This was a controlled test — no real data was captured. But in a real attack, things would be very different. Let's learn why this matters.
Here's how this simulated phishing attack unfolded — and how a real attack would work.
Phishing emails are designed to mimic trusted senders — banks, employers, IT departments, or popular services. They create a sense of urgency to stop you from thinking clearly.
The link appeared legitimate but pointed to a fake website. Real phishing URLs often mimic trusted domains with subtle typos or extra subdomains.
Fake pages are pixel-perfect copies of real ones. Any details you enter go directly to the attacker — not to the legitimate service.
With your credentials, attackers can lock you out, access sensitive data, impersonate you, and launch further attacks on your contacts.
Train your eye to spot these patterns in every email you receive.
The display name may say "Apple Support" but the actual email address looks nothing like apple.com. Always expand the sender field.
"Act within 24 hours or your account will be deleted." Pressure tactics are designed to override your rational thinking.
Hover over any link before clicking. If the destination URL looks odd, don't click. Go directly to the website instead.
"Dear Customer" or "Dear User" — legitimate companies know your name and personalise their communications.
No legitimate company will ask for your password, PIN, or security codes via email. Ever. Full stop.
Prize notifications, tax refunds, or package delivery alerts you weren't expecting are common lures to get you to click.
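The sender, lookalike-domain and link-destination checks above can also be expressed as code, for example in a mail-filter rule or a training tool. The following Python is an added example, not part of the original page; the brand allow-list, the function names and every address and URL used with it are constructed assumptions, and the heuristics will produce some false positives on unrelated short domains.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: brand keyword -> the domain that brand really uses.
TRUSTED = {"apple": "apple.com", "paypal": "paypal.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(host, domain):
    """True when host is the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_sender(from_header):
    """Flag a display name that names a brand the address does not belong to."""
    name, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2].lower()
    return [f"display name says '{brand}' but address is at {host}"
            for brand, domain in TRUSTED.items()
            if brand in name.lower() and not is_trusted(host, domain)]

def check_link(href, text=""):
    """Flag lookalike hosts and visible link text that names a different site."""
    host = (urlparse(href).hostname or "").lower()
    # Naive registered domain: last two labels, no public-suffix handling.
    registered = ".".join(host.split(".")[-2:])
    flags = []
    if not any(is_trusted(host, d) for d in TRUSTED.values()):
        for domain in TRUSTED.values():
            if f".{domain}." in f".{host}":        # trusted name used as extra subdomain
                flags.append(f"{domain} used as a subdomain of {registered}")
            elif edit_distance(registered, domain) <= 2:   # subtle typo
                flags.append(f"{registered} is a near-miss of {domain}")
    # What "hovering" reveals: the text shows one site, the link opens another.
    shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text.lower())
    if shown and not is_trusted(host, shown.group().removeprefix("www.")):
        flags.append(f"text shows {shown.group()} but link goes to {host}")
    return flags
```
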
Build these habits to protect yourself — and your organisation — every day.