Business Email Compromise Training: Preventing Million-Dollar Wire Fraud

$50 billion. That is the FBI’s running total of reported and attempted business email compromise (BEC) losses since it began tracking the category in 2013. The average hit is around $125,000, though some organizations lose millions in a single attack.

Here’s what makes BEC particularly frustrating to defend against: there’s no malware to scan, no suspicious attachment to sandbox, no sketchy link for your email gateway to flag. These attacks work by impersonating someone the target trusts, asking for something that sounds reasonable, and relying on normal business processes to deliver the money.

Technical controls catch some of them. Your employees have to catch the rest.

BEC attackers study organizations before striking. They learn:

  • Who authorizes payments
  • Who processes wire transfers
  • Vendor relationships and payment patterns
  • Executive communication styles
  • Organizational hierarchies

Armed with this intelligence, they craft emails that appear completely legitimate.

1. CEO Fraud

Attacker impersonates the CEO or another executive to request urgent wire transfers.

“Hi Sarah, I’m closing a confidential acquisition and need you to wire $47,000 to this account today. Time-sensitive, so don’t mention this to anyone until the deal is announced.”

The request comes from what appears to be the CEO’s email (either spoofed or from a compromised account). It creates urgency, invokes authority, and discourages verification through the confidentiality request.

2. Invoice Manipulation

Attacker compromises or impersonates a vendor to change payment details.

“Please update our banking information for future invoices. Our previous account is being migrated.”

The email arrives when a legitimate payment is expected. Everything looks correct except the account and routing numbers.

3. Account Compromise

Attacker compromises an employee’s email account and uses it to request payments from contacts.

Because emails come from the actual compromised account with full conversation history, recipients have no reason to suspect fraud.

4. Attorney Impersonation

Attacker poses as legal counsel during sensitive transactions: M&A deals, litigation settlements, real estate closings.

The legal context creates urgency and confidentiality that discourage normal verification.

5. Data Theft

Attacker requests W-2s, employee records, or other sensitive data rather than direct payment.

“HR, I need all employee W-2s for a tax compliance audit. Please send by end of day.”

This variant enables identity theft and tax fraud against employees.

BEC attacks are engineered to bypass security tools:

Why It Evades Detection | Explanation
--- | ---
No malicious links | Nothing for URL scanners to catch
No attachments | Nothing for sandboxes to analyze
Legitimate sender reputation | Uses real or lookalike domains
Normal email content | Text matches typical business communication
Often from real accounts | Compromised legitimate email accounts

Email security catches obvious fraud. BEC attacks aren’t obvious. They’re crafted to appear completely normal.

Employees can’t stop what they don’t recognize. Training must cover:

Request characteristics:

  • Unusual urgency (“must be done today”)
  • Confidentiality demands (“keep this between us”)
  • Authority pressure (“the CEO needs this”)
  • Process bypass requests (“skip normal approval this once”)
  • Changed payment details (“use this new account”)

Context indicators:

  • First-time requests from executives
  • Requests outside normal business hours
  • Unusual vendors or payment amounts
  • Timing aligned with executive travel or unavailability
  • Email threads that don’t match previous conversation history
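
To make the two lists above concrete, here is an added example (not from the original post) of how a mail-flow rule or a help-desk triage script could score a message against them. The corporate domain, the executive directory, the phrase patterns and the weights are illustrative assumptions, and the two messages are constructed, not real traffic.

```python
"""Score a message for the BEC request and context indicators listed above.

Added example (not part of the original post). The corporate domains, the
executive directory, the phrase patterns and the rule weights are assumptions
chosen for illustration; tune them to your own organisation and mail flow.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

CORPORATE_DOMAINS = {"companycorp.com"}                 # assumption: domains we send from
EXECUTIVES = {"jane doe": "jane.doe@companycorp.com"}   # assumption: display name -> real address
HEADER_WEIGHT = 2   # a header anomaly is stronger evidence than wording alone

# Request characteristics from the training list, as case-insensitive patterns.
CONTENT_RULES = {
    "urgency": r"\b(today|asap|immediately|time[- ]sensitive|end of day|right away)\b",
    "confidentiality": r"\b(confidential|don'?t (mention|tell)|between us)\b",
    "authority": r"\b(ceo|cfo|president|board) (needs|wants|asked)\b",
    "process_bypass": r"\b(skip|bypass) (the )?(normal |usual )?(approval|process|verification)\b",
    "payment_change": r"\b(new (bank )?account|bank(ing)? (details|information)|wire|routing number)\b",
}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate the text/plain parts so the rules see what the reader sees."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def content_indicators(text):
    lowered = text.lower()
    return [name for name, pattern in CONTENT_RULES.items() if re.search(pattern, lowered)]


def header_indicators(msg):
    """Context indicators: who the sender claims to be, where replies go, and when it was sent."""
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:                      # executive's name on a non-executive address
        found.append("display_name_impersonation")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):   # replies diverted elsewhere
        found.append("reply_to_mismatch")
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() >= 5 or not 7 <= sent.hour < 19:  # weekend or outside 07:00-19:00 in the header's zone
            found.append("off_hours")
    return found


def score_message(raw):
    msg = message_from_string(raw)
    headers = header_indicators(msg)
    content = content_indicators(_body_text(msg))
    return {"indicators": headers + content,
            "score": HEADER_WEIGHT * len(headers) + len(content)}


# Constructed sample messages (not real traffic).
ATTACK = """\
From: Jane Doe <jane.doe@companycorp-mail.com>
Reply-To: Jane Doe <jd.ceo.office@gmail.com>
To: sarah@companycorp.com
Date: Sat, 04 Jan 2025 22:13:00 +0000
Subject: Quick favor

Hi Sarah, I'm closing a confidential acquisition and need you to wire $47,000
to this account today. Time-sensitive, so don't mention this to anyone until
the deal is announced.
"""

BENIGN = """\
From: Jane Doe <jane.doe@companycorp.com>
To: sarah@companycorp.com
Date: Tue, 07 Jan 2025 10:05:00 +0000
Subject: Q3 deck

Hi Sarah, the revised Q3 slide deck is on the shared drive for Thursday's review.
"""

if __name__ == "__main__":
    for label, raw in (("attack", ATTACK), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The header checks carry more weight than the wording checks on purpose: urgency and confidentiality appear in plenty of legitimate mail, but an executive’s display name on an outside address with replies routed to a webmail account is rarely benign. A score like this belongs in triage, not in an automatic block: its job is to tell the recipient which verification procedure to run.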

Training must include clear verification requirements:

For wire transfers:

  • Verbal confirmation through known phone numbers (not numbers in the email)
  • Dual authorization for transfers above threshold
  • Cooling-off period for unexpected requests
  • Standard process that cannot be bypassed by claimed urgency

For payment detail changes:

  • Independent verification with vendor through established contacts
  • Comparison against historical payment records
  • Review of any recent correspondence for signs of compromise

For sensitive data requests:

  • Verification of requestor identity through separate channel
  • Manager approval regardless of apparent sender
  • Confirmation that request matches legitimate business need

BEC training requires simulation exercises that test whether procedures are actually followed.

Effective simulations:

  • Mimic real attack patterns employees might face
  • Create time pressure without being unfair
  • Test whether employees verify before acting
  • Provide immediate education when procedures aren’t followed

What to measure:

  • Percentage who attempt verification before acting
  • Time between request and verification attempt
  • Proper use of established verification procedures
  • Willingness to question requests from apparent authority

Finance and accounts payable staff are the highest-risk group for direct financial loss.

Training focus:

  • Wire transfer verification procedures (no exceptions)
  • Vendor payment change protocols
  • Recognition of urgency manipulation
  • Authority to delay suspicious requests

Executive assistants are often targeted as gatekeepers with broad access and trust.

Training focus:

  • Verifying executive identity on unusual requests
  • Recognizing when executive accounts may be compromised
  • Procedures when executives are traveling or unavailable
  • Protection of executive schedules and travel information

HR and payroll staff are the targets for W-2 fraud and payroll diversion.

Training focus:

  • Verification requirements for bulk data requests
  • Recognition of tax-season attack patterns
  • Direct deposit change verification
  • Sensitivity to “urgent compliance” pretexts

Real estate and legal professionals handle high-value transactions and are targeted around closings and settlements.

Training focus:

  • Wire instruction verification for closings
  • Recognition of last-minute change requests
  • Independent confirmation of attorney identity
  • Awareness of public transaction information attackers exploit

Training works best alongside process controls that create natural verification checkpoints.

Require two people to approve significant transactions. This creates a natural verification step. The second approver has no reason to feel urgency pressure from the original request.

Before processing wire transfers or payment changes, require phone verification using independently obtained contact information. Never use numbers provided in the request.

Establish minimum processing times for large or unusual transactions. A 24-hour hold on unexpected wire requests gives time for verification and reduces attacker leverage from manufactured urgency.

Any change to vendor payment information triggers independent verification through established contacts, not contacts provided in the change request.

Metric | Target
--- | ---
Verification rate on BEC simulations | >90%
Average time to verify | <30 minutes
Compliance with verification procedures | >95%

  • Reduction in successful social engineering attempts
  • Increase in suspicious request reports
  • Decrease in process bypass attempts
  • Employee confidence in verification procedures

Run quarterly BEC simulations targeting different attack scenarios:

  • CEO fraud wire requests
  • Vendor payment change requests
  • Sensitive data requests
  • Last-minute transaction modifications

Track whether employees follow verification procedures, not just whether they “pass” or “fail.”

When BEC attacks occur, rapid response can sometimes recover funds.

  1. Contact your bank immediately - request a recall or hold on the wire and ask them to alert the receiving bank; the odds of recovery fall sharply after the first day or two
  2. Preserve evidence - keep the original messages with full headers; don’t delete, forward-as-new, or modify anything
  3. Identify scope - determine what else may be compromised: mailbox forwarding and inbox rules, other accounts, vendor relationships, in-flight payments
  4. Report to FBI IC3 - file a complaint at ic3.gov; for international wires, the FBI’s Financial Fraud Kill Chain can help freeze funds if it is initiated within roughly 72 hours of the transfer
  • Analyze attack vector (spoofed domain, compromised account, etc.)
  • Review what information attackers had access to
  • Identify other potential targets in the organization
  • Assess whether accounts may still be compromised
  • Implement additional controls to prevent similar attacks
  • Update training based on lessons learned
  • Communicate (sanitized) incident to organization for awareness
  • Review and strengthen verification procedures

Case Study: Near-Miss at Manufacturing Firm

A CFO received an urgent email from what appeared to be the CEO during an overseas business trip:

“Need you to process a $180,000 wire transfer for equipment purchase. Confidential until we announce the expansion. Account details attached.”

The CFO prepared the transfer but called the CEO to confirm before submitting, using the CEO’s personal cell number, not a number from the email. The CEO knew nothing about it.

Investigation revealed:

  • Attackers had compromised a vendor’s email account
  • They had access to information about the CEO’s travel
  • The email came from a lookalike domain (ceo@company-corp.com instead of ceo@companycorp.com)
  • Request amount was deliberately below the CFO’s authorization threshold

What worked: Established callback verification procedure saved $180,000.

What needed improvement: Domain monitoring could have detected the lookalike registration. Travel information access needed review.
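
On the domain-monitoring point: here is an added example (not the firm’s tooling or the post’s own code) of the check a registration monitor or a mail-flow rule can apply to sender domains. It goes beyond the case study’s hyphen insertion and also catches digit and Cyrillic confusables, single-character edits and transpositions, extra tokens, and top-level-domain swaps. The protected-domain list and the confusables table are assumptions, and the registrable label is taken as the second-to-last label, so multi-part suffixes such as .co.uk would need the public suffix list.

```python
"""Flag registrable domains that look like a protected domain: hyphen insertion,
digit/letter confusables, Cyrillic homoglyphs, one-character edits or
transpositions, extra tokens, and TLD swaps.

Added example for the "domain monitoring" point in the case study; it is not the
post's own tooling. The protected-domain list and the confusables table are
assumptions, and the registrable label is taken as the second-to-last label
(no public suffix list), so multi-part suffixes such as .co.uk need extra handling.
"""
import unicodedata

PROTECTED = {"companycorp.com"}   # assumption: the domains you own or pay invoices to

# Visually confusable sequences; multi-character entries are folded first.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                    # Cyrillic c y x
}


def normalize_label(label):
    """Fold a domain label to the ASCII shape a reader would perceive."""
    if label.startswith("xn--"):                      # punycode-encoded IDN label
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch))  # drop accents
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label.replace("-", "").lower()


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(domain):
    """Return (is_lookalike, reason) for a sender domain."""
    dom = domain.lower().rstrip(".")
    if dom in PROTECTED or any(dom.endswith("." + p) for p in PROTECTED):
        return (False, "protected domain or subdomain")
    parts = dom.split(".")
    if len(parts) < 2:
        return (False, "not a registrable domain")
    label, tld = parts[-2], parts[-1]
    norm = normalize_label(label)
    for prot in PROTECTED:
        p_label, p_tld = prot.split(".")[-2], prot.split(".")[-1]
        if label == p_label and tld != p_tld:
            return (True, f"tld swap of {prot}")
        if norm == p_label:
            return (True, f"confusable spelling of {prot}")
        if p_label in norm:
            return (True, f"contains {p_label} with extra tokens")
        if osa_distance(norm, p_label) <= 1:
            return (True, f"one edit from {prot}")
    return (False, "no match")


def scan_senders(addresses):
    """Map each sender address to its verdict, for a batch of observed senders."""
    return {addr: classify(addr.rsplit("@", 1)[-1]) for addr in addresses}


if __name__ == "__main__":
    # Constructed sender addresses, including the case study's lookalike.
    for addr, verdict in scan_senders([
        "ceo@companycorp.com", "ceo@company-corp.com", "ap@cornpanycorp.com",
        "ceo@companycorp.co", "billing@companycorp-invoices.net", "info@example.org",
    ]).items():
        print(f"{addr:35} {verdict}")
```

Run the same function over newly registered domains from a zone-file or certificate-transparency feed and you have the monitoring the case study asked for; run it over inbound sender domains and you have a mail-flow warning banner. Keep the protected list to the domains you actually pay and are paid by, otherwise the edit-distance rule turns noisy.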

I’ve talked to dozens of CFOs and finance managers who stopped BEC attacks. Every single one of them describes the same thing: they almost didn’t make the verification call. The email looked right. The amount was reasonable. They were busy. Making a phone call to confirm felt like overkill.

They made the call anyway.

That’s what separates organizations that lose $125,000 from organizations that don’t. Not better email filters. Not smarter employees. Just a simple habit: when something involves money changing hands, you verify through a separate channel. Every time. No exceptions.

The attackers know you’re busy. They know that calling feels awkward. They’re counting on it.


Build verification reflexes that stop BEC attacks. Try our free security awareness exercises featuring realistic business email compromise scenarios.

KnowBe4 Alternatives: Security Awareness Platforms Compared (2026)

KnowBe4 dominates the security awareness training market. But market dominance doesn’t mean every organization is best served by the leader.

Whether you’re evaluating options for the first time, outgrowing your current solution, or finding KnowBe4’s approach doesn’t fit your needs, alternatives exist across every price point and feature set.

This comparison examines what different platforms offer, where they excel, and which organizational contexts they serve best.

Why Organizations Seek KnowBe4 Alternatives

Before comparing platforms, understand why buyers look beyond the obvious choice:

Pricing concerns: KnowBe4’s per-user licensing creates significant costs at scale. Organizations with thousands of users or tight budgets explore alternatives with different pricing models.

Content approach: KnowBe4’s content library is extensive but some organizations find the style doesn’t resonate with their workforce. Training effectiveness depends on engagement, and engagement depends on content fit.

Feature requirements: Some organizations need capabilities KnowBe4 doesn’t prioritize: advanced simulations, specific compliance frameworks, or particular LMS integrations.

Vendor diversity: Mature security programs avoid single-vendor dependency. Evaluating alternatives ensures competitive pricing and informed decisions.

User experience: Platform interfaces vary significantly. Organizations switching from one platform often cite usability as a primary driver.

RansomLeak: Interactive Simulation-First Training

Full disclosure: this is our platform. We’ll describe what we offer honestly, including what we do well and where we’re building.

Interactive 3D simulations: Rather than video content followed by quizzes, RansomLeak exercises place employees in realistic scenarios where they must identify threats, make decisions, and experience consequences in simulated environments.

Engagement-first design: Exercises use gamification, branching narratives, and immediate feedback to maintain attention and drive completion. Our completion rates consistently exceed industry benchmarks.

SCORM compatibility: Export any content as SCORM packages for integration with existing LMS platforms. One-click export, tested compatibility across major systems.

Flexible deployment: Use our cloud platform for full analytics and campaign management, or deploy SCORM packages through your existing infrastructure.

Best for:

  • Organizations prioritizing engagement and behavior change over checkbox compliance
  • Companies with existing LMS investments wanting SCORM-compatible content
  • Teams that have tried video-based training and found it ineffective
  • Organizations seeking interactive simulations without enterprise complexity

Current limitations:

  • Smaller content library than established market leaders (we’re growing)
  • Newer platform means less market validation (we’re proving ourselves)
  • Advanced enterprise features still in development

Competitive per-user pricing with volume discounts. Free trial available with no credit card required.

Explore RansomLeak exercises →

Proofpoint acquired Wombat Security and integrates awareness training with their email security platform.

Email security integration: Organizations using Proofpoint for email protection benefit from unified reporting and threat intelligence that informs training content.

Established content library: Years of development produced comprehensive training modules covering most security topics.

Enterprise scale: Proven deployment across large organizations with complex requirements.

Pricing: Enterprise-focused pricing may not suit smaller organizations.

Platform bundling: Highest value comes with full Proofpoint suite adoption, which may not align with your security architecture.

Content style: Traditional video-heavy approach may not maximize engagement for all audiences.

Best for:

  • Organizations already invested in Proofpoint email security
  • Enterprise buyers seeking integrated security platforms
  • Compliance-focused programs prioritizing completeness over engagement

Cofense focuses specifically on phishing simulation and response.

Phishing specialization: Deep focus on phishing simulation creates sophisticated testing capabilities.

Managed services: Options for fully-managed phishing programs reduce internal resource requirements.

Incident response integration: PhishMe’s origins created strong workflows for reporting and responding to real attacks.

Narrow focus: Less comprehensive general security awareness content compared to broader platforms.

Complexity: Advanced features create learning curves for program administrators.

Pricing model: Can become expensive for comprehensive programs.

Best for:

  • Organizations prioritizing phishing simulation over general awareness
  • Security teams wanting managed simulation services
  • Mature programs needing advanced simulation capabilities

Mimecast acquired Ataata to add awareness training to their email security platform.

Email security integration: Similar to Proofpoint, organizations using Mimecast for email benefit from integrated reporting.

Risk-based targeting: Training recommendations based on email security data and threat exposure.

Short-form content: Micro-learning approach suits organizations seeking minimal time commitment.

Platform dependency: Value proposition strongest within Mimecast ecosystem.

Acquisition integration: Ataata integration still maturing in some areas.

Limited customization: Less flexibility than some alternatives for custom content needs.

Best for:

  • Existing Mimecast email security customers
  • Organizations preferring micro-learning formats
  • Buyers seeking integrated email security and training

SANS brings their technical training reputation to security awareness.

Technical credibility: SANS brand recognition matters for technical audiences who value authoritative content.

Comprehensive content: Deep library covering topics beyond basic awareness.

Role-based training: Strong differentiation for technical vs. non-technical audiences.

Premium pricing: SANS quality commands premium pricing that may exceed budgets.

Technical orientation: Content may be more technical than general workforce needs.

Less modern UX: Platform interface reflects enterprise software more than modern SaaS.

Best for:

  • Organizations with technical workforces valuing SANS credibility
  • Buyers prioritizing content depth over engagement features
  • Companies with training budgets supporting premium solutions

Terranova focuses on human risk management with awareness training as a component.

Behavior-focused approach: Emphasis on behavior change beyond simple awareness metrics.

Multilingual content: Strong internationalization for global organizations.

Compliance alignment: Content mapped to specific regulatory requirements.

Complex positioning: Platform capabilities can be difficult to evaluate quickly.

Market presence: Lower visibility than market leaders may concern some buyers.

Best for:

  • Global organizations needing multilingual content
  • Compliance-driven programs requiring specific regulatory mapping
  • Buyers interested in behavior-focused approaches

Platform | Best For | Content Style | Phishing Sim | SCORM Export | Pricing
--- | --- | --- | --- | --- | ---
RansomLeak | Engagement-focused orgs | Interactive 3D | Yes | Yes | Competitive
KnowBe4 | Large enterprises | Video + Quiz | Yes | Limited | Per-user
Proofpoint | Email security customers | Video | Yes | Yes | Enterprise
Cofense | Phishing-focused | Varies | Advanced | Limited | Enterprise
Mimecast | Mimecast customers | Micro-learning | Yes | Limited | Bundled
SANS | Technical orgs | In-depth | Yes | Yes | Premium
Terranova | Global compliance | Behavior-focused | Yes | Yes | Mid-range

Before comparing platforms, clarify what matters most:

Must-haves:

  • What features are non-negotiable?
  • What integrations are required?
  • What compliance requirements must be met?
  • What budget constraints exist?

Nice-to-haves:

  • What features would improve the program?
  • What future needs should you plan for?
  • What would make administration easier?

Platform demos should address:

  • Admin experience for program management
  • User experience for employees
  • Reporting and analytics capabilities
  • Integration processes
  • Content library breadth and quality

Before committing, test with real users:

  • Deploy to a small group
  • Measure completion rates and engagement
  • Gather user feedback
  • Evaluate admin effort required
  • Confirm integration functionality

Consider costs beyond licensing:

  • Implementation and configuration effort
  • Ongoing administration time
  • Content customization needs
  • Training for program administrators
  • Integration maintenance

About content:

  • How frequently is content updated?
  • Can we preview the full library before purchase?
  • How do you handle content that doesn’t resonate with our users?
  • What customization options exist?

About phishing simulation:

  • How realistic are simulation templates?
  • Can we create custom simulations?
  • How do you handle simulations being caught by our mail security (allow-listing by sender IP, header, or domain), and how do you keep that allow-list from becoming a bypass that real attackers can imitate?
  • What reporting is available at individual, department, and organizational levels?

About integration:

  • Which LMS platforms have you tested with?
  • What’s the SCORM export process?
  • How do you integrate with our email system?
  • What SSO options are supported?

About support:

  • What’s included in base pricing vs. additional cost?
  • What’s typical response time for issues?
  • Is there a customer success resource assigned to our account?
  • How do you help us succeed, not just use the platform?

KnowBe4 remains the right choice if:

  • You’re satisfied with current results
  • Budget isn’t a primary constraint
  • Content style resonates with your workforce
  • You value market leadership and ecosystem size

Consider alternatives when:

  • Engagement and completion rates are disappointing
  • Pricing creates budget pressure at scale
  • Specific features are missing that you need
  • Your organization outgrew the initial solution

We’re the right fit if:

  • Interactive simulations matter more than content volume
  • SCORM compatibility is required
  • Engagement drives your training effectiveness
  • You want to experience quality training before committing

KnowBe4’s market position doesn’t make it universally optimal. The right security awareness platform depends on your organizational context, priorities, and constraints.

Define requirements clearly. Evaluate multiple options. Test before committing. The platform that creates behavior change for your workforce, regardless of market share, is the one worth choosing.


Experience interactive security training that prioritizes engagement. Try our free exercises. No sales pitch, just quality training you can evaluate on your own terms.

Email Security Training: Protecting Your Organization from Email-Based Threats

Email remains the primary attack vector. Despite decades of security investment, industry estimates consistently put the share of cyber attacks that begin with an email above 90%. Your employees receive these attacks daily, and a single click can be the start of an organization-wide compromise.

Email security training transforms employees from potential victims into active defenders. When your workforce recognizes phishing attempts, verifies suspicious requests, and reports threats quickly, email-based attacks fail regardless of their sophistication.

Technical email security has improved. Spam filters catch obvious threats. Secure email gateways block known malicious domains. AI-powered solutions detect anomalies. Yet attacks keep succeeding.

The reason is simple: attackers adapt faster than technology. When filters block one tactic, attackers develop another. When detection catches patterns, attackers change patterns. The arms race between attackers and technology never ends.

Trained employees provide a different kind of defense. They apply judgment, recognize context, and identify threats that evade technical controls. A well-crafted spear phishing email might bypass every filter, but an employee who knows to verify unexpected requests stops the attack anyway.

Attack Type | Average Cost | Frequency | Primary Target
--- | --- | --- | ---
Business Email Compromise | $125,000+ | Daily attempts | Finance, Executive
Ransomware (via email) | $1.85 million | Growing rapidly | All employees
Credential Theft | $4.5 million (breach) | Constant | IT, Administrative
Data Exfiltration | Varies widely | Regular attempts | Data handlers

These costs don’t include reputation damage, customer loss, or regulatory penalties. A single successful email attack often causes cascading harm far beyond the initial compromise.

Mass phishing casts a wide net, hoping some percentage of recipients click. These attacks mimic:

  • Account alerts (“Your password expires today”)
  • Shipping notifications (“Your package couldn’t be delivered”)
  • Financial warnings (“Unusual activity detected”)
  • IT requests (“Verify your credentials”)

While less sophisticated than targeted attacks, volume ensures some success. If 1% of 1,000 employees click, that is 10 clicks from a single campaign, and each one is a potential credential theft or malware infection unless a later control catches it.

Targeted phishing uses research to create convincing messages for specific individuals. Attackers study LinkedIn profiles, company announcements, and social media to craft relevant lures.

A spear phishing email might reference:

  • Recent company news or projects
  • Specific colleagues by name
  • Actual vendors or partners
  • Real business processes

This personalization dramatically increases success rates compared to mass phishing.

BEC attacks impersonate trusted parties to manipulate employees into taking harmful actions, typically involving money or data.

Common BEC scenarios:

  • CEO fraud: Attacker poses as executive requesting urgent wire transfer
  • Vendor impersonation: Fake invoice with changed payment details
  • Attorney impersonation: Pressure for immediate action on “confidential” matter
  • Data theft: Request for employee records or financial information

BEC attacks cost organizations billions annually and often bypass technical controls entirely because they contain no malware or malicious links.

These attacks aim to steal login credentials through:

  • Fake login pages mimicking real services
  • “Password reset” requests that capture current credentials
  • “Account verification” forms requesting sensitive data

Stolen credentials enable further attacks, from email account takeover to network compromise.

Email delivers malware through:

  • Malicious attachments (documents, archives, executables)
  • Links to drive-by download sites
  • Embedded content that exploits vulnerabilities

Once malware executes, attackers gain foothold for ransomware deployment, data theft, or persistent access.

Train employees to examine emails critically:

Sender verification

  • Check actual email address, not just display name
  • Verify domain spelling (paypa1.com vs paypal.com)
  • Question unexpected emails from known contacts

Content red flags

  • Urgency demanding immediate action
  • Threats of negative consequences
  • Requests for credentials or sensitive data
  • Generic greetings instead of personal address
  • Grammar and spelling errors (though sophisticated attacks avoid these)

Link safety

  • Hover to preview destination before clicking
  • Verify URLs match expected destinations
  • Watch for misleading link text
  • Never enter credentials after clicking email links

Attachment caution

  • Question unexpected attachments
  • Be wary of uncommon file types
  • Keep Protected View enabled for Office documents, and don’t click “Enable editing” or “Enable content” just to read an unexpected file
  • Report suspicious attachments before opening

Help employees understand (at a basic level) how email authentication works:

  • SPF, DKIM, DMARC: Technical standards that let a receiving server check that a message came from infrastructure the From-header domain authorized (SPF checks the sending server, DKIM checks a signature over the message, DMARC ties both to the visible From address and tells receivers what to do on failure)
  • Why impersonation still works: Authentication proves which domain sent the message, not whether that domain is one you trust. Lookalike domains set up their own SPF and DKIM and pass cleanly, compromised real accounts pass everything, and many domains still publish no DMARC policy or p=none, so outright spoofing is often only monitored rather than blocked
  • What employees should do: Verify through independent channels, not email alone
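
To show what the three bullets mean in practice, here is an added example, not part of the original post, that evaluates DMARC alignment the way a receiving server does, using only the SPF and DKIM verdicts already stamped in an Authentication-Results header. The DMARC records are constructed, the organizational domain is approximated as the last two labels (real receivers use the public suffix list), and no DNS lookups are made. An exact spoof of a domain publishing p=reject fails, while a lookalike domain with its own SPF and DKIM, and a compromised real mailbox, both pass.

```python
"""Evaluate DMARC alignment the way a receiving mail server does, to show why a
lookalike domain or a compromised account passes authentication while an exact
spoof of a domain publishing p=reject does not.

Added example, not the post's own material. The DMARC records are constructed,
and the organisational domain is approximated as the last two labels (real
receivers use the public suffix list). Only SPF/DKIM results already stamped in
an Authentication-Results header are considered; no DNS lookups are made.
"""
import re

# Constructed _dmarc TXT records, keyed by organisational domain.
DMARC_RECORDS = {
    "companycorp.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "company-corp.com": "v=DMARC1; p=none",     # the lookalike publishes its own record
}


def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_auth_results(header):
    """Pull the SPF and DKIM verdicts and the domains they vouch for."""
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[\w.+-]+@)?([\w.-]+)", header)
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", header)
    return {"spf": spf.groups() if spf else None, "dkim": dkim.groups() if dkim else None}


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, auth_results):
    """DMARC passes when SPF or DKIM passed AND the domain it vouched for aligns with From."""
    record = DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return {"dmarc": "none", "disposition": "deliver", "reason": "no DMARC record published"}
    tags = parse_dmarc(record)
    res = parse_auth_results(auth_results)
    spf_ok = bool(res["spf"]) and res["spf"][0] == "pass" and \
        aligned(res["spf"][1], from_domain, tags.get("aspf", "r"))
    dkim_ok = bool(res["dkim"]) and res["dkim"][0] == "pass" and \
        aligned(res["dkim"][1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "deliver",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM")}
    policy = tags.get("p", "none")
    return {"dmarc": "fail", "disposition": "deliver" if policy == "none" else policy,
            "reason": f"no aligned pass, policy p={policy}"}


# Constructed scenarios: (From-header domain, Authentication-Results header value).
SCENARIOS = {
    "exact spoof of companycorp.com": (
        "companycorp.com",
        "mx.receiver.example; spf=pass smtp.mailfrom=bounce@attacker-mail.example; dkim=none"),
    "lookalike with its own SPF/DKIM": (
        "company-corp.com",
        "mx.receiver.example; spf=pass smtp.mailfrom=company-corp.com; "
        "dkim=pass header.d=company-corp.com"),
    "compromised real mailbox": (
        "companycorp.com",
        "mx.receiver.example; spf=pass smtp.mailfrom=companycorp.com; "
        "dkim=pass header.d=companycorp.com"),
}

if __name__ == "__main__":
    for name, (from_domain, header) in SCENARIOS.items():
        print(f"{name:34} {evaluate_dmarc(from_domain, header)}")
```

The output is the lesson for employees in one line each: the only scenario DMARC stops is the exact spoof, and only because that domain chose p=reject. The lookalike and the compromised account are “authenticated” in every technical sense, which is why the verification habit has to be independent of anything the message itself carries.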

Establish clear guidelines:

Never:

  • Send passwords or credentials via email
  • Click links in unexpected security alerts
  • Open attachments from unknown senders
  • Trust caller ID or sender names alone
  • Bypass verification procedures due to urgency

Always:

  • Verify unexpected requests through separate channels
  • Report suspicious emails even if uncertain
  • Use bookmarks or type URLs directly for sensitive sites
  • Confirm wire transfer or payment changes by phone
  • Check with IT security about questionable emails

Establish specific verification procedures:

Wire transfer requests:

  1. Call requester using known number (not from email)
  2. Verify authorization through documented approval chain
  3. Confirm account details independently
  4. Document verification steps

Vendor payment changes:

  1. Contact vendor using existing relationship contact
  2. Verify through multiple methods before implementing
  3. Implement waiting period for payment changes
  4. Flag and review all payment detail modifications

Credential requests:

  1. Never provide passwords via email regardless of sender
  2. Report all credential requests to IT security
  3. Navigate to sites directly rather than through email links
  4. Contact IT through known channels to verify legitimacy

Regular phishing simulations test employee recognition in realistic scenarios. Effective simulation programs:

  • Use varied attack types (different lures, tactics, sophistication levels)
  • Test all employees, including executives
  • Provide immediate feedback when employees click
  • Track progress over time
  • Focus on education, not punishment

Simulations build practical recognition skills that passive training cannot develop.

Hands-on exercises where employees practice:

  • Identifying phishing versus legitimate emails
  • Analyzing headers and sender information
  • Making decisions under realistic conditions
  • Reporting suspicious messages

Interactive training creates stronger learning than videos or documents alone.

Examine actual attacks to understand:

  • How sophisticated attacks unfold
  • Why victims fell for schemes
  • What warning signs existed
  • How similar attacks can be prevented

Real examples make abstract threats concrete and memorable.

Deliver training at relevant moments:

  • Education immediately after clicking simulation
  • Reminders during high-risk periods
  • Updates when new threats emerge
  • Reinforcement tied to actual email activity

Timely training maximizes relevance and retention.

Building an Email Security Training Program

Establish baseline through:

  • Initial phishing simulation to measure click rates
  • Survey to assess current knowledge
  • Review of past email security incidents
  • Identification of highest-risk roles

Deploy core email security education:

  • Email threat landscape overview
  • Recognition skills for common attacks
  • Reporting procedures and resources
  • Verification process training

All employees complete baseline training before advanced modules.

Launch regular phishing simulations:

  • Monthly simulations for all employees
  • Varied difficulty and attack types
  • Immediate feedback and education
  • Progress tracking and reporting

Simulations should feel like real attacks, not obvious tests.

Provide deeper training for specific needs:

  • Role-specific threat training (finance, executive, IT)
  • Emerging threat updates
  • Scenario-based exercises
  • Refresher training for struggling employees

Embed email security into organizational culture:

  • Recognition for reporting
  • Regular security communications
  • Leadership participation and messaging
  • Continuous improvement based on metrics

Measuring Email Security Training Effectiveness

Metric | Baseline | Target | Excellent
--- | --- | --- | ---
Phishing click rate | 20-35% | Under 10% | Under 5%
Reporting rate | 10-20% | Over 50% | Over 70%
Time to report | Days | Hours | Under 1 hour
Repeat clickers | Common | Rare | Very rare

  • Training completion rates
  • Assessment scores
  • Employee confidence levels
  • Incident reduction
  • Near-miss reports

Track improvement over time:

  • Click rate changes across simulations
  • Reporting rate growth
  • Response time improvements
  • Risk reduction across the organization

Finance teams face the highest-value email attacks:

Focus areas:

  • BEC and CEO fraud recognition
  • Invoice fraud detection
  • Payment change verification
  • Wire transfer security procedures

Simulations should include:

  • Fake executive requests
  • Vendor impersonation attempts
  • Urgency-based payment demands
  • Account detail change requests

Executives are prime targets for whaling attacks:

Focus areas:

  • High-value target awareness
  • Sophisticated attack recognition
  • Verification importance (even for “urgent” requests)
  • Leading by example

Simulations should include:

  • Board member impersonation
  • Legal urgency scenarios
  • Confidential matter requests
  • Time-sensitive authorization demands

IT employees face targeted attacks seeking system access:

Focus areas:

  • Credential theft recognition
  • System access request verification
  • Vendor and support impersonation
  • Insider threat awareness

Simulations should include:

  • Fake support requests
  • Credential reset attempts
  • System access demands
  • Technical support impersonation

Universal email security skills everyone needs:

  • Basic phishing recognition
  • Link and attachment safety
  • Reporting procedures
  • Password protection

Training works best alongside technical controls:

  • Email authentication (SPF, DKIM, DMARC)
  • Advanced threat protection
  • Link scanning and sandboxing
  • Attachment filtering
  • Impersonation detection
  • Multi-person approval for significant transactions
  • Out-of-band verification requirements
  • Payment change waiting periods
  • Documented authorization procedures
  • Easy reporting mechanisms (button in email client)
  • Clear escalation procedures
  • Feedback loops for reporters
  • Integration with security operations

Problem: Simulations designed to trick employees rather than train them. Impossible-to-detect tests create resentment without building skills.

Solution: Design simulations that challenge but are detectable with proper attention. The goal is education, not embarrassment.

Problem: Employees who click face public shaming, job consequences, or repeated remediation. This drives behavior underground rather than improving it.

Solution: Treat clicks as learning opportunities. Focus on improvement, provide support, and celebrate progress rather than punishing failure.

Problem: Annual training creates brief awareness that fades within weeks. Employees forget lessons before they encounter real attacks.

Solution: Maintain continuous touchpoints through monthly simulations, regular tips, and ongoing reinforcement.

Problem: Training uses examples irrelevant to employees’ actual work. Accountants need different scenarios than engineers.

Solution: Customize simulations and training to reflect real threats facing specific roles and your industry.

Problem: Training emphasizes recognition but neglects reporting. Employees identify threats but don’t escalate them appropriately.

Solution: Make reporting easy, celebrate reporters, and track reporting metrics alongside click rates.

Email remains the primary path attackers use to reach your employees. Technical controls block many threats but cannot stop sophisticated attacks that exploit human judgment. Email security training fills this gap.

Effective programs combine knowledge (understanding threats), practice (realistic simulations), and culture (encouraging reporting). They treat employees as partners in security rather than problems to be managed.

The investment pays returns beyond security metrics. Organizations with strong email security training experience fewer incidents, faster detection when attacks occur, reduced breach impact, and employees who feel empowered rather than victimized.

Your employees will receive malicious emails. With proper training, they’ll recognize and report them instead of clicking.


Build practical email security skills through hands-on practice. Try our free phishing simulation exercises and experience interactive training that develops real threat recognition abilities.

How to Spot Phishing: The Visual and Technical Signs That Reveal Fraud

Phishing detection - magnifying glass over email revealing fraud

You know what phishing looks like. Misspelled words, suspicious links, Nigerian princes. You’ve done the training. You’ve passed the tests.

And yet.

Somewhere, right now, someone who knows all of this is clicking a link they shouldn’t. Not because they’re careless or stupid, but because they’re busy, distracted, and the email looked just legitimate enough.

Phishing detection isn’t about knowledge. It’s about habits that kick in automatically, even when you’re not thinking clearly.

Most phishing fails a quick sanity check. The problem is we don’t do the check. We see an email, we react, we click. The trick is building a pause into that reaction:

  1. Was this expected? Unexpected requests for credentials, payments, or sensitive data are suspicious by default.

  2. Does the context make sense? An “account locked” email for a service you don’t use is obviously fake. But even for services you do use, did you do anything that would trigger this?

  3. Who sent this? Look at the actual email address, not just the display name. “PayPal Security” from security-paypal@mail-verify.net is not PayPal.

Most phishing attempts fail this 3-second test. The ones that pass deserve closer scrutiny.

URLs are the hardest thing for attackers to fake. Learn to read them.

https://account.paypal.com/login breaks down as:

  • https:// - Protocol (should be HTTPS for any login)
  • account.paypal.com - Domain (this is what matters)
  • /login - Path (less important for legitimacy)

The domain is everything between :// and the next /. Within that domain, read right to left:

  • paypal.com - This is the actual domain (owned by PayPal)
  • account. - This is a subdomain (controlled by whoever owns paypal.com)

Attackers use several tricks:

Subdomain deception:

  • paypal.account-verify.com - The domain is account-verify.com, not PayPal
  • secure-paypal.com.malicious.net - The domain is malicious.net

Typosquatting:

  • paypai.com (lowercase i instead of lowercase l)
  • paypa1.com (number 1 instead of lowercase l)
  • paypal-secure.com (adding words to legitimate brand)

Homograph attacks:

  • Using characters from different alphabets that look identical
  • pаypal.com using Cyrillic ‘а’ instead of Latin ‘a’

On desktop, hover over links to see their destination before clicking. On mobile, long-press links to preview URLs.

If the displayed text says “www.paypal.com” but the link goes elsewhere, that’s phishing.

Email display names can be anything. The actual address matters.

Legitimate:

  • service@paypal.com
  • noreply@email.chase.com

Suspicious:

  • paypal-service@gmail.com
  • support@paypal.security-verify.com
  • alert@paypal.com.suspicious-domain.net
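As an added example (not code from the original post), here is a small Python checker that applies the URL-reading rules above, and the sender-address rule, to a link or a From address. It assumes a constructed allow-list of the domains a brand owns, a naive last-two-labels rule for the registrable domain (no public-suffix list, so co.uk-style domains are not handled), and treats two edits or fewer from the brand domain as a typosquat.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of domains the brand actually owns (assumption).
BRAND_DOMAINS = {"paypal": "paypal.com", "chase": "chase.com"}


def registrable_domain(host: str) -> str:
    """Read the host right to left and keep its last two labels.

    Assumes no multi-label public suffix such as co.uk (a simplification).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def has_mixed_script(host: str) -> bool:
    """True when letters from more than one script appear (homograph sign)."""
    scripts = {unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()}
    return len(scripts) > 1


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a brand is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_host(host: str, brand: str) -> list[str]:
    """Reasons a host claiming to be `brand` fails the URL-reading rules."""
    host = host.lower()
    expected = BRAND_DOMAINS[brand]
    actual = registrable_domain(host)
    reasons = []
    if has_mixed_script(host):
        reasons.append("mixed-script host (possible homograph)")
    if actual == expected:
        return reasons            # any subdomain of the real domain is fine
    if brand in actual:           # e.g. paypal-secure.com
        reasons.append(f"brand name inside look-alike domain {actual}")
    elif brand in host:           # e.g. paypal.account-verify.com
        reasons.append(f"brand only in a subdomain; real domain is {actual}")
    elif edit_distance(actual, expected) <= 2:   # e.g. paypai.com, paypa1.com
        reasons.append(f"{actual} is a likely typosquat of {expected}")
    else:
        reasons.append(f"{actual} is not a {brand} domain")
    return reasons


def check_link(url: str, brand: str) -> list[str]:
    """Apply check_host to a link, and require HTTPS for anything login-like."""
    parts = urlsplit(url)
    reasons = ["not https"] if parts.scheme != "https" else []
    return reasons + check_host(parts.hostname or "", brand)


def check_sender(address: str, brand: str) -> list[str]:
    """The display name can be anything; only the part after '@' is checked."""
    return check_host(address.rsplit("@", 1)[-1], brand)
```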

Urgency without specificity:

  • “Your account will be suspended in 24 hours” - What account? Why?
  • Legitimate services provide specific details about issues

Generic greetings:

  • “Dear Customer” or “Dear User” when legitimate emails would use your name

Grammar and formatting:

  • Legitimate companies have professional copywriters and QA processes
  • Errors suggest rushed, non-professional origin

Mismatched branding:

  • Wrong logo colors, fonts, or layouts
  • Images that look stretched or pixelated
  • Footer information that doesn’t match the claimed sender

Be especially cautious of:

  • Unexpected attachments from anyone
  • File types that can execute code (.exe, .js, .html, .zip with executables)
  • “Invoice” or “Document” attachments you didn’t expect
  • Password-protected files (attackers use this to bypass security scanners)

When you reach a website (whether through email link or direct navigation), verify legitimacy before entering credentials.

HTTPS with a valid certificate is necessary but not sufficient. Attackers get SSL certificates too.

What to check:

  • Click the padlock icon → View certificate details
  • Verify the certificate is issued to the expected organization
  • Check the certificate isn’t expired

What certificates DON’T tell you:

  • That the site is legitimate
  • That your data is safe
  • That you should trust the organization

A phishing site can have a perfectly valid SSL certificate.

Compare against your memory of the legitimate site:

  • Are colors exactly right?
  • Is the logo correct?
  • Is the layout what you expect?
  • Do fonts look professional?

When in doubt, navigate directly to the site by typing the URL or using a bookmark. Don’t trust links.

Phishing sites often only implement the pages needed for credential theft.

Signs of a fake:

  • Footer links that go nowhere or to unrelated pages
  • “Forgot password” or “Create account” links that don’t work
  • Missing functionality that the real site would have
  • Error messages that don’t make sense

Check when a domain was registered:

  • Legitimate company domains are typically years old
  • Phishing domains are often registered days or weeks before attacks

Use whois command or online tools to check domain age.

Search certificate transparency logs for the domain to see:

  • When certificates were issued
  • How many certificates exist for the domain
  • Whether the certificate history matches expectations

For technical users:

  • Inspect network requests to see where data is actually sent
  • Check for suspicious JavaScript
  • Look at form action URLs

  1. Don’t click anything in the suspicious message
  2. Report it - Forward to your IT security team or use the report phishing button
  3. Delete it - Remove from inbox to avoid accidental future clicks

If You Clicked But Didn’t Enter Information

  1. Close the tab immediately
  2. Clear your browser cache
  3. Run a malware scan
  4. Monitor for unusual activity

  1. Change password immediately on the legitimate site
  2. Enable 2FA if not already active
  3. Check for unauthorized activity in the affected account
  4. Report the incident to IT security
  5. Monitor related accounts - if you reuse passwords, change those too

Make verification automatic, not exceptional:

  • Always check sender addresses
  • Always hover over links before clicking
  • Always navigate directly for sensitive actions

Assume unexpected requests are suspicious until verified:

  • Banks don’t email asking for credentials
  • Tech support doesn’t call unsolicited
  • Legitimate urgency comes with verifiable specifics

If a request might be legitimate:

  • Call the company using a number from their official website (not from the email)
  • Navigate directly to the service and check your account
  • Contact the purported sender through a known-good method

For organizations building phishing detection capabilities:

Regular simulated phishing campaigns:

  • Establish baseline click rates
  • Provide immediate education when employees click
  • Track improvement over time
  • Adjust difficulty as skills improve

Make reporting easy:

  • One-click phishing report buttons in email clients
  • No penalties for reporting false positives
  • Feedback on reported items to reinforce good behavior

Ongoing touchpoints:

  • Brief reminders about current phishing trends
  • Examples of real attacks targeting your industry
  • Recognition for employees who catch and report attempts

Here’s what I’ve learned watching thousands of people go through phishing simulations: the ones who catch attacks aren’t the most security-aware. They’re the ones who’ve built checking into their workflow.

They hover over every link. Not because they’re suspicious of that specific email, but because that’s just what they do. They verify sender addresses the way they check their mirrors before changing lanes. Automatic.

The goal isn’t to become paranoid. It’s to make verification so routine that you don’t have to think about it.

Most phishing attempts are obvious once you look. The trick is remembering to look when you’re tired, rushed, or just trying to get through your inbox before lunch.


Build detection habits through practice, not just training. Try our interactive security exercises with phishing scenarios designed to test your reflexes, not just your knowledge.

Smishing Attacks: How Text Message Phishing Works and How to Stop It

Smishing attacks - smartphone with malicious SMS message

Your phone buzzes. A text from your “bank” says suspicious activity was detected on your account. Click here to verify. The link looks legitimate. The message is urgent.

You’re already reaching for the link before you’ve finished reading.

That reaction is exactly why smishing works. SMS phishing succeeds where email fails because we’ve spent years training ourselves to distrust our inboxes. Nobody taught us to be suspicious of texts.

I’ve watched security-conscious people who would never click an email link tap a suspicious SMS without hesitation. The psychology is different:

Texts feel personal. Email comes from companies. Texts come from people you know. When a text arrives, your brain defaults to trust.

There’s no time to think. Email sits in your inbox until you’re ready. A text notification demands immediate attention. You’re responding on instinct, not analysis.

You can’t see where links go. On a phone screen, URLs get truncated. That suspicious domain? Hidden behind “…” in a tiny font.

Your phone has no defenses. Your email has spam filters, phishing detection, attachment scanning. Your SMS app? Nothing.

“Chase Alert: Unusual activity detected on your account. Verify immediately: chase-verify-security.com”

These messages exploit:

  • Trust in bank security alerts
  • Fear of financial loss
  • Urgency of fraud prevention

“USPS: Your package cannot be delivered. Update delivery preferences: usps-redelivery.net”

Effective because:

  • Everyone receives packages
  • Delivery issues feel plausible
  • Small “redelivery fees” seem reasonable

“Google: Someone is trying to sign into your account. Reply YES if this was you, or click here to secure your account.”

This attack intercepts legitimate login attempts by tricking users into revealing authentication codes.

“Apple Support: Your iCloud is full and backups are failing. Upgrade now to prevent data loss: icloud-upgrade-storage.com”

Targets users’ fear of losing photos and data.

“IRS: You have an outstanding tax obligation. Avoid legal action by paying immediately: irs-payment-portal.com”

Uses authority and fear of government penalties.

Unexpected contact: Legitimate organizations rarely initiate sensitive communications via SMS.

Urgency language: “Immediately,” “urgent,” “within 24 hours” pressure quick action over careful evaluation.

Generic greetings: Your bank knows your name. “Dear Customer” suggests fraud.

Shortened or suspicious URLs: Bit.ly links or domains that don’t match the claimed sender.

Requests for sensitive info: Legitimate organizations don’t ask for passwords, PINs, or full account numbers via text.

Poor grammar or formatting: Professional organizations have professional communications.

Attackers rarely use just one channel. A smishing text might tell you to call a number (leading to vishing). A vishing call might reference a “confirmation text” they’re about to send. The channels reinforce each other.

The difference between them comes down to what makes each channel vulnerable:

  • Email phishing gives attackers more space to craft convincing messages, but we’ve learned to be suspicious
  • Smishing exploits the trust and urgency built into text messaging
  • Vishing adds real-time social pressure that’s almost impossible to resist

If you get suspicious communication on one channel, expect attempts on others.

Never click links in unexpected texts. Navigate directly to services by typing URLs or using apps.

Verify independently. If a text claims to be from your bank, call the number on your card, not any number in the message.

Enable spam filtering. Both iOS and Android offer SMS spam detection. Enable it.

Report smishing. Forward suspicious texts to 7726 (SPAM) to report to carriers.

Don’t respond. Responding (even to say “stop”) confirms your number is active.

Mobile device management (MDM): Implement security policies on company devices including SMS threat detection.

Employee training: Include smishing scenarios in security awareness programs. Mobile threats are undertrained relative to email.

Clear policies: Establish that your organization will never request credentials or sensitive data via SMS.

Reporting mechanisms: Make it easy for employees to report suspicious texts to security teams.

Simulation testing: Include SMS-based simulations in phishing awareness programs where possible.

  1. Delete the message
  2. Block the sender
  3. Report to 7726 (SPAM)

If You Clicked But Didn’t Enter Information

  1. Close the page immediately
  2. Clear browser data
  3. Monitor for unusual activity

  1. Change password immediately on the real site
  2. Enable 2FA if not already active
  3. Contact the real organization’s fraud department
  4. Monitor accounts for unauthorized activity
  5. Consider identity theft protection if personal information was shared

Smishing attacks increased 700% during 2021-2022 as attackers recognized the opportunity. Contributing factors:

  • Mobile-first communication: People increasingly handle sensitive transactions on phones
  • Trust gap: Security training focuses on email while mobile threats are undertrained
  • Technical limitations: SMS lacks the authentication and filtering infrastructure email has developed
  • Pandemic acceleration: Increased reliance on delivery services and mobile banking created new attack surfaces

Case Study: Package Delivery Smishing Campaign

A 2023 smishing campaign impersonated USPS, UPS, and FedEx simultaneously:

Attack pattern:

  1. Text claiming delivery issue
  2. Link to credential harvesting page mimicking carrier site
  3. Request for “small redelivery fee” ($1.99)
  4. Payment form capturing full credit card details

Scale: Millions of texts sent during holiday shipping season

Effectiveness: Higher success rate than equivalent email phishing due to timing (everyone expected packages) and mobile trust dynamics

Lesson: Seasonal context dramatically increases smishing effectiveness. Training should address current attack patterns.

We’ve spent two decades building email security. Spam filters, phishing detection, user training. And it worked. Click rates on phishing emails have dropped.

So attackers moved to SMS, where none of those defenses exist.

The same skepticism you’ve learned to apply to email needs to extend to every channel. That “bank alert” text? Call your bank using the number on your card. That “delivery notification”? Check the tracking on the carrier’s actual website.

It feels paranoid. It’s not. It’s just how we have to operate now.


Build the instincts that catch smishing before you click. Try our interactive security exercises with realistic SMS attack scenarios.