Spotting Phishing and Social Engineering
Recognize phishing emails, fake websites, and social engineering attacks before you become a victim. Learn the red flags and defense habits.
The Human Vulnerability
You can have the strongest passwords in the world. Two-factor authentication on every account. The latest security software. And still get compromised, because an attacker convinced you to hand over your credentials willingly.
By the end of this lesson, you will recognize phishing attacks, social engineering tactics, and online scams before they succeed.
Quick Recall: In the previous lesson, we set up a password manager and two-factor authentication. These protect against automated attacks. Phishing targets something no technology can fully protect: human psychology.
How Phishing Works
Phishing is deception. An attacker pretends to be someone you trust (your bank, a coworker, a delivery service) and tricks you into taking a dangerous action: clicking a link, downloading a file, or entering your password on a fake website.
The anatomy of a phishing attack:
- The bait: An email, text, or message that appears legitimate
- The hook: Urgency, fear, or curiosity that makes you act quickly
- The trap: A fake website, malicious attachment, or information request
- The catch: Your credentials, personal data, or device access
Why it works: Phishing exploits emotion, not technical vulnerability. When you are worried about your account being locked or a package not arriving, you click first and think later.
Recognizing Phishing Emails
Red flags in phishing emails:
| Red Flag | What to Check | Example |
|---|---|---|
| Sender address mismatch | The display name says “Amazon” but the email is from random@mail-service.com | “Amazon Support support@amaz0n-security.net” |
| Urgency language | “Act immediately” or “Your account will be closed” | “URGENT: Verify your identity within 24 hours” |
| Generic greeting | “Dear Customer” instead of your actual name | “Dear Valued Member” |
| Suspicious links | Hover over links to see the actual URL before clicking | Link text says “amazon.com” but URL goes to “am4zon-verify.com” |
| Unexpected attachments | Files you did not request, especially .exe, .zip, or macro-enabled docs | “Invoice_12345.exe” |
| Poor grammar and formatting | Obvious errors from a major company are a red flag; flawless text proves nothing | “Your account have been temporary suspended” |
| Request for sensitive info | Legitimate companies never ask for passwords via email | “Please reply with your password to verify” |
Quick Check: Name three red flags in a phishing email. What should you do if you spot even one of them?
Spotting Fake Websites
Phishing links lead to websites that look identical to the real thing. Here is how to tell the difference:
Check the URL carefully:
- Real: https://www.amazon.com/login
- Fake: https://www.amaz0n-login.com/verify (the digit 0 stands in for the letter o)
- Fake: https://amazon.com.suspicious-site.com/login (the real domain is suspicious-site.com)
The subdomain trick: In amazon.com.evil-site.com, the domain the attacker actually registered is evil-site.com. Everything to the left of it (amazon.com) is a subdomain the attacker can name however they like. To find the real domain, take the hostname (everything between https:// and the next single slash) and read its last two labels, or three for suffixes such as co.uk.
Security indicators:
- Look for HTTPS (the lock icon), but remember it only means the connection to that domain is encrypted; it says nothing about who owns the domain, and phishing sites use HTTPS too
- Check the full domain name letter by letter
- If in doubt, close the tab and navigate to the site directly
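The sender-address and link checks from the red-flag table above, together with the subdomain rule, as an added Python example (this is not the course's code). It assumes a short stand-in for the Public Suffix List and a small set of digit-for-letter swaps (`amaz0n`, `am4zon`); the sample headers and links are constructed to mirror the lesson's own examples. It also handles one case the lesson does not list: a URL such as `https://www.amazon.com@evil-site.com/`, where the browser treats everything before the `@` as a username and connects to evil-site.com.

```python
"""Added example (not the course's code): programmatic versions of two
red-flag checks from this lesson, sender-address mismatch and link/URL
mismatch, built on one helper that finds the domain an attacker would
have had to register. Sample headers and links below are constructed."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# examples here. A real checker should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Common digit-for-letter swaps used in lookalike domains (heuristic, not exhaustive).
LOOKALIKE_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def registrable_domain(host: str) -> str:
    """The domain someone had to register: the last two labels of the host
    (or three for suffixes such as co.uk). Labels to the left are free to choose."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def url_domain(url: str) -> str:
    """Registrable domain of a URL. urlsplit().hostname drops the scheme,
    port, path and any user@ prefix, so https://amazon.com@evil.com/ is
    reported as evil.com, not amazon.com."""
    if "://" not in url:          # bare "amazon.com" as it might appear in link text
        url = "http://" + url
    return registrable_domain(urlsplit(url).hostname or "")


def looks_like(domain_label: str, brand: str) -> bool:
    """Heuristic: the registered label is, or contains, the brand name once
    digit-for-letter swaps are undone (amaz0n-security -> amazon-security)."""
    return brand in domain_label.translate(LOOKALIKE_SWAPS)


def sender_flags(from_header: str, expected: str) -> list:
    """Red flags for a From: header, given the domain the brand really uses."""
    display_name, addr = parseaddr(from_header)
    domain = registrable_domain(addr.rpartition("@")[2])
    brand = expected.split(".")[0]
    flags = []
    if domain != expected:
        flags.append(f"address domain {domain} is not {expected}")
        if looks_like(domain.split(".")[0], brand):
            flags.append(f"{domain} is a lookalike of {expected}")
        if brand in display_name.lower():
            flags.append(f"display name '{display_name}' impersonates {expected}")
    return flags


def link_flags(link_text: str, href: str, expected: str) -> list:
    """Red flags for a link: where it really goes versus what its text claims."""
    target = url_domain(href)
    brand = expected.split(".")[0]
    flags = []
    if target != expected:
        flags.append(f"link goes to {target}, not {expected}")
        if looks_like(target.split(".")[0], brand):
            flags.append(f"{target} is a lookalike of {expected}")
        if expected in link_text.lower():
            flags.append(f"link text '{link_text}' claims {expected}")
    if not href.lower().startswith("https://"):
        # HTTPS alone proves nothing, but its absence on a login link is telling
        flags.append("link is not HTTPS")
    return flags


if __name__ == "__main__":
    # Constructed samples mirroring the table and URL list in the lesson
    print(sender_flags("Amazon Support <support@amaz0n-security.net>", "amazon.com"))
    print(link_flags("amazon.com", "https://amazon.com.suspicious-site.com/login", "amazon.com"))
    print(link_flags("Sign in", "https://www.amazon.com/login", "amazon.com"))
```

These heuristics flag, they do not decide: a hit is a reason to apply the verification habit described later in this lesson, not proof of fraud, and an empty result is not proof of safety (mail sent from a compromised real account passes every check here).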
Social Engineering Beyond Email
Phishing is one type of social engineering. Others include:
Vishing (voice phishing): Scammers call pretending to be your bank, the IRS, or tech support. They create urgency: “Your account has been compromised. We need to verify your identity.”
Defense: Hang up. Call the company directly using the number on their official website or your bank card.
Smishing (SMS phishing): Text messages with malicious links: “Your package could not be delivered. Click to reschedule: [suspicious link]”
Defense: Never click links in unexpected text messages. Go to the delivery service’s app or website directly.
Pretexting: Someone creates a fabricated scenario to get information. “Hi, I’m from IT. We need your password to fix a network issue.”
Defense: No legitimate IT department asks for your password. Ever.
Quick Check: What is the difference between phishing, vishing, and smishing? What defense applies to all three?
The Verification Habit
Build one habit that stops nearly all social engineering attacks:
Never act on information you received. Always act on information you seek.
If you get an email saying your bank account has a problem, do not click the link. Open your browser, type your bank’s URL, and log in directly. If there is a real problem, you will see it.
If someone calls claiming to be from your credit card company, hang up and call the number on the back of your card.
If a text says your package is delayed, open the delivery app directly.
This one habit, verifying through independent channels, neutralizes almost every social engineering attack.
AI-Powered Scam Evolution
Modern phishing is getting harder to spot because AI generates more convincing messages:
AI-generated phishing signs:
- Perfect grammar (old phishing had typos; AI phishing does not)
- Personalized content (AI can use data breaches to reference your real information)
- Conversational tone that matches the real company
Your defense does not change: The verification habit works regardless of how convincing the message is. If it asks you to click, log in, or provide information, verify independently.
The Phishing Response Procedure
When you receive a suspicious message:
- Stop. Do not click anything.
- Check the sender. Is the email address legitimate?
- Evaluate the request. Is it asking for sensitive information or immediate action?
- Verify independently. Go directly to the company’s website or call them.
- Report. Forward phishing emails to your email provider’s phishing address and the company being impersonated.
- Delete. Remove the message after reporting.
Try It Yourself
Practice your phishing detection skills:
- Open your email inbox right now
- Find 3-5 emails from companies (shipping notifications, account updates, promotions)
- For each one, check: sender address, links (hover, do not click), urgency level, greeting
- Can you identify any that could be phishing attempts?
- Go to Google’s Phishing Quiz (search “Google phishing quiz”) for interactive practice
Key Takeaways
- Phishing exploits urgency and fear to make you act before thinking; slow down whenever an email demands immediate action
- Check the sender address, hover over links, and look for generic greetings to spot phishing attempts
- Build the verification habit: never act on information received; always verify independently through official channels
- Social engineering attacks come through email, phone, text, and even in person; the same defense applies to all
- AI is making phishing messages more convincing, but the verification habit remains effective regardless
Up Next
In Lesson 4: Securing Your Devices, we will protect the hardware you use every day: phones, laptops, and tablets.