Inbox Simulation: Catch the Phish
Welcome to the 2026 Inbox
In 2026, phishing has evolved. Traditional red flags like broken grammar and typos are gone, replaced by Generative AI. This lesson puts you in a simulated inbox to practice spotting modern, sophisticated threats.
Welcome to the frontline of 2026 cybersecurity. In this unit, we move beyond theory and into a simulated inbox environment. Modern phishing is no longer about 'Nigerian Princes' or broken English; it is driven by Generative AI, making every message look and feel authentic. You will analyze three high-risk scenarios that represent the most common threats hitting corporate inboxes today.
- AI-driven phishing is grammatically perfect.
- Traditional 'typo hunting' is an outdated defense.
- Social engineering targets your urgency and respect for authority.
Scenario 1: The 'Urgent' CEO Request
You've received an urgent message from the CEO. Before you click anything, investigate the sender's details.
Imagine you receive an email from your CEO. The tone is perfectly professional, and the signature matches exactly. It asks you to urgently review a confidential document for a board meeting in 15 minutes. This exploits your desire to be helpful and your respect for authority. Look closely at the sender. Hover over the name to reveal the truth. Aha! While the name says 'Jane Doe,' the email address is jane.doe@company-inc.com. Your actual company domain is simply @company.com. AI can write a flawless body, but the attacker cannot own your corporate domain, so they register a lookalike and hope you never read past the display name.
- Check the domain (@company.com vs @company-inc.com).
- High urgency is a psychological lure.
- Always hover over display names to see the true email address.
Scenario 2: The Security QR Code
IT Support is warning you about a password expiration. They've provided a QR Code for a 'quick' fix. Is this safe?
You receive an email from 'IT Support' stating your password will expire in 2 hours. To avoid a lockout, you are asked to scan a QR Code with your mobile phone to 'verify your identity.' This is Quishing. Attackers use QR codes because they often bypass traditional email security scanners that only check text and links. Once you scan it, you are taken to a fake login page outside the company's protected network.
- Quishing (QR Phishing) bypasses text-based email filters.
- QR codes take you outside the protected corporate network.
- IT will rarely use QR codes for credential verification.
Scenario 3: The Malicious Calendar Invite
An unexpected calendar invite for a 'Benefits Review' has appeared. Examine the .ics attachment before accepting.
An invite appears in your calendar for a 'Quarterly Benefits Review.' It includes an .ics attachment. You didn't expect this meeting, but it looks official. Malicious .ics files can be used to trigger automatic downloads or redirect your browser to a credential-harvesting site the moment you click 'Accept.' Always check whether the organizer is an internal employee. If an external address is organizing an internal topic, do not accept the invite.
- Malicious .ics files can trigger browser redirects.
- Check the organizer's email, not just their name.
- Unsolicited internal invites from external addresses are high-risk.
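As an added example that is not part of the lesson, the Python helper below applies the same rule Scenarios 1 and 3 describe: ignore the display name and classify the real address against the corporate domain. It assumes company.com is the real domain from Scenario 1; the From header and the .ics body are constructed samples.

```python
# Added example (not the lesson's own code): apply the "check the real address, not the
# display name" rule from Scenarios 1 and 3. Assumes the true domain is company.com.
from email.utils import parseaddr

CORPORATE_DOMAIN = "company.com"  # assumed real corporate domain (Scenario 1)

def classify_sender(header_value, corporate_domain=CORPORATE_DOMAIN):
    """Return (verdict, address) for a From: or ORGANIZER value; the display name is ignored."""
    _display, addr = parseaddr(header_value)
    if "@" not in addr:
        return "invalid", addr
    domain = addr.rsplit("@", 1)[1].lower()
    # An attacker cannot own company.com or its subdomains, so those are internal.
    if domain == corporate_domain or domain.endswith("." + corporate_domain):
        return "internal", addr
    # Domains that merely contain the corporate label (company-inc.com,
    # company.com.example.net) are lookalikes built to survive a quick glance.
    if corporate_domain.split(".")[0] in domain:
        return "lookalike", addr
    return "external", addr

def ics_organizer(ics_text):
    """Extract (display name, address) from the ORGANIZER line of an .ics body, or None."""
    unfolded = ics_text.replace("\r\n ", "").replace("\n ", "")  # undo RFC 5545 line folding
    for line in unfolded.splitlines():
        if line.upper().startswith("ORGANIZER"):
            params, _, value = line.partition(":")  # params may carry CN=<display name>
            cn = ""
            for param in params.split(";")[1:]:
                key, _, val = param.partition("=")
                if key.upper() == "CN":
                    cn = val.strip('"')
            addr = value[7:] if value.lower().startswith("mailto:") else value
            return cn, addr
    return None

# Constructed samples mirroring Scenario 1 (CEO lookalike) and Scenario 3 (invite).
CEO_FROM = "Jane Doe <jane.doe@company-inc.com>"
INVITE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Quarterly Benefits Review\r\n"
    "ORGANIZER;CN=HR Benefits:mailto:benefits@company-inc.com\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print(classify_sender(CEO_FROM))  # ('lookalike', 'jane.doe@company-inc.com')
    name, addr = ics_organizer(INVITE_ICS)
    print(name, classify_sender(addr))  # HR Benefits ('lookalike', 'benefits@company-inc.com')
```

The practice email from hr-benefits@gmail.com classifies as external, which is the cue to stop, verify out of band, and report.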
The 3-Step Protocol
If an email feels 'off,' follow this workflow immediately to protect yourself and the entire organization.
If an email feels 'off,' follow this three-step workflow. First, STOP. Do not click, scan, or download. High urgency is almost always a sign of a scam. Second, VERIFY Out-of-Band. If the CEO asks for something unusual, send them a quick message on Slack or Teams. Never use contact details from the email itself. Finally, REPORT. Use the 'Report Phishing' button. This alerts the Security Team to block the threat for everyone.
- Stop: Do not interact with links or attachments.
- Verify: Use an 'out-of-band' channel (Chat/Phone).
- Report: Use the official phishing button.
Practice: Handle the Threat
You've spotted a suspicious email from 'HR' about a bonus. It looks perfect, but the sender is hr-benefits@gmail.com. What is your next move?
You see a suspicious email. Read the prompt and describe your 3-step plan to handle this situation.
- Apply the 3-step protocol.
- Identify why the email is suspicious.
- Demonstrate reporting knowledge.