Why this matters: Phishing tricks you into clicking links, opening attachments, or sharing passwords and codes.
It’s the #1 way attackers break into email, banking, social, and cloud accounts.
What Is Phishing?
Phishing is a social engineering attack where criminals impersonate trusted brands, services, or people to steal
your credentials, money, or data. It shows up via email, SMS/WhatsApp (smishing),
voice calls (vishing), and social media DMs.
Common Channels
Email: “Account suspended—verify now.”
SMS/WhatsApp: “Your parcel fee is due. Pay here.”
Voice calls: “Bank security—share the OTP to secure your account.”
Social DMs: “Is this you in the video?” leading to fake login pages.
Red Flags to Spot Quickly
Urgency: “Act now”, “Verify in 10 minutes”, threats or rewards.
Sender: Odd email address or domain (e.g., support@paypaI.com, with a capital i in place of the lower-case l).
Links: Hover to preview the real destination; mismatched or shortened URLs.
Attachments: Unexpected invoices or ZIP files from unknown senders.
Language: Spelling mistakes, awkward phrasing, strange salutations.
Requests: Codes, passwords, PINs, or payment “fees”.
How to Verify Before You Click
Type the website yourself in the browser or open the official app—don’t use the link.
Check the sender domain carefully; compare with previous legit messages.
Call the organisation using numbers from their official website.
For DMs, ask the person to send a voice note or call (but beware deepfakes—use a passphrase if possible).
Look up the message text online with “scam” to see if others reported it.
Example of a Phishing Email (Annotated)
Subject: URGENT: Your Account Will Be Disabled in 24 Hours
From: Security Team <support@secure-paypaI.com> ← suspicious domain (capital i)
Link: https://secure-paypaI.com/verify ← fake URL (hover to see)
Message: Please verify your identity by entering your password and the 6-digit code we sent.
Attachment: invoice.zip ← unexpected attachment
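The red flags listed above can be checked mechanically. The following is an added example (not part of the original guide) that scores a message against the look-alike sender, mismatched link, urgency, secret-request and attachment flags, using the annotated email above as constructed input; the brand list and the link's display text are assumptions.

```python
import re
from urllib.parse import urlparse

KNOWN_BRANDS = {"paypal"}                      # assumption: brands the reader expects mail from
URGENCY = re.compile(r"\b(urgent|act now|disabled|suspended|within \d+ (hours|minutes))\b", re.I)
SECRET = re.compile(r"\b(password|pin|otp|\d-digit code)\b", re.I)
RISKY_EXT = (".zip", ".exe", ".js", ".scr")

def normalise(domain: str) -> str:
    """Undo look-alike swaps (capital I or digit 1 for l) BEFORE lower-casing, which would hide them."""
    return domain.translate(str.maketrans("I1", "ll")).lower()

def lookalike_domain(domain: str) -> bool:
    """True if the domain merely resembles a known brand (paypaI.com, secure-paypal.com)."""
    raw, norm = domain.lower(), normalise(domain)
    for brand in KNOWN_BRANDS:
        if brand in norm and brand not in raw:
            return True                        # brand appears only after undoing the swap
        if brand in raw and raw != f"{brand}.com" and not raw.endswith(f".{brand}.com"):
            return True                        # brand embedded in an unrelated registrable domain
    return False

def check_message(msg: dict) -> list[str]:
    """Return the red-flag codes triggered by one message (dict of header fields)."""
    flags = []
    sender_domain = msg.get("from", "").split("@")[-1].rstrip(">")
    if lookalike_domain(sender_domain):
        flags.append("lookalike-sender")
    if URGENCY.search(msg.get("subject", "") + " " + msg.get("body", "")):
        flags.append("urgency")
    for shown, href in msg.get("links", []):   # (text the user sees, real destination)
        real = urlparse(href).netloc           # netloc keeps case, so the capital I survives
        if lookalike_domain(real):
            flags.append("lookalike-link")
        if shown.startswith("http") and urlparse(shown).netloc.lower() != real.lower():
            flags.append("link-mismatch")
    if SECRET.search(msg.get("body", "")):
        flags.append("asks-secret")
    if any(a.lower().endswith(RISKY_EXT) for a in msg.get("attachments", [])):
        flags.append("risky-attachment")
    return flags

# Constructed sample built from the guide's annotated email; the link's display text is an assumption.
SAMPLE = {
    "from": "Security Team <support@secure-paypaI.com>",     # capital i, not lower-case l
    "subject": "URGENT: Your Account Will Be Disabled in 24 Hours",
    "body": "Please verify your identity by entering your password and the 6-digit code we sent.",
    "links": [("https://www.paypal.com/verify", "https://secure-paypaI.com/verify")],
    "attachments": ["invoice.zip"],
}
```

Running `check_message(SAMPLE)` returns all six flags; a genuine statement notice from paypal.com with a matching link returns none.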
If You Clicked or Entered Details
Change your password immediately on the real site/app.
Enable/upgrade 2FA (use an authenticator app, not SMS if possible).
Revoke sessions/devices in account security settings.
Scan your device with reputable security software.
Warn contacts if your account may have sent phishing.
Report the phishing to the service (e.g., reportphishing@apwg.org) and local authorities.
Tips for Organisations, Schools & NGOs
MFA: Enforce multi-factor authentication for email and admin portals.
Training: Short, regular awareness sessions with local examples (WhatsApp/FB focus).
Reporting: One-click “report phishing” and clear response playbooks.
Filtering: Keep mail filters and SPF/DKIM/DMARC configured and monitored.
Backups: Regular, tested backups protect against ransomware after a phish.
Tip: If a message triggers strong emotion—fear, excitement, urgency—pause, verify via official channels, then act.