You receive an email that appears to come from your bank's official address, saying 'Your account will be suspended in 24 hours — click here immediately to verify your identity.' What is the best first response?
A. Click the link immediately — it came from the bank's official email address, so it must be legitimate
B. Reply to the email asking for more details before deciding
C. Do not click; hover over the link to inspect the actual destination URL, then call the bank directly using a number from their official website — not one in the email
D. Ignore it entirely — banks never send urgent emails
This message uses two classic phishing tactics: a spoofed sender identity and urgency ('24 hours'). Display names and even sender addresses can be faked. The correct defense is to not click any links, inspect the actual URL by hovering, and verify through a separate trusted channel (calling the bank's official number). Option A is the trap the attackers designed; option D is too dismissive since some urgent bank communications are legitimate.
Question 2 Multiple Choice
A professional receives an email that correctly references their employer, their current project, and their manager's name, then urgently asks them to wire money. Why is this more dangerous than a generic phishing email?
A. It isn't — generic phishing is more dangerous because it reaches millions of people at once
B. Because it uses personal information to seem credible, making the psychological pressure to comply much harder to resist and the red flags much harder to spot
C. Because it arrived by email rather than text, which is a more trusted channel
D. Because it mentions money, which triggers security filters
This is a spear-phishing attack — targeted at a specific individual using harvested personal data. The personal details defeat the 'I'd recognize a scam' confidence, because the email seems to come from someone who already knows you. The urgency further suppresses skepticism. This is why 'I'm too smart to fall for phishing' is a dangerous belief — the most convincing attacks are designed to fool exactly that person.
Question 3 True / False
Phishing emails are easy to spot because they typically contain obvious spelling errors and come from clearly suspicious email addresses.
T. True
F. False
Answer: False
This describes generic, mass-sent phishing — but sophisticated attacks, especially spear-phishing targeted at specific individuals, may have flawless grammar, no spelling errors, and spoofed sender addresses that look identical to legitimate ones. Relying on spelling errors as your filter will cause you to miss the most dangerous attacks.
Question 4 True / False
The urgency tactics in phishing messages — such as 'your account will be locked in 24 hours' — are deliberately designed to suppress your skepticism and push you into acting without careful thought.
T. True
F. False
Answer: True
Urgency is the most powerful psychological lever in social engineering. When people feel rushed or threatened, they bypass careful evaluation and focus on taking the prescribed action. Phishers engineer this state intentionally. Recognizing urgency as a manipulation tactic — and treating it as a reason to slow down rather than speed up — is one of the most important defensive habits.
Question 5 Short Answer
Why does phishing work on intelligent, tech-savvy people, not just those who are new to technology? What does this tell you about the right defense strategy?
Model answer: Phishing exploits human psychology — trust, urgency, fear — not technical ignorance. Even experts can be rushed or deceived by a well-crafted, personalized message that looks exactly like a communication they would normally receive. The right defense is behavioral, not just technical: slow down when you feel pressured, verify through a separate trusted channel (call the institution directly using a number you find independently), and remember that any legitimate organization will wait for you to verify before taking action.
The common assumption that 'smart people don't fall for scams' is exactly the confidence phishers count on. Spear-phishing attacks are designed with research — they reference real people, real projects, real relationships. No amount of general intelligence fully protects against a message specifically crafted to seem legitimate to you. The defense must be habitual and procedural, not IQ-dependent.