.com |
| Free email for business | Real companies don't use @gmail.com |
Examples of spoofed vs. legitimate:
| Legitimate | Phishing Attempt |
|---|---|
| support@amazon.com | support@amazon-help.com |
| noreply@chase.com | chase-security@gmail.com |
| alerts@paypal.com | paypal.alert@secure-verify.com |
| security@apple.com | apple@security-team.net |
Examining Links
Before clicking any link:
| Step | How to Do It |
|---|---|
| Hover over link | See actual destination URL |
| Check domain carefully | Is it the real company's domain? |
| Look for HTTPS | Legitimate sites use encryption |
| Watch for lookalikes | paypa1.com, arnazon.com |
URL red flags:
| Suspicious URL | Problem |
|---|---|
| http://amazon.com.verify.xyz/... | amazon.com isn't the actual domain |
| https://amaz0n.com | Letter 'o' replaced with zero |
| https://amazon-secure.com | Not amazon.com |
| https://bit.ly/abc123 | Shortened URL hides destination |
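The sender and link checks from the tables above (display name vs. address, free-mail domains, domain spelling, subdomain tricks, lookalikes, shorteners, HTTPS) written out as code. This is an added example for this guide, not code from the original page; the brand list, free-mail providers and shortener hosts are illustrative assumptions, and the registrable domain is simplified to the last two labels.

```python
"""Sender and link checks for the red flags in the tables above.

Added example for this guide, not code from the original page. The brand
list, free-mail providers and shortener hosts are illustrative assumptions;
a real deployment would load them from configuration.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Brands the user holds accounts with (assumption: illustrative list, kept
# sorted so the order of flags is deterministic).
BRAND_DOMAINS = ["amazon.com", "apple.com", "chase.com", "paypal.com"]
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Substitutions lookalike domains lean on: zero for o, one for l, rn for m, vv for w.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(text: str) -> str:
    """Lowercase and undo confusable substitutions so 'amaz0n' and 'arnazon' read 'amazon'."""
    text = text.lower()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def mentions(text: str, brand: str) -> bool:
    """True if the brand's name appears as a whole word in text after normalization."""
    name = brand.split(".")[0]
    return re.search(rf"(?<![a-z]){re.escape(name)}(?![a-z])", normalize(text)) is not None


def check_domain(host: str) -> list:
    """Flags for a mail domain or URL host: subdomain tricks, lookalikes, shorteners.

    The registrable domain is taken as the last two labels; multi-part public
    suffixes such as co.uk are not handled (assumption).
    """
    host = host.lower().rstrip(".")
    for brand in BRAND_DOMAINS:
        if host == brand or host.endswith("." + brand):
            return []  # the brand's own domain, or a genuine subdomain of it
    labels = host.split(".")
    if len(labels) < 2:
        return ["no registrable domain"]
    registrable = ".".join(labels[-2:])
    flags = []
    for brand in BRAND_DOMAINS:
        # Brand name sitting left of the real domain: amazon.com.verify.xyz
        if any(mentions(label, brand) for label in labels[:-2]):
            flags.append(f"subdomain trick: {brand} is not the registrable domain ({registrable})")
        # Brand name inside the real domain but not equal to it: amaz0n.com, amazon-help.com
        elif mentions(labels[-2], brand):
            flags.append(f"lookalike of {brand}: {registrable}")
    if registrable in SHORTENERS:
        flags.append("shortened URL hides destination")
    return flags


def check_sender(from_header: str) -> list:
    """Flags for a From: header value, per the sender tables."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["address could not be parsed"]
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in BRAND_DOMAINS:
        return []
    flags = check_domain(domain)
    # Brand claimed in the display name or local part while the domain says otherwise.
    claimed = [b for b in BRAND_DOMAINS if mentions(display, b) or mentions(local, b)]
    if claimed and domain in FREE_MAIL:
        flags.append(f"claims {', '.join(claimed)} but sent from free-mail provider {domain}")
    elif claimed and not flags:
        flags.append(f"claims {', '.join(claimed)} but domain is {domain}")
    return flags


def check_link(url: str) -> list:
    """Flags for a URL, per the link tables. HTTPS is necessary, not sufficient."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return ["no host in URL"]
    flags = check_domain(host)
    if parts.scheme != "https":
        flags.append("not HTTPS")
    return flags


if __name__ == "__main__":
    for header in ["support@amazon.com", "Amazon Support <support@amazon-help.com>",
                   "chase-security@gmail.com", "paypal.alert@secure-verify.com"]:
        print(f"{header:45} -> {check_sender(header) or 'no flags'}")
    for url in ["http://amazon.com.verify.xyz/track", "https://paypa1.com/login",
                "https://bit.ly/abc123", "https://evil.amazon.com/"]:
        print(f"{url:45} -> {check_link(url) or 'no flags'}")
```

Two caveats on reading the output: the HTTPS check only catches the absence of encryption, and most phishing sites today do have a valid certificate, so "no flags" means "nothing obvious", not "safe"; and the confusable substitutions are heuristics, so a legitimate domain containing "rn" or a digit can be mis-normalized and should be confirmed by typing the known address rather than trusting the tool.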
Examining Attachments
| Dangerous | Usually Safe |
|---|---|
| .exe, .scr, .bat | PDF (from known sender) |
| .zip, .rar (unexpected) | .docx, .xlsx (from known sender) |
| .js, .vbs | Images (.jpg, .png) |
| .pdf.exe (double extension) | Calendar invites (.ics) |
If you weren't expecting an attachment, verify with the sender through another channel before opening it. Email is easy to spoof. A 30-second phone call is not.
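The attachment rules above as a small triage function. This is an added example for this guide, not code from the original page; it goes slightly beyond the table by also flagging macro-enabled Office formats and a few more script types, and it splits the file name on every dot so a disguised `.pdf.exe` (including one padded with spaces to push the real extension off screen) is judged by its final extension. The `expected` and `known_sender` inputs are assumptions about what the reader already knows from context.

```python
"""Attachment triage for the 'Examining Attachments' table above.

Added example for this guide, not code from the original page. Extension
lists extend the table with macro-enabled Office formats and common script
types; the expected/known_sender inputs are assumptions about context.
"""

EXECUTABLE = {".exe", ".scr", ".bat", ".js", ".vbs", ".cmd", ".com", ".pif",
              ".hta", ".lnk", ".ps1", ".msi", ".jar"}
MACRO = {".docm", ".xlsm", ".pptm"}
ARCHIVE = {".zip", ".rar", ".7z"}
DOCUMENT = {".pdf", ".docx", ".xlsx", ".pptx"}
IMAGE = {".jpg", ".jpeg", ".png", ".gif"}
CALENDAR = {".ics"}


def extensions(filename: str) -> list:
    """Every dotted suffix, lowercased and stripped: 'Invoice.pdf  .exe' -> ['.pdf', '.exe']."""
    name = filename.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in name.split(".")]
    return ["." + p for p in parts[1:] if p]


def triage(filename: str, expected: bool, known_sender: bool) -> str:
    """Return a one-line verdict for a single attachment."""
    exts = extensions(filename)
    if not exts:
        return "UNKNOWN: no extension, verify before opening"
    final = exts[-1]
    if final in EXECUTABLE:
        # Only the last extension counts; a document extension before it is bait.
        if len(exts) > 1 and exts[-2] in DOCUMENT | IMAGE:
            return f"DANGEROUS: double extension {''.join(exts[-2:])} disguises an executable"
        return f"DANGEROUS: {final} runs code"
    if final in MACRO:
        return f"DANGEROUS: {final} is macro-enabled, treat like an executable"
    if final in ARCHIVE:
        if not expected:
            return f"SUSPICIOUS: unexpected {final} archive"
        return f"CAUTION: expected {final} archive, triage each file inside before opening"
    if final in DOCUMENT | IMAGE | CALENDAR:
        if known_sender and expected:
            return "USUALLY SAFE"
        if known_sender:
            return "VERIFY: unexpected, confirm with the sender on another channel"
        return "SUSPICIOUS: from an unknown sender"
    return f"UNKNOWN: {final} is not in any list, verify before opening"


if __name__ == "__main__":
    # Constructed sample file names and context flags.
    samples = [("Invoice.pdf.exe", True, True), ("invoice.pdf        .exe", True, True),
               ("report.docx", True, True), ("photos.zip", False, True),
               ("scan.pdf", False, False), ("budget.xlsm", True, True)]
    for name, expected, known in samples:
        print(f"{name!r:28} -> {triage(name, expected, known)}")
```

The verdicts are deliberately about the name and context only; a file that comes out "USUALLY SAFE" still deserves the 30-second phone call if it was not expected, which is exactly what the `known_sender`-only branch says.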
Common Phishing Scenarios
Package Delivery Scams
| Pattern | What It Says | Reality |
|---|---|---|
| Fake tracking notification | "Package delivery failed" | Link leads to credential theft |
| Customs fee required | "Pay $3.50 to release package" | Steals credit card info |
| Schedule redelivery | "Update delivery preferences" | Collects personal information |
Defense: go directly to the carrier's website (USPS, UPS, FedEx, your local post) and paste the tracking number there.
Financial Institution Scams
| Pattern | What It Says | Reality |
|---|---|---|
| Suspicious activity alert | "Unusual login detected" | Fake login page steals credentials |
| Account locked | "Verify your identity" | Collects SSN, account numbers |
| Security update required | "Update your information" | Steals banking credentials |
Defense: call the bank using the number printed on the back of your card.
Tech Support Scams
| Pattern | How It Works |
|---|---|
| Popup warning | "Your computer is infected! Call now!" |
| Cold call | "We detected viruses on your computer" |
| Fake Windows alert | Screen freeze with "support" number |
| Remote access request | "Let us fix your computer" |
Defense: Microsoft and Apple do not call you out of the blue about your computer. Hang up.
Government Impersonation
| Pattern | What It Says | Reality |
|---|---|---|
| IRS threat | "Pay now or be arrested" | IRS doesn't threaten via phone/email |
| Social Security suspension | "Your SSN is suspended" | SSN cannot be "suspended" |
| Jury duty warrant | "Pay fine to avoid arrest" | Courts don't demand payment by phone |
Defense: government agencies send physical mail first and never demand same-day payment in gift cards or crypto.
Romance and Relationship Scams
| Warning Sign | What's Happening |
|---|---|
| Met online, never video calls | Using fake photos |
| Quick emotional attachment | Building trust to exploit |
| Financial hardship story | Setup for asking for money |
| Can't meet in person | "Deployed," "overseas," "working abroad" |
| Requests money or gift cards | The actual scam |
Defense: never send money to someone you haven't met in person. Run a reverse image search on their photos.
AI-Enhanced Phishing
Generative AI made phishing meaningfully harder to spot. The old advice (look for bad grammar, watch for generic greetings) no longer holds:
| AI Capability | Impact on Phishing |
|---|---|
| Better grammar | Fewer spelling/grammar red flags |
| Personalization | Uses your real information from breaches |
| Voice cloning | Fake calls sounding like family members |
| Deepfake video | Fake video calls |
| Automated mass production | Many targeted attacks instead of one generic blast |
Defending Against AI Phishing
| Old Advice | New Advice |
|---|---|
| Look for bad grammar | Grammar may be perfect |
| Verify voice is real | Establish family code words |
| Trust video calls | Video can be faked |
| Trust caller ID | Easily spoofed |
| Generic emails are suspicious | Targeted emails are also suspicious |
The Verification Process
When something arrives unexpectedly and asks you to act, run this sequence:
Step 1: Stop
| Don't | Do |
|---|---|
| Click immediately | Pause and think |
| Call number in message | Find official number independently |
| Reply to sender | Verify through other channels |
| Open attachments | Ask yourself if you expected this |
Step 2: Verify
| Verification Method | How to Do It |
|---|---|
| Direct website | Type URL manually in browser |
| Known phone number | Use number from official source |
| Separate email | Contact through known good address |
| In person | Ask face-to-face if possible |
Step 3: Report
| To Report | Where |
|---|---|
| Phishing emails | Forward to reportphishing@apwg.org |
| Suspected scam calls | FTC at reportfraud.ftc.gov |
| IRS impersonation | Treasury at phishing@irs.gov |
| Smishing | Forward to 7726 (SPAM) |
| Work-related phishing | Your IT security team |
Business Email Compromise (BEC)
The FBI tracks BEC as one of the most expensive single categories of cybercrime, costing billions per year. Criminals impersonate executives or vendors and reroute payments:
| Attack Pattern | How It Works |
|---|---|
| CEO fraud | Fake email from CEO requests wire transfer |
| Invoice manipulation | Attacker modifies vendor invoice with new bank details |
| Account takeover | Compromised email sends real-looking requests |
| Attorney impersonation | Fake lawyer requests confidential payment |
BEC Red Flags
| Warning Sign | Example |
|---|---|
| Unusual payment request | "Wire money to this new account" |
| Urgency and secrecy | "Don't tell anyone, handle this privately" |
| Changed payment details | "Use these new banking instructions" |
| Slight email differences | john.smith@company.com vs john.srnith@company.com |
Defense: any change to payment details gets verified by phone, on a known number, every time.
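The payment-detail defense above, modelled as a small change-control workflow. This is an added example for this guide, not code from the original page or any accounts-payable product; vendor names, account identifiers and phone numbers are constructed. The one rule it encodes is that a bank-detail change requested by email stays pending until a callback is recorded to the number held in the vendor master record, and that a number quoted in the request itself never qualifies, because whoever wrote the request answers that phone.

```python
"""Vendor bank-detail change control for the BEC defense above.

Added example for this guide, not code from the original page or any product.
All vendor data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vendor:
    name: str
    bank_account: str
    phone_on_file: str  # captured at onboarding, independent of any later email


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    channel: str                       # how the request arrived, e.g. "email"
    contact_in_request: Optional[str]  # phone number the request asks you to use
    status: str = "pending"


class VendorMaster:
    """Holds vendor records; payment details change only through verify_callback."""

    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}
        self.log = []  # every request, applied or not, stays on record

    def request_change(self, vendor, new_account, channel, contact_in_request=None):
        """Record a requested change. Nothing is applied here, whatever the channel."""
        if vendor not in self.vendors:
            raise KeyError(vendor)
        req = ChangeRequest(vendor, new_account, channel, contact_in_request)
        self.log.append(req)
        return req

    def verify_callback(self, req, number_called, vendor_confirmed):
        """Apply the change only if the callback used the number on file and was confirmed.

        A rejected request cannot be retried; a fresh request (and a fresh
        callback) is required, so one wrong call cannot be 'fixed up' later.
        """
        if req.status != "pending":
            return False
        vendor = self.vendors[req.vendor]
        if number_called != vendor.phone_on_file:
            req.status = "rejected: callback did not use the number on file"
            return False
        if not vendor_confirmed:
            req.status = "rejected: vendor did not confirm"
            return False
        vendor.bank_account = req.new_account
        req.status = "applied"
        return True

    def account_for(self, vendor):
        return self.vendors[vendor].bank_account


if __name__ == "__main__":
    vm = VendorMaster([Vendor("Acme Supplies", "ACCT-ORIGINAL-001", "+1-555-0100")])
    req = vm.request_change("Acme Supplies", "ACCT-NEW-999", "email",
                            contact_in_request="+1-555-0199")
    # Calling the number printed in the email proves nothing, even if 'the vendor' confirms.
    print(vm.verify_callback(req, req.contact_in_request, vendor_confirmed=True), "|", req.status)
    print("pays to:", vm.account_for("Acme Supplies"))
```

The interesting property is what the code refuses to do: `request_change` has no path to `bank_account`, and `verify_callback` compares the dialled number against the record, not against anything in the request, so a convincing email plus a convincing voice on the line still changes nothing.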
Protecting Yourself from Phishing
Technical Defenses
| Defense | How It Helps |
|---|---|
| Email filtering | Blocks known phishing |
| Browser protection | Warns about suspicious sites |
| 2FA on all accounts | Limits damage if credentials stolen |
| Password manager | Won't auto-fill on fake sites |
| Updated software | Blocks known exploits |
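Why the "Password manager" row holds: the manager never reads the page the way a person does, it compares the site's host against the one the login was saved on. This is an added example for this guide, not code from the original page or any password manager. It binds each saved login to a host and offers it only when the page host is that host or a subdomain of it, over HTTPS. Real managers match on the registrable domain using the public-suffix list; the simpler suffix rule here is an assumption, as are the sample credentials.

```python
"""Origin-bound autofill, the reason a password manager stays quiet on a fake site.

Added example for this guide, not code from the original page or any product.
Matching on the saved host plus its subdomains is a simplification.
"""
from urllib.parse import urlsplit


class Vault:
    def __init__(self):
        self._logins = {}  # saved host -> (username, password)

    def save(self, site_url: str, username: str, password: str) -> None:
        """Store a login bound to the host of the page it was entered on."""
        host = (urlsplit(site_url).hostname or "").lower()
        self._logins[host] = (username, password)

    def autofill(self, page_url: str):
        """Credentials for this page, or None.

        The comparison is plain string equality: a zero for an 'o', an extra
        label on the left, or a non-Latin letter that looks Latin all fail it,
        however convincing the page looks to a person.
        """
        parts = urlsplit(page_url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            return None  # never fill over plain HTTP
        for saved, creds in self._logins.items():
            if host == saved or host.endswith("." + saved):
                return creds
        return None


if __name__ == "__main__":
    vault = Vault()
    vault.save("https://amazon.com/ap/signin", "alice", "correct horse")  # constructed
    for url in ["https://www.amazon.com/ap/signin", "https://amazon.com.verify.xyz/login",
                "https://amaz0n.com/login", "https://amazon-secure.com/login",
                "https://\u0430mazon.com/login",  # leading Cyrillic 'а', looks identical
                "http://amazon.com/login"]:
        print(f"{url:42} -> {vault.autofill(url)}")
```

This is also why the advice "never click the email link for a sensitive site" and "use a password manager" reinforce each other: if the manager offers nothing on a login page where it normally would, that silence is the signal to stop and type the address yourself.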
Behavioral Defenses
| Practice | Why It Works |
|---|---|
| Never click email links for sensitive sites | Go directly to site instead |
| Verify unexpected requests | Call using known number |
| Check sender carefully | Catch spoofed addresses |
| Distrust urgency | Scammers want you to act fast |
| Keep personal info private | Less info for targeted attacks |
When You Think You've Been Phished
| If You | Do This |
|---|---|
| Clicked a suspicious link | Run antimalware scan |
| Entered credentials | Change password immediately, enable 2FA |
| Gave financial info | Contact bank, freeze accounts |
| Installed software | Disconnect from internet, professional help |
| Sent money | Contact bank immediately, file police report |
Phishing Simulations and Training
Recognizing Real vs. Test
If your employer runs phishing tests:
| Purpose | Benefit |
|---|---|
| Identify vulnerable users | Get additional training |
| Measure security awareness | Track improvement |
| Reinforce good habits | Practice skepticism |
| Test security controls | Verify protections work |
Training Your Family
| For | Teach |
|---|---|
| Children | Never give information to strangers online |
| Teens | Verify unexpected messages, even from friends |
| Parents/elderly | Scammers impersonate family, call to verify |
| Everyone | Establish family code word for emergencies |
Family Code Word
Establish a secret word for verifying real emergencies:
| Situation | Use |
|---|---|
| Call claiming family emergency | Ask for code word |
| Message asking for money | Verify with code word |
| Video call seems off | Request code word |
Make it memorable, secret, and not guessable from anyone's social media.
Evolving Phishing Tactics
QR Code Phishing (Quishing)
| Attack | How It Works |
|---|---|
| Fake parking meters | QR code leads to payment theft site |
| Restaurant menus | Malicious code mixed with legitimate |
| Package deliveries | QR "for tracking" leads to phishing |
| Email attachments | QR image bypasses link scanning |
Defense: treat QR codes like links. Phone cameras usually preview the URL before opening. Read it.
Calendar Invite Phishing
| Attack | How It Works |
|---|---|
| Spam meeting invites | Links in invite lead to phishing sites |
| Auto-accept exploitation | Invite appears on your calendar automatically |
| Fake event reminders | "Click to join meeting" link is malicious |
Defense: do not click links inside unexpected calendar invites. Delete the invite.
Key Takeaways
- Phishing targets people, not software. Technical skill alone won't save you.
- Verify on a separate channel. Phone, in person, known address.
- Never use the link in the email for a sensitive account. Type the URL yourself.
- Urgency is the first red flag. Scammers want you to skip thinking.
- Read the sender address. Display names are easy to fake.
- AI removed the obvious tells. Grammar and personalization no longer save you.
- Pick a family code word. Use it for any emergency money request.
- 2FA limits the blast radius. Even with the password, the attacker gets stopped.
- Report what you see. Forward phishing to reportphishing@apwg.org or 7726.
- When in doubt, wait five minutes. Most attacks rely on you not doing that.
Next Steps
Continue to 05-malware.md for the other side of the attack: what happens once a phishing link, dodgy download, or unpatched program lands code on your device.