Spot the Phishing Email
Before It Gets You

Five real-world email scenarios — from obvious scams to expert-level lures that fool even security teams. Think you can tell the difference?

🎯

Three levels — beginner to advanced — gradually introduce the tactics attackers actually use in the wild.

🔍

After every email, get a full breakdown of what to look for: domain spoofs, urgency tactics, URL tricks, and BEC patterns.

📊

Track your score and streak across 5 scenarios. Results include a security grade and take-home detection tips.

Level 1

0 / 5

—

From:— To:you@company.com Date:—

—

Drill Complete

—

🔍 Check the sender domain

Hover the sender name to see the real address. Attackers use paypa1.com, amazon-security.net, and lookalike domains.

🔗 Inspect links before clicking

Hover over any link to see the real URL in your status bar. Display text and destination can be completely different.

⚡ Be suspicious of urgency

"Your account will be suspended in 24 hours!" is a manipulation tactic designed to make you act before you think.

📧 Go direct, not through email

Never click email links to log in. Open a browser and navigate directly to the site instead.

🏢 Verify unusual requests

A CEO asking for a wire transfer? Call them on a known number to confirm — never rely on email alone.

🔤 Watch for subdomain tricks

accounts.google.com.evil.net is owned by evil.net, not Google. The real domain is always the last segment before the path.