Foundations of Security Week6 Seminar: Phishing


Phishing#

Objective#

Understanding and Defending Against Social Engineering Attacks.

What is Phishing?#

Phishing is a social engineering attack that uses deceptive emails, messages, or websites to trick victims into revealing sensitive information such as passwords, credit card numbers, or personal data, or into opening malware.
Key Characteristics
Exploits human psychology rather than technical vulnerabilities
Impersonates trusted entities (banks, companies, colleagues)
Creates false urgency to bypass critical thinking
The Human Factor
A widely quoted figure, given here without a source: 95% of successful cyberattacks involve human error rather than purely technical failures.

The Psychology Behind Phishing#

How attackers exploit human cognitive biases and emotions

The six levers below are Cialdini's principles of influence, as attackers apply them.
Authority
People follow perceived leaders. Attackers impersonate banks, government officials, or executives to bypass skepticism.
Example: "This is your bank's security department..."
Urgency (Cialdini's scarcity)
Time pressure forces quick decisions without critical thinking, creating fear of missing out or of negative consequences.
Example: "Your account will be suspended in 24 hours!"
Reciprocity
People feel obligated to return favors. Attackers offer something valuable to create a sense of indebtedness.
Example: "You've won a prize! Click here to claim..."
Consistency (commitment)
People want to remain consistent with previous actions. Small initial commitments lead to larger ones.
Example: "Confirm your email to continue..."
Social Proof
People follow what others do. Attackers claim peers have already complied to normalize the action.
Example: "90% of employees have already verified..."
Liking
People say yes to those they like. Attackers build rapport through friendly language and compliments.
Example: "Hi friend! I thought you'd love this offer..."

Red Flags: How to Identify Phishing Emails#

Generic Greetings
Mass phishing often opens with "Dear Customer" or "Hello User" because the sender has nothing but an address list. A greeting that uses your name is not proof of legitimacy, though: spear phishing is personalized.
Requests for Personal Info
Legitimate organizations do not ask for passwords, SSNs, card numbers or one-time codes via email. A message that does is phishing, however genuine it looks.
Suspicious Sender Address
Check the actual address, not just the display name: misspelled or lookalike domains (microsoⱳt.com), public webmail services, a brand name wrapped in extra words (bankofchina-secure.com), or subtle character substitutions such as rn for m or a Unicode homoglyph for an ASCII letter.
Suspicious Links & Attachments
Hover over links (long-press on mobile) to see the real destination; the visible text of a link can say anything. Judge the registered domain, not whether the brand name appears somewhere in the URL. Unexpected attachments, especially archives, Office documents with macros, or files with two extensions, may carry malware or ransomware.
Urgency & Threats
Phishing creates false time pressure: "Account will be suspended!" or "Immediate action required!"
Spelling & Grammar Errors
Multiple errors suggest the message never passed through a legitimate organization's editorial process. The reverse does not hold: well-written messages, increasingly produced with AI tools, can still be phishing, so clean prose is not evidence of legitimacy.
Remember: When in doubt, don't click! Contact the organization directly through a channel you already know, not one given in the message.
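The sender-address and link checks above can be turned into heuristics. The following Python script is an added example, not part of the seminar material: it parses a constructed email modelled on the bank-alert pattern used later in this seminar and reports the red flags it finds (lookalike or non-ASCII sender domain, link text that shows one host while the href points to another, plain-http links, urgency wording, generic greeting). The trusted-domain list, the urgency word list, the regex-based anchor extraction and the last-two-labels "registered domain" rule (instead of a Public Suffix List lookup) are simplifying assumptions for illustration.

```python
"""Heuristic phishing red-flag scanner for a raw email (added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed brand domains the organization treats as legitimate senders.
TRUSTED_DOMAINS = sorted({"bankofchina.com", "amazon.com", "microsoft.com", "linkedin.com"})
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "action required")
GENERIC_GREETINGS = ("dear customer", "dear valued customer", "dear user", "hello user")
# Anchor regex is adequate for this illustration; production code should use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?")  # link text that looks like a URL


def levenshtein(a, b):
    """Edit distance, to catch typosquats such as microsot.com for microsoft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Simplification: the last two labels. Production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_flags(host):
    """Reasons a domain looks like an impersonation of a trusted brand (empty if trusted)."""
    flags = []
    reg = registered_domain(host) if host else ""
    if not host or reg in TRUSTED_DOMAINS:
        return flags
    if any(ord(ch) > 127 for ch in host):
        flags.append(f"non-ASCII characters in domain {host!r} (possible homoglyph)")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in reg:  # brand wrapped in extra words, e.g. bankofchina-secure.com
            flags.append(f"domain {reg!r} embeds the brand {brand!r} but is not {trusted!r}")
            break
        if levenshtein(reg, trusted) <= 2:  # one or two characters changed
            flags.append(f"domain {reg!r} is within 2 edits of {trusted!r}")
            break
    return flags


def analyze(raw_message):
    """Return human-readable red flags found in an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain if msg["From"] else ""
    flags = [f"sender: {f}" for f in domain_flags(sender_domain)]
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, visible in ANCHOR.findall(text):
        visible = re.sub(r"<[^>]+>", "", visible).strip()
        target = urlparse(href)
        host = target.hostname or ""
        flags += [f"link: {f}" for f in domain_flags(host)]
        if target.scheme == "http":
            flags.append(f"link: {href} uses plain http")
        if URL_LIKE.fullmatch(visible):  # the text shows one host while the href goes elsewhere
            shown = urlparse(visible if "://" in visible else "//" + visible).hostname or ""
            if registered_domain(shown) != registered_domain(host):
                flags.append(f"link: text shows {shown!r} but points to {host!r}")
    lowered = f"{msg['Subject'] or ''} {text}".lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        flags.append(f"urgency language: {', '.join(hits)}")
    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.append("generic greeting instead of the recipient's name")
    return flags


# Constructed sample modelled on the bank-alert pattern in this seminar; not a real message.
PHISH = """\
From: Bank of China Security <security@bankofchina-secure.com>
Subject: URGENT: Your Account Will Be Suspended
Content-Type: text/html; charset="utf-8"

<p>Dear Valued Customer,</p>
<p>We detected unusual activity. Your account will be suspended within 24 hours
if you don't verify your information immediately.</p>
<p><a href="http://bankofchina-secure-verify.com/verify">https://www.bankofchina.com/verify</a></p>
"""

# Constructed benign sample: trusted sender, personal greeting, no links, no urgency.
BENIGN = """\
From: LinkedIn <invitations@linkedin.com>
Subject: Sarah Johnson wants to connect on LinkedIn
Content-Type: text/plain; charset="utf-8"

Hi Alex, I'd like to add you to my professional network on LinkedIn.
"""

if __name__ == "__main__":
    for flag in analyze(PHISH):
        print("FLAG:", flag)
    print("benign flags:", analyze(BENIGN))
```

Heuristics like these are a triage aid, not a verdict: a well-crafted spear-phishing message from a freshly registered domain with TLS, a personal greeting and calm wording will score zero, which is exactly why the human checks above and the organizational controls below are still needed.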

Types of Phishing Attacks#

Email Phishing (most common)
Mass-distributed deceptive emails impersonating legitimate organizations to steal credentials.
Spear Phishing (high risk)
Highly targeted attacks on specific individuals using personalized information gathered from social media and other public sources.
Whaling (executive target)
Spear phishing aimed at C-suite executives and senior management for maximum financial gain.
Smishing (mobile threat)
SMS-based phishing that delivers malicious links via text messages, where the sender is easy to spoof and links cannot be hovered before tapping.
Vishing (voice scam)
Voice-call phishing in which attackers impersonate banks, tech support, or government agencies; caller ID is spoofable and proves nothing about who is calling.
Quishing (emerging threat)
QR-code phishing: a malicious code, in a printed flyer or an email image, redirects to a fake login page or malware. Because the victim scans it with a personal phone, email link scanners and corporate web filters never see the URL.
BEC (financial focus)
Business Email Compromise: impersonating executives or suppliers to trigger fraudulent wire transfers or changes to payment details. BEC messages often contain no link or attachment at all, so technical scanners find nothing malicious; the defense is out-of-band verification of payment requests.
Deepfake Phishing (AI-powered)
AI-generated audio or video impersonating trusted figures to manipulate victims, for example a cloned executive voice on a call requesting a payment.

Prevention & Defense Strategies#

Individual Actions
Don't Click Suspicious Links
Hover (or long-press) to verify the real URL before clicking; when unsure, type the organization's address yourself.
Verify Sender Identity
Contact organizations through official channels you already know, never through contact details supplied in the message.
Use Strong, Unique Passwords
A password manager also resists phishing: it will not autofill credentials on a lookalike domain, and a stolen password cannot be reused elsewhere.
Enable Multi-Factor Authentication (MFA)
Adds a critical second layer of protection. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys), because one-time codes and push approvals can be relayed in real time by proxy phishing kits.
Keep Software Updated
Patch vulnerabilities promptly so a malicious attachment or page has less to exploit.
Report Suspicious Emails
Report to the IT or security team, not only to management; early reports let defenders block the campaign for everyone.
Organizational Measures
Security Awareness Training
Regular education on evolving threats
Email Authentication Protocols
Publish SPF and DKIM for your domains and a DMARC record with an enforcing policy (p=quarantine or p=reject), and validate them on inbound mail, so exact-domain spoofing of your brand is rejected.
Phishing Simulations
Test and improve employee readiness
Incident Response Plans
Prepare for rapid threat containment, including credential resets and session revocation when a user reports entering a password.
Zero-Trust Architecture
Verify every access request, so that a stolen password alone is not enough.
AI-Powered Email Security
Advanced threat detection systems
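The "Email Authentication Protocols" item above refers to SPF, DKIM and DMARC. The following Python is an added example, not part of the seminar material: it implements the DMARC decision from RFC 7489 in simplified form. A message passes DMARC only if SPF or DKIM passes and the authenticated domain aligns with the domain the recipient sees in the From header; otherwise the published policy (p=) decides the disposition. The organizational-domain rule (last two labels instead of a Public Suffix List lookup), the omission of pct= sampling, and all DMARC records and authentication results below are constructed for illustration.

```python
"""Simplified DMARC evaluation (RFC 7489 identifier alignment), added example."""
from dataclasses import dataclass


@dataclass
class AuthResult:
    """SPF and DKIM outcomes for one message, as a receiving mail server would record them."""
    header_from: str   # domain of the RFC 5322 From header (what the recipient sees)
    spf_pass: bool
    spf_domain: str    # RFC 5321 MailFrom (envelope) domain that SPF evaluated
    dkim_pass: bool
    dkim_domain: str   # d= tag of a DKIM signature that verified, or ""


def parse_dmarc_record(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC 7489 defaults applied."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain):
    """Simplification: the last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(authenticated, header_from, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if not authenticated:
        return False
    a, h = authenticated.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    return organizational_domain(a) == organizational_domain(h)


def evaluate_dmarc(record, result):
    """Return (dmarc_result, disposition); disposition is 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc_record(record)
    spf_aligned = result.spf_pass and aligned(result.spf_domain, result.header_from, tags["aspf"])
    dkim_aligned = result.dkim_pass and aligned(result.dkim_domain, result.header_from, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["p"]   # pct= sampling is ignored here for brevity


# Constructed scenarios; none of this is real DNS data.
BANK_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"

# 1. Exact-domain spoof: the attacker's server passes SPF for its own envelope
#    domain, but the From header claims bankofchina.com. Alignment fails -> reject.
SPOOF = AuthResult("bankofchina.com", True, "attacker.example", False, "")

# 2. Legitimate bulk mail from a provider: the envelope domain is a subdomain of
#    the From domain, which relaxed alignment accepts -> pass.
BULK_RECORD = "v=DMARC1; p=quarantine"
LEGIT_BULK = AuthResult("example.com", True, "bounce.example.com", False, "")

# 3. Lookalike domain: the attacker owns bankofchina-secure.com and publishes valid
#    SPF and DKIM for it. DMARC passes, because DMARC protects the exact domain,
#    not the brand. Lookalike detection and user vigilance remain necessary.
LOOKALIKE_RECORD = "v=DMARC1; p=none"
LOOKALIKE = AuthResult("bankofchina-secure.com", True, "bankofchina-secure.com",
                       True, "bankofchina-secure.com")

if __name__ == "__main__":
    print("spoof    :", evaluate_dmarc(BANK_RECORD, SPOOF))
    print("bulk     :", evaluate_dmarc(BULK_RECORD, LEGIT_BULK))
    print("lookalike:", evaluate_dmarc(LOOKALIKE_RECORD, LOOKALIKE))
```

Two points the third scenario makes concrete: a DMARC "pass" only means the mail really came from the domain in the From header, and a p=none record (monitoring mode) never blocks anything, which is why the list above asks for an enforcing policy.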

Spot the Phish!#

Analyze each scenario and decide whether it is phishing or legitimate, and why.

Scenario 1: Bank Security Alert
From: security@bankofchina-secure.com
Subject: URGENT: Your Account Will Be Suspended
Dear Valued Customer,
We detected unusual activity on your account. Your account will be suspended within 24 hours if you don't verify your information immediately.
Click here to verify: http://bankofchina-secure-verify.com
Bank of China Security Team
Question: Is this a phishing attempt? What red flags do you see?
Scenario 2: LinkedIn Connection
From: invitations@linkedin.com
Subject: Sarah Johnson wants to connect on LinkedIn
Hi Alex,
I'd like to add you to my professional network on LinkedIn.
- Sarah Johnson
Marketing Director at TechCorp
View invitation | Ignore
Question: Could this be phishing? What would you check?
Scenario 3: Shipping Notification
From: noreply@amazon-delivery.net
Subject: Package Delivery Failed - Action Required
Hello,
We attempted to deliver your package but no one was available. Please reschedule delivery within 48 hours or your package will be returned.
Reschedule Now
Amazon Logistics Team
Question: What indicators suggest this might be phishing?
Scenario 4: IT Support Request
From: itsupport@university.edu
Subject: Password Expiration Notice
Dear Student,
Your university password will expire in 7 days. Please log in to the university portal to update your password.
If you have any issues, contact the IT Help Desk at (555) 123-4567 or visit the Tech Center in Building C.
University IT Services
Question: Is this legitimate? What features confirm or deny it?

What Would You Do?#

Scenario-based decision making for real-world situations

Scenario 1: The Failed Delivery
You receive a text message: "UPS: Your package delivery failed. Click here to reschedule: bit.ly/2xKp9mL"
A. Click the link to reschedule delivery
B. Check the UPS website directly by typing the URL
C. Reply to the text asking for more information
D. Call the number in the text message
Scenario 2: The CEO Request
Your "CEO" emails you: "I'm in a meeting and need you to process an urgent wire transfer immediately. Don't call me - just execute. Details attached."
A. Process the transfer immediately as requested
B. Open the attachment to review transfer details
C. Verify through a separate channel (call/text)
D. Forward to the finance team for processing
Scenario 3: The Tech Support Popup
A popup appears: "⚠️ CRITICAL ALERT: Your computer is infected with 12 viruses! Call Microsoft Support immediately: 1-800-555-0199"
A. Call the number immediately for help
B. Close the popup and run an antivirus scan
C. Download the suggested removal tool
D. Restart the computer and check if it persists
Scenario 4: The Accidental Click
You accidentally clicked a suspicious link in an email. The page loaded but you didn't enter any information. What should you do?
A. Close the browser and forget about it
B. Report to the IT security team immediately
C. Clear browser history and cookies
D. Run a full system antivirus scan

Key Takeaways#

Stay vigilant. Stay secure.

Phishing Exploits Psychology
Attackers target human emotions and cognitive biases, not just technology. Understanding these tactics is your first defense.
Verify Everything
Always verify sender identity through official channels. Don't trust email addresses or phone numbers provided in suspicious messages.
Urgency is a Red Flag
Legitimate organizations don't create false time pressure. Take time to verify before acting on urgent requests.
Never Share Credentials
No legitimate organization will ask for passwords, SSNs, or credit card numbers via email, text, or phone.
Report Suspicious Activity
When in doubt, report phishing attempts to your IT security team. Early reporting prevents wider attacks.
Continuous Learning
Phishing tactics evolve constantly. Stay informed through security awareness training and simulations.
"Think Before You Click"
You are the first line of defense against phishing attacks.

Source: https://firefly.anka2.top/posts/obu/level5/semester2/fos/week6/seminar/
Author: 🐦‍🔥不死鸟Anka
Published: 2026-04-20
License: CC BY-NC-SA 4.0