CAN YOU SPOT THE FAKE EMAIL? TAKE THIS PHISHING QUIZ TO TEST YOUR SKILLS
Test your ability to identify phishing emails with our interactive quiz. Learn how phishing attacks work, why they succeed, and how to protect yourself and your organization from email fraud.
Direct answer
Phishing emails are fraudulent messages designed to trick recipients into revealing sensitive information, clicking malicious links, or transferring funds. The most effective way to build detection skills is through hands-on practice with realistic phishing simulations. A phishing quiz presents real and fake email examples side by side, training your eye to catch red flags such as mismatched sender domains, urgent language, suspicious links, and requests for credentials. According to the FBI, phishing was the most reported cybercrime in 2023, with over 298,000 complaints filed with IC3.
What is a phishing email?
A phishing email is a deceptive message sent by an attacker who impersonates a trusted entity, such as a bank, employer, government agency, or software provider, to manipulate the recipient into taking a harmful action. These actions typically include clicking a malicious link, downloading an infected attachment, entering login credentials on a spoofed website, or authorizing a fraudulent wire transfer.
Phishing is a subset of social engineering, which NIST describes as deceiving a person into revealing sensitive information or taking an action that benefits the attacker (see the glossary of NIST SP 800-63B). Unlike attacks that exploit software vulnerabilities, phishing exploits human psychology: trust, urgency, fear, and authority.
Phishing emails range from mass-distributed generic campaigns ("spray and pray") to highly targeted spear-phishing attacks crafted for a specific individual or organization. Business Email Compromise (BEC), a sophisticated variant, involves attackers impersonating executives or vendors to redirect payments or extract sensitive data.
Why does phishing detection matter?
Phishing remains the single most common initial attack vector in cybersecurity breaches worldwide. The statistics paint a stark picture of the threat landscape.
The scale of the problem is growing. The FBI's Internet Crime Complaint Center (IC3) reported that phishing and its variants accounted for over 298,000 complaints in 2023 alone, making it the most reported cybercrime category for the fifth consecutive year. Total losses from internet crime exceeded $12.5 billion, with Business Email Compromise responsible for approximately $2.9 billion of that figure (FBI IC3 2023 Annual Report).
Most breaches start with a phishing email. According to the Verizon 2024 Data Breach Investigations Report, the human element was involved in 68% of breaches, and phishing was consistently among the top action varieties in social engineering attacks. The same report puts the median time to click a phishing link at 21 seconds after opening the email, with another 28 seconds to enter data on the landing page: under 60 seconds from open to compromise.
Small businesses are disproportionately vulnerable. The Cybersecurity and Infrastructure Security Agency (CISA) notes that small and medium businesses often lack dedicated security teams, making them attractive targets. A single successful phishing attack can result in ransomware deployment, data exfiltration, or financial theft that threatens the survival of a small organization.
Phishing simulations and quizzes measurably reduce risk. Organizations that run regular simulations typically see click rates on simulated phishing fall substantially over a 12-month program, and NIST's Phish Scale research shows why realism matters: click rates depend heavily on how closely a lure matches the recipient's work context. Employees who practice identifying phishing in controlled environments develop pattern recognition that transfers to real-world threats.
Phishing awareness is not a one-time exercise. Attackers continuously refine their techniques, incorporating AI-generated text, deepfake voice messages, and pixel-perfect website clones. Ongoing training through tools like phishing quizzes keeps detection skills current and reflexive.
How does a phishing attack work?
Understanding the anatomy of a phishing attack is essential for recognizing one. Most phishing campaigns follow a predictable sequence of steps.
Step 1: Reconnaissance and target selection. The attacker identifies targets and gathers publicly available information. For spear-phishing, this may include harvesting email addresses from LinkedIn, company websites, data breach dumps, or social media profiles. The attacker studies organizational hierarchies, vendor relationships, and communication patterns to craft a believable pretext.
Step 2: Infrastructure preparation. The attacker registers lookalike domains (for example, "arnazon.com", where "rn" imitates "m", instead of "amazon.com"), sets up spoofed email addresses, and creates cloned login pages. Some attackers instead compromise legitimate email accounts and send phishing from them; those messages pass SPF, DKIM, and DMARC because they genuinely originate from the trusted domain's mail servers, so authentication checks alone cannot catch them.
Step 3: Crafting the lure. The phishing email is designed to trigger an emotional response. Common lures include fake invoice notifications with urgent payment deadlines, account suspension warnings requiring immediate credential verification, package delivery failure notices with tracking links, HR policy updates requiring employees to log in, and tax refund notifications impersonating the IRS or CRA. The message typically includes one or more psychological triggers: urgency ("Your account will be locked in 24 hours"), authority ("Message from the CEO"), fear ("Unusual login detected"), or reward ("You have a pending refund").
Step 4: Delivery. The email is sent, often timed for maximum impact, such as early morning when attention is divided, end of fiscal quarter when invoice volume is high, or during major events like tax season. Sophisticated attackers may send the phishing email as a reply in an existing email thread if they have compromised a participant's account.
Step 5: Exploitation. When the recipient clicks a link, they are directed to a credential-harvesting page, a malware download, or a form that captures personal information. Some phishing attacks use no links at all, instead relying on reply-based social engineering ("Please wire $47,000 to the following account for the Henderson acquisition").
Step 6: Post-compromise actions. Once the attacker has credentials or access, they may install persistent backdoors, move laterally through the network, exfiltrate data, set up email forwarding rules to intercept future communications, or initiate fraudulent transactions. The attacker may remain undetected for weeks or months.
Real case: the Ubiquiti Networks BEC attack
In 2015, Ubiquiti Networks, a publicly traded technology company, disclosed that it had lost $46.7 million in a Business Email Compromise attack. Attackers impersonated company executives and targeted employees in the finance department, requesting a series of wire transfers to overseas accounts controlled by the criminals.
The attack exploited several classic phishing and BEC characteristics. The emails appeared to come from senior leadership within the company. The requests involved standard financial operations (wire transfers) that finance employees routinely processed. The attackers used urgency and authority to discourage verification through alternative channels. The fraud was discovered only after an external notification from law enforcement.
Ubiquiti recovered approximately $8.1 million of the stolen funds, but the incident resulted in significant financial loss, reputational damage, and a drop in stock price. The SEC filing noted that the attack involved "employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department" (Ubiquiti Networks Form 8-K, August 2015).
This case illustrates why phishing detection is a critical organizational skill. The employees who processed the wire transfers were not negligent; they were executing what appeared to be legitimate instructions from leadership. Without training to recognize the specific indicators of BEC, even diligent employees can be deceived.
How can you detect a phishing email? A complete checklist
Use this checklist every time you evaluate a suspicious email. A single red flag warrants caution; multiple red flags strongly suggest phishing.
Sender verification. Check the full email address, not just the display name. Look for subtle misspellings in the domain (e.g., "micros0ft.com" or "paypa1.com") and for your brand's name used as a leading label of an unrelated domain ("paypal.com.secure-login.net" belongs to secure-login.net). A Reply-To address on a different domain from the From address is a strong signal: replies will go to the attacker. If your client exposes headers, read the Authentication-Results header, which records whether SPF, DKIM, and DMARC passed at your mail gateway.
Link inspection. Hover over every link before clicking to reveal the actual destination URL, and compare it with the visible link text; attackers routinely display one URL and link to another. Look for URL shorteners that obscure the true destination. HTTPS and a padlock only mean the connection is encrypted; attackers obtain TLS certificates for their lookalike domains as easily as legitimate sites do. Compare the link domain to the organization's known, legitimate domain, reading the hostname from right to left.
Content and language analysis. Watch for generic greetings ("Dear Customer") instead of your name. Note grammatical errors, unusual phrasing, or inconsistent formatting. Be skeptical of urgent language demanding immediate action. Question requests that bypass normal procedures.
Attachment scrutiny. Be cautious with unexpected attachments, especially .exe, .zip, .docm, .xlsm, and .html files. Verify with the sender through a separate communication channel before opening. Use your email security tool to scan attachments before downloading.
Contextual verification. Ask whether you expected this email. Confirm unusual requests (especially financial) through a known phone number or in-person. Check whether colleagues received similar messages. Verify the request against your organization's established procedures.
Technical indicators. Look for a mismatch between the envelope sender (Return-Path) and the From header; legitimate bulk mail often differs here too, so treat it as a prompt to look closer rather than proof. Check whether the sender's domain was registered recently (WHOIS or RDAP lookup). Note if the email bypassed your spam filter but still feels suspicious. Examine the Received headers for routing anomalies, such as a message that claims to be internal but entered through an external relay.
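The checklist above can be run mechanically against a saved message. The script below is an added example written for this article, not code from the publisher: it parses a raw email, compares the From, Reply-To, and Return-Path domains, reads the Authentication-Results header, flags lookalike domains built from confusable characters or from a brand used as a leading label, and reports links whose visible text shows a different domain than the real destination. The sample message, the list of "known" brand domains, and the urgency phrase list are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the brands we expect mail from and the domains they really use.
KNOWN_DOMAINS = {"paypal.com", "microsoft.com", "amazon.com"}
# Character swaps used in lookalike domains (arnazon -> amazon, paypa1 -> paypal).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|urgent|verify now)\b", re.I)

def domain_of(header):
    """Lower-cased domain of an address header; '' when the header is absent."""
    _, addr = parseaddr(str(header) if header else "")
    return addr.rpartition("@")[2].lower()

def lookalike_of(domain):
    """Legitimate domain that `domain` imitates, or None if it is genuine or unrelated."""
    base = domain.lower()
    if any(base == k or base.endswith("." + k) for k in KNOWN_DOMAINS):
        return None  # the real domain or one of its subdomains
    normalized = base
    for fake, real in CONFUSABLES.items():
        normalized = normalized.replace(fake, real)
    for known in KNOWN_DOMAINS:
        if normalized == known or normalized.endswith("." + known):
            return known  # confusable characters, e.g. paypa1.com
        if known in base:
            return known  # brand used as a leading label, e.g. paypal.com.evil.net
    return None

def visible_domain(text):
    """Domain the link *text* appears to show; '' if the text is not a URL."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return urlparse(text if "://" in text else "//" + text).hostname or ""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def analyze(raw):
    """Return the red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings, from_dom = [], domain_of(msg["From"])
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != from_dom:
            findings.append(f"{header} domain {other} differs from From domain {from_dom}")
    if lookalike_of(from_dom):
        findings.append(f"sender domain {from_dom} imitates {lookalike_of(from_dom)}")
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "absent"
        if result != "pass":
            findings.append(f"{mech} result: {result}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    if URGENCY.search(html):
        findings.append("urgent language pressuring immediate action")
    collector = LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        real, displayed = (urlparse(href).hostname or "").lower(), visible_domain(shown)
        if displayed and displayed != real:
            findings.append(f"link text shows {displayed} but points to {real}")
        if lookalike_of(real):
            findings.append(f"link domain {real} imitates {lookalike_of(real)}")
    return findings

# Constructed phishing sample (not a real message): lookalike sender, foreign Reply-To,
# failed DMARC, urgent lure, and a link whose text hides its destination.
SAMPLE = """\
Return-Path: <bounce@mail-delivery-check.net>
From: "PayPal Service" <service@paypa1.com>
Reply-To: <support@mail-delivery-check.net>
Subject: Your account will be suspended within 24 hours
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-delivery-check.net; dkim=none; dmarc=fail header.from=paypa1.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer, unusual activity was detected. Verify now to avoid suspension.</p>
<p><a href="https://paypal.com.secure-login.net/verify">https://www.paypal.com/secure</a></p></body></html>
"""

if __name__ == "__main__":
    for flag in analyze(SAMPLE):
        print("-", flag)
```

Running it on the sample prints eight findings, one per checklist item it violates. Note that SPF passes here because the attacker's own domain is in the envelope sender; the DMARC failure comes from the lack of alignment with the From domain, which is exactly the gap DMARC exists to close.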
How can you prevent phishing attacks?
Phishing prevention requires a layered defense strategy that combines human awareness with technical controls.
Implement email authentication protocols. Configure SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) for all organizational domains, including ones that never send mail. NIST recommends DMARC with a policy of "reject" as a baseline email security measure (NIST SP 800-177 Rev. 1); a record left at p=none only monitors and blocks nothing. These protocols make it very hard for attackers to spoof your exact domain when phishing your customers and partners. They do nothing against lookalike domains or mail sent from compromised legitimate accounts, which is why the detection habits above remain necessary.
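The misconfigurations that leave a domain spoofable are visible in the DNS TXT records themselves. The following is an added example for this article, not NIST guidance or the publisher's code: it grades an SPF record and a DMARC record, pairing a weak configuration with a hardened one for the same fictional domain. Both record sets are constructed; against a real domain you would feed it the output of `dig TXT example.com` and `dig TXT _dmarc.example.com`.

```python
# Constructed records for a weak and a hardened configuration of one fictional domain.
WEAK = {"spf": "v=spf1 a mx include:_spf.example-mailer.test ptr +all",
        "dmarc": "v=DMARC1; p=none; pct=50"}
HARDENED = {"spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mailer.test -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=s"}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 counts these against the limit of 10

def grade_spf(record):
    """Return the weaknesses in an SPF TXT record (empty list when it is sound)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The 'all' mechanism decides what happens to hosts the record does not list.
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted hosts get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral: effectively no policy")
    elif all_term == "~all":
        findings.append("'~all' soft-fails spoofed mail; acceptable only alongside DMARC p=reject")
    lookups = sum(1 for t in terms if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror: receivers ignore the record)")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms):
        findings.append("'ptr' is deprecated: slow, unreliable, and ignored by some receivers")
    return findings

def grade_dmarc(record):
    """Return the weaknesses in a DMARC TXT record (empty list when it enforces)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings, pol = [], tags.get("p")
    if pol is None:
        findings.append("missing p= tag: receivers treat the record as invalid")
    elif pol == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif pol == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: the policy applies to only that percentage of failing mail")
    if pol not in (None, "none") and tags.get("sp", pol) == "none":
        findings.append("sp=none: subdomains stay spoofable although the organizational domain is protected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so you cannot see who is spoofing you")
    return findings

def grade(domain_records):
    """Combine SPF and DMARC findings; an empty dict means both records enforce."""
    result = {}
    for kind, grader in (("spf", grade_spf), ("dmarc", grade_dmarc)):
        problems = grader(domain_records[kind])
        if problems:
            result[kind] = problems
    return result

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, grade(records) or "OK")
```

The hardened pair is the end state NIST SP 800-177 Rev. 1 points toward: an SPF record that lists only the hosts that really send, ends in -all, and stays under the lookup limit, plus a DMARC record at p=reject with reporting enabled so you learn about spoofing attempts instead of guessing.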
Deploy AI-powered email security tools. Traditional rule-based spam filters miss sophisticated phishing attempts. Modern email security platforms analyze sender behavior, message content, link destinations, and contextual signals using machine learning to identify threats that evade conventional filters. Tools that process emails locally, without storing user data, provide security without compromising privacy.
Conduct regular phishing simulations and training. Run phishing simulations at least quarterly to maintain awareness. Provide immediate feedback when employees click simulated phishing links. Use varied and realistic scenarios that reflect current threat trends. Track organizational click rates over time to measure improvement.
Enforce multi-factor authentication (MFA) everywhere. MFA ensures that stolen credentials alone are insufficient for account compromise. CISA recommends phishing-resistant MFA methods such as FIDO2 security keys or platform authenticators over SMS-based codes, which are vulnerable to SIM-swapping attacks. One-time codes from SMS or authenticator apps can also be relayed in real time by a phishing site that proxies the legitimate login page; FIDO2/WebAuthn credentials are bound to the legitimate site's origin, so a lookalike site cannot obtain a usable assertion.
Establish verification procedures for financial requests. Require out-of-band confirmation (phone call to a known number, in-person verification) for all wire transfers, payment changes, and sensitive data requests. The FBI specifically recommends verifying payment and purchase requests in person or via a known phone number, not using contact information provided in the email (FBI IC3 PSA).
Keep software and systems updated. Ensure operating systems, browsers, email clients, and security tools are patched and current. Many phishing attacks deliver payloads that exploit known vulnerabilities in outdated software.
Use the 3-Second Hover Rule. Before clicking any link in any email, hover your cursor over the link for at least three seconds and read the full destination URL, comparing it with the text the link displays. This simple habit catches many phishing links, which rely on urgency to get a click before anyone inspects the destination.
What should you do if you fall for a phishing email?
Speed is critical in incident response. The actions taken in the first hour after a phishing compromise significantly affect the scope of damage.
Immediate actions (first 15 minutes). Do not delete the email, as it contains forensic evidence. Disconnect the affected device from the network if malware is suspected. Change the password for the compromised account immediately from a different, trusted device, and revoke active sessions and app passwords, since a password change alone does not always terminate sessions the attacker already holds. Enable or reset multi-factor authentication on the affected account.
Reporting and containment (first hour). Report the incident to your IT or security team using your organization's established reporting channel. Forward the phishing email to your email security provider and to the Anti-Phishing Working Group at reportphishing@apwg.org, which accepts reports from any country. If financial information was compromised, contact your bank or financial institution immediately. File a report with the FBI's IC3 at ic3.gov if you are a U.S. resident.
Investigation and recovery (first 24 hours). Review account activity logs for unauthorized access, especially email forwarding rules, sent items, and login history. Scan affected devices with updated antivirus and anti-malware tools. Identify whether other accounts used the same credentials and change those passwords. Notify affected parties if sensitive data was exposed.
Post-incident review (first week). Document the full timeline and impact of the incident. Analyze how the phishing email bypassed existing controls. Update security policies and training based on lessons learned. Share anonymized details with your team to prevent similar attacks.
If you provided financial information or authorized a wire transfer, contact your bank immediately. The FBI recommends contacting your financial institution within 24 hours to initiate a fund recovery process. For international wire transfers, also contact the receiving financial institution.
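The mailbox-rule review in the investigation step deserves tooling, because attackers who take over an account almost always plant rules that forward, hide, or delete mail so the victim never sees the replies to fraudulent requests or the security alerts about the takeover. The script below is an added example for this article, not the publisher's code or any vendor's API: it audits an exported rule list for exactly those traits. The rule fields are named after what an Exchange Online administrator sees from Get-InboxRule (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords), but the rules, the organization's domain, and the keyword lists are all constructed for the demonstration.

```python
ORG_DOMAINS = {"example.com"}  # assumed: the organization's own mail domains
SENSITIVE_SUBJECTS = {"invoice", "payment", "wire", "bank", "password", "phishing", "suspicious", "security alert"}
OBSCURE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items"}

# Constructed export of one mailbox's rules (field names mirror a Get-InboxRule listing).
RULES = [
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "wire"],
     "ForwardTo": ["acct-review@mail-drop.example.net"], "DeleteMessage": True},
    {"Name": "Vendor alerts", "Enabled": True, "SubjectContainsWords": ["suspicious", "password"],
     "MoveToFolder": "RSS Feeds"},
    {"Name": "Team list", "Enabled": True, "SubjectContainsWords": ["[dev-team]"], "MoveToFolder": "Dev Team"},
    {"Name": "Copy to assistant", "Enabled": True, "ForwardTo": ["assistant@example.com"]},
]

def is_external(address):
    """True when the address is outside the organization's own domains."""
    return address.rpartition("@")[2].lower() not in ORG_DOMAINS

def audit_rule(rule):
    """Return the suspicious traits of one rule (empty list if it looks benign)."""
    findings = []
    if not rule.get("Enabled", True):
        return findings  # a disabled rule cannot act; still worth a manual look during IR
    external = [a for a in rule.get("ForwardTo", []) + rule.get("RedirectTo", []) if is_external(a)]
    if external:
        findings.append("forwards or redirects to external address(es): " + ", ".join(external))
    hits = {w.lower() for w in rule.get("SubjectContainsWords", [])} & SENSITIVE_SUBJECTS
    if hits:
        findings.append("filters on sensitive subjects: " + ", ".join(sorted(hits)))
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail, hiding replies or security alerts from the owner")
    if (rule.get("MoveToFolder") or "").lower() in OBSCURE_FOLDERS:
        findings.append(f"moves mail to a rarely opened folder: {rule['MoveToFolder']}")
    name = rule.get("Name", "").strip()
    if not name or all(not c.isalnum() for c in name):
        findings.append("blank or punctuation-only rule name, a common attacker habit")
    return findings

def audit(rules):
    """Map rule name -> findings for every rule that raised at least one."""
    report = {}
    for rule in rules:
        problems = audit_rule(rule)
        if problems:
            report[rule.get("Name", "<unnamed>")] = problems
    return report

if __name__ == "__main__":
    for name, problems in audit(RULES).items():
        print(f"rule {name!r}:")
        for problem in problems:
            print("   -", problem)
```

On the sample, the rule named "." is the textbook BEC persistence rule (sensitive subjects, forwarded out of the organization, then deleted), "Vendor alerts" buries warnings in a folder nobody opens, and the two ordinary rules pass. Run the same audit across every mailbox that shared the phished credentials, and also check the account's OAuth application grants, which rule exports do not show.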
Frequently Asked Questions
What percentage of cyberattacks start with a phishing email?
Research consistently shows that phishing is the most common initial attack vector. The Verizon 2024 Data Breach Investigations Report found that phishing was among the top social engineering actions in breaches, and the human element was involved in 68% of breaches overall. CISA has stated that over 90% of successful cyberattacks begin with a phishing email, reinforcing phishing awareness as the single most impactful security behavior for individuals and organizations.
Can phishing emails come from someone I know?
Yes. In Business Email Compromise and account takeover attacks, phishing emails are sent from legitimate, compromised accounts. The attacker gains access to a trusted contact's email and uses it to send phishing messages to their contacts. This is one of the most dangerous forms of phishing because the email passes authentication checks (SPF, DKIM, DMARC) and comes from a recognized sender. Always verify unusual requests through a separate communication channel, even when the sender appears familiar.
Are phishing quizzes effective for training?
Phishing quizzes and simulations are among the most effective security awareness tools available. Multiple industry studies report that employees who participate in regular phishing simulations show significantly lower click rates on real phishing emails over time. Interactive quizzes are more effective than passive training materials because they require active decision-making, provide immediate feedback, and build pattern recognition through practice. The key to effectiveness is regularity: a single quiz improves awareness temporarily, but sustained reduction in phishing susceptibility requires ongoing training.
How do I check if an email is really from the IRS?
The IRS has stated clearly and repeatedly that it does not initiate contact with taxpayers by email, text message, or social media to request personal or financial information (IRS.gov, "How to Know It's Really the IRS"). Any email claiming to be from the IRS that requests login credentials, Social Security numbers, bank account information, or payment is fraudulent. The IRS initiates most contacts through postal mail. If you receive a suspicious email claiming to be from the IRS, forward it to phishing@irs.gov and delete it. To verify a legitimate IRS matter, contact the IRS directly at 1-800-829-1040 or visit irs.gov.
What is the difference between phishing, spear-phishing, and whaling?
These terms describe phishing attacks of increasing specificity. Standard phishing involves mass-distributed emails sent to large numbers of recipients with a generic lure, such as a fake password reset from a popular service. Spear-phishing targets a specific individual or small group, using personalized details gathered through research, such as the target's name, job title, recent activities, or organizational relationships. Whaling is spear-phishing directed at senior executives ("big fish"), typically involving high-value requests such as wire transfers, strategic data access, or credential harvesting for privileged accounts. The FBI's IC3 tracks these variants under the broader category of Business Email Compromise, which resulted in approximately $2.9 billion in reported losses in 2023.
Executive summary (TL;DR)
Phishing is the most reported cybercrime in the FBI's IC3 data, with over 298,000 complaints and $2.9 billion in BEC losses documented in 2023 alone. Phishing emails work by impersonating trusted entities and exploiting urgency, authority, and fear to trick recipients into clicking malicious links, surrendering credentials, or authorizing fraudulent payments.
The six pillars of phishing defense are: implementing email authentication (SPF, DKIM, DMARC), deploying AI-powered email security tools, conducting regular phishing simulations and quizzes, enforcing phishing-resistant multi-factor authentication, establishing out-of-band verification for financial requests, and maintaining software updates.
Detection comes down to consistent habits: verify the sender's full email address, hover over links before clicking, question urgent or unusual requests, and confirm financial instructions through a known phone number. If compromised, act within the first hour: change credentials from a trusted device, report the incident, contact your financial institution, and preserve the phishing email as evidence.
Phishing quizzes are one of the most effective tools for building real detection skills because they require active decision-making in realistic scenarios. Regular practice measurably reduces organizational phishing susceptibility over time.
Sources: FBI IC3 2023 Annual Report, Verizon 2024 Data Breach Investigations Report, NIST SP 800-63B, NIST SP 800-177 Rev. 1, CISA Phishing Guidance, IRS.gov Taxpayer Guide, SEC Filing Ubiquiti Networks Form 8-K (August 2015).
Published by SO Email Security — AI-powered email protection built on five trust pillars: browser-only processing, zero data storage, no human access to user data, complete user data control, and no data monetization.