Phishing is the most common vector for account compromise. Most successful attacks exploit urgency and impersonation — knowing the patterns makes them easy to spot.
Common patterns
Urgency and pressure — “Your account will be suspended in 24 hours.” Legitimate systems don’t work like this. When in doubt, verify through a separate channel.
Mismatched sender domains — An email claiming to be from your bank with a domain like secure-bank-alert.net is a red flag. Check the full email address, not just the display name.
Requests for credentials — No legitimate internal system will ask you to enter your password via email. If a link takes you to a login page you weren’t expecting, close it.
Unexpected attachments — Don’t open attachments you weren’t expecting, especially .exe, .zip, or macro-enabled Office files.
What to do
If you receive a suspicious email:
- Don’t click any links or download attachments.
- Report it using the “Report Phishing” button in your email client, or forward to security@example.com.
- Delete it.
If you clicked a link or entered credentials:
- Change your password immediately.
- Notify the security team at security@example.com — include the URL you visited.
- Don’t wait to see if anything happens. Speed matters.
Simulated phishing tests
IT runs periodic simulated phishing campaigns. Clicking a simulated phishing link triggers a short training module — it’s not punitive. The goal is awareness.
If you receive an unusual volume of phishing attempts targeting your account specifically, notify the security team.

Last modified on June 5, 2026