The following are fictional but realistic examples based on common phishing patterns. Read each story and consider what the individual should have done differently.
Sarah received an email that appeared to come from the company's CEO, Marcus. The email explained that the company was in final negotiations on a sensitive acquisition and required an immediate wire transfer of $47,000 to a third-party account. The CEO stressed that this was strictly confidential and should not be discussed with colleagues.
Trusting the apparent sender and feeling pressure from the perceived authority, Sarah initiated the transfer. It was only when she mentioned it to a colleague the next morning that she discovered the CEO had sent no such request. The sender's address read m4rcus.ceo@companynamе.com — a look-alike of the real company address, not the real one.
Lesson: Always verify wire transfer or payment requests through a second channel — call the requester directly using a known phone number, never one provided in the email. Urgency and demands for secrecy are the clearest red flags in Business Email Compromise attacks.
James received a message from what appeared to be his organization's external IT support vendor. The email included his full name, job title, and a reference to a recent system upgrade — all readily available on the company's public website. It asked him to log in to a "new admin portal" to revalidate his credentials before midnight or face losing access to key systems.
James clicked the link and entered his username and password. The page looked identical to the real portal. Within hours, the attackers used his credentials to move laterally across the network and exfiltrate client project data.
Lesson: Never log in through a link in an email, regardless of how credible the message appears. Navigate directly to portals by typing the known URL into your browser. Information publicly available on LinkedIn and company websites can and will be weaponized against you.
Priya was expecting a report from an industry contact. An email arrived with the subject line "Q3 Industry Report — For Your Review" and a .xlsx attachment. The sender's name looked familiar, though the email address was slightly different from the one she had on file. Assuming it was a new address, she opened the file.
The spreadsheet opened briefly before closing. In fact, it had executed a macro that installed ransomware on her machine. Within hours, her files — and those of several connected colleagues — were encrypted and held for ransom.
Lesson: Do not open attachments from unexpected emails, even when the sender's name looks familiar — their account may have been compromised. Always verify the full email address, and never enable macros on Office documents unless you have explicitly requested them from IT.
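The "verify the full email address" check that the first and third lessons call for can be automated at the mail gateway or in a user-facing tool. The following is an added example, not part of the original training material: it flags From: addresses whose domain contains non-ASCII look-alike characters (the kind of substitution the address in Sarah's story relies on) or that sits within a couple of edits of the organisation's real domain. The trusted domain, the short confusables table and the sample addresses are constructed for this example.

```python
import unicodedata
from email.utils import parseaddr

# Domains the organisation actually sends from (constructed for this example).
TRUSTED_DOMAINS = {"companyname.com"}

# Partial table of Cyrillic/Greek letters that render like Latin ones, plus
# digit-for-letter swaps. A real deployment should use the full Unicode
# confusables data; this short table is only an illustration.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u03bf": "o",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
})

def skeleton(label: str) -> str:
    """Fold a domain into the Latin string a human would read it as."""
    return unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typo-squats like cmpanyname.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> list[str]:
    """Return the reasons a From: address deserves out-of-band verification.
    An empty list means the domain is one of ours, spelled exactly."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return []
    reasons = []
    # Name every non-ASCII code point so the reviewer sees exactly what was swapped.
    foreign = sorted({unicodedata.name(c, "U+%04X" % ord(c)) for c in domain if ord(c) > 127})
    if foreign:
        reasons.append("non-ASCII characters in domain: " + ", ".join(foreign))
    folded = skeleton(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if folded == trusted:
            reasons.append(f"reads like trusted domain {trusted} after folding look-alikes")
        elif edit_distance(folded, trusted) <= 2:
            reasons.append(f"within two edits of trusted domain {trusted}")
    if not reasons:
        reasons.append("external domain, not in the trusted list")
    return reasons
```

A non-empty result is a prompt to verify through a second channel, not proof of fraud; legitimate external senders will also land in the last bucket.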
David received a text message from "USPS" informing him that a package had been held due to an outstanding delivery fee of $1.99. The link took him to a convincing USPS-branded page that requested his name, address, and card details to release the shipment. The fee seemed trivial, and David entered his payment details without hesitation.
He soon discovered that his card details had been used to make several large unauthorized purchases. The page had been a clone site. USPS never requests payment or card details through SMS links.
Lesson: Be cautious of any SMS requesting payment from a delivery carrier, bank, or government agency. Navigate directly to the carrier's official website to check package status. Legitimate organizations — including USPS, FedEx, and UPS — will never request your card details through a text message link.