Phishing IQ Quiz

Red Flags:

• Lookalike domain (acme-financials vs acme-finance)
• Urgency + secrecy combined — the two BEC invariants
• CEO directing a wire via email only, no prior conversation

Any wire request by email only — especially with urgency and secrecy — is the BEC playbook. Call the sender on a known number. Never use the phone number in the suspicious email.

Red Flags:

• microsoft-alert365.com is not microsoft.com — typosquatted domain
• Artificial urgency: "24 hours"
• No personalization (no name, no account reference number)

Hover over any link before clicking. The domain should be microsoft.com — anything else is a lookalike. Microsoft never emails you to "verify" from a third-party domain.

Red Flags:

• Display name says DocuSign but domain is legaldocuments-esign.net
• Legitimate DocuSign uses @docusign.com or @docusign.net
• Unexpected document — you're not expecting any contract

Check the actual From domain, not the display name. Legitimate DocuSign emails come from @docusign.com or @docusign.net. Always log into DocuSign.com directly to see pending documents.

Red Flags:

• You didn't initiate any login — any push you didn't request is an attack
• MFA fatigue: flooding notifications to get you to approve in frustration
• Vishing paired with MFA fatigue is the Scattered Spider signature tactic

Never approve an MFA push you didn't initiate. Hang up on any caller asking you to approve a notification. Report the push flood to IT immediately — someone has your password.

Red Flags:

• Legitimate UPS uses ups.com, not ups-delivery-confirm.com
• SMS link pressure — "or it will be returned"
• Tracking numbers in phishing SMS are usually fake or stolen

Go directly to ups.com and enter the tracking number there. Never click SMS links for package tracking — always go to the carrier's official site directly.

Red Flags:

• You didn't open a ticket — legitimate IT doesn't cold-call for diagnostics
• Request for remote access to your machine = potential RAT installation
• Internal extension numbers can be spoofed trivially

Hang up. Call IT helpdesk back on the number from the internal directory (not the number that called you). Legitimate IT never cold-calls asking you to download remote tools.

Red Flags:

• You don't have a Norton subscription
• Refund bait — creates urgency to call
• The phone number leads to a call center that will try to get remote access to "process the refund"

This is callback phishing — no malicious link, just a phone number. The call center will ask for remote access to "process the refund." Never call back unrecognized charges. Check your actual billing statements.

Red Flags:

• QR codes bypass email URL scanning — most security tools don't inspect them
• Work credentials have no role in a parking survey
• Physical delivery bypasses email filters entirely

QR codes in unexpected physical materials are a growing attack vector. Never enter work credentials on a site reached via an unverified QR code. Inspect the URL after scanning before entering any information.

Red Flags:

• Personal Gmail for a sensitive document request — no company email
• W-2s contain SSN + full financial data — prime identity theft material
• Urgency framing: mortgage application deadline

Never send W-2s or payroll data to personal email addresses. Always verify the employee via internal HR systems and call the employee at their known work number before releasing any sensitive documents.

Red Flags:

• .net vs .com — domain substitution
• Banking detail change in an email attachment
• Timed to coincide with normal invoice cycle

Any banking detail change request via email — even from a known vendor — requires a verification call to their known phone number. Never update vendor banking details based on email alone.

Red Flags:

• calendIy-app.com uses capital I to mimic lowercase l — classic homoglyph attack
• Legitimate Calendly uses calendly.com
• Meeting link domain doesn't match Calendly

Homoglyph attacks replace look-alike characters (capital I for lowercase l). Hover over links and inspect the full URL before clicking. Legitimate Calendly uses calendly.com, not any variation.

Red Flags:

• External Teams user claiming to be IT Support — internal IT wouldn't be external
• Shortened URL (bit.ly) hides destination — legitimate sharing uses SharePoint or OneDrive
• IT Support reaching you via external Teams message is a social engineering tell

Internal IT would never contact you from an external Teams account. Never click shortened URLs from unexpected external sources. Report external Teams messages claiming to be IT to your real IT team.

Red Flags:

• Deepfake voice cloning is now accessible to threat actors for under $100
• CFO unable to take calls + wire request = BEC pattern even via voice
• No prior discussion of an acquisition through normal channels

AI voice cloning can replicate any voice from 3 seconds of audio (LinkedIn videos, YouTube, podcasts). Establish a codeword protocol for large wire requests. Always call back on a known number for any payment instruction received via voicemail.

Red Flags:

• OAuth consent for a third-party app you've never heard of
• Permissions far exceed what a document share requires
• Google Docs sharing doesn't require installing a third-party app

OAuth consent grant attacks give attackers persistent access to your accounts without your password. Never grant third-party apps excessive permissions. Legitimate Google Doc sharing doesn't require app installation.

This email has no red flags — it's a genuine IT notification from your company's own domain. Not every email is a threat, which is why situational awareness matters.

This email is legitimate. It comes from your company's own domain, requires no action, provides no links to click, and directs you to your known internal helpdesk URL. No red flags.