Phishing
Spot a phishing email before you click.
What Is Phishing?
Phishing is the single most common cyberattack vector, responsible for over 80% of reported security incidents according to multiple industry reports. In this interactive 3D simulation, you receive a suspicious email that closely mirrors real-world phishing campaigns targeting corporate employees. Your job is to analyze the message, identify red flags, and decide how to respond before damage is done.
The scenario walks you through the anatomy of a phishing email in real time. You will examine sender addresses for subtle misspellings, hover over links to reveal mismatched URLs pointing to credential harvesting pages, and evaluate the emotional pressure tactics attackers rely on to bypass your critical thinking. The email uses urgency, authority cues, and familiar branding to make the message feel legitimate.
Beyond identification, this exercise trains you in proper response protocols. You will practice forwarding suspicious messages to your security team through official reporting channels, learn why clicking 'unsubscribe' on a phishing email confirms your address to the attacker, and understand how stolen credentials escalate into full account takeovers and lateral movement across your organization's network. Every decision you make in the simulation triggers realistic consequences that show the downstream impact of one wrong click.
What You'll Learn in Phishing
- Identify mismatched URLs, spoofed sender addresses, and domain impersonation in email headers
- Recognize emotional manipulation tactics including fabricated urgency, authority impersonation, and fear-based language
- Report suspicious emails through your organization's designated security channels without interacting with malicious content
- Explain how a single compromised credential leads to account takeover, lateral movement, and data exfiltration
- Distinguish between legitimate business communications and socially engineered phishing attempts using a repeatable verification checklist
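The sender and link checks from the first objective above can be run mechanically over a message. The Python below is an added example, not part of the original training material: it assumes `securetech.com` (the portal domain shown on this page) is the trusted domain and that the message has a single-part HTML body; the `.example` domains, the sample email and the names `Links`, `sender_kind` and `checklist` are constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "securetech.com"  # domain of the reporting portal named on this page

class Links(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.pairs, self.cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self.cur:
            self.cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self.cur:
            self.pairs.append((self.cur[0], self.cur[1].strip()))
            self.cur = None

def sender_kind(host):  # naive brand label, no public-suffix list (assumption)
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "trusted"
    brand = host.split(".")[-2] if "." in host else host
    close = SequenceMatcher(None, brand, TRUSTED.split(".")[0]).ratio() >= 0.8
    return "lookalike" if close else "external"

def checklist(raw):
    msg, out = message_from_string(raw), []
    sender = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    kind = sender_kind(sender)
    if kind != "trusted":
        out.append(f"{kind} sender domain: {sender}")
    links = Links()
    links.feed(msg.get_payload())
    for href, text in links.pairs:
        host = (urlparse(href).hostname or "").lower()
        # Only compare when the visible text itself is written as a URL
        shown = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if shown and shown != host:
            out.append(f"link text shows {shown} but goes to {host}")
    return out

SAMPLE = (  # constructed email, modelled on the one Alice receives
    "From: IT Department <it-support@secure-tech.example>\n"
    "Subject: Urgent: Update Your Security Question\n\n"
    '<a href="https://securetech-login.example/portal">https://securetech.com/portal</a>\n'
)
```

A From address on exactly the trusted domain passes `sender_kind` but can still be forged, so this check complements rather than replaces reporting the message to the security team.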
Phishing — Training Steps
- Introduction: Today, you will learn about phishing attacks and how to protect yourself and the company from them.
- Email Notification: While working from home, Alice receives a new email notification titled 'Urgent: Update Your Security Question'. Intrigued, she opens her mail inbox.
- Reading the Email: Alice opens the email, which urges her to update her security questions via the employee portal. The email's professional tone and sense of urgency might compel her to act swiftly. Alice, trusting the source, decides to follow the email's instructions.
- Enter Credentials: The login page requests Alice's company username and password to proceed with updating her security questions. The page's resemblance to the legitimate employee portal makes it easy for her to assume it is safe, so Alice enters her credentials without a second thought.
- Error Message: After 'logging in', the web browser displays an error window instead of Alice's account dashboard, which leaves Alice worried.
- Email Notifications: Soon, Alice receives two new emails and proceeds to read them.
- Bob's Malicious Actions: Unbeknownst to Alice, Bob gains access to her credentials. Using her account, he performs malicious actions: he accesses the company's financial system and initiates a fraudulent transaction, transferring $10,000 to a fake vendor, 'Shadow Corp.' Additionally, he downloads sensitive files, including vendor contracts and payment details, from Alice's account.
- Report Phishing Email: To mitigate the damage, Alice decides to follow the steps proposed by the IT Department's email. First, she uses her mailing client to report the malicious email.
- Login to Web Portal: Alice opens her web browser and navigates to the company's internal security incident reporting portal: https://securetech.com/report-incident
- Reporting the Incident: After successfully entering the internal IT support ticketing system, Alice fills out a ticket form, detailing the suspicious email and unauthorized transaction.