Cybersecurity Blog

How one MRU employee was tricked by a phishing email

11/13/2025

Bob (not his real name) started his day like any other, going through his inbox on his phone while he had his morning cup of coffee. He was swamped with a project that had a looming deadline. Between that and his other tasks, he was juggling several balls. Bob desperately hoped that he wouldn’t drop one as he scanned through his emails, looking for anything that seemed urgent.

One email in particular jumped out at him. It was from Caroline. He knew his boss had met with her. It had Strategic Plan Draft in the subject line. “This might be important,” he thought. He opened the email. It looked something like this.

 

He had been accepting a ton of document shares lately as part of his project work. So much so that his brain had developed a shorthand for identifying them. As a result, when he looked at this email that mimicked a legitimate Google Drive share email, he focused on the key elements the attacker had included and determined that it was from Caroline. Even though the sending email address was wrong and it was not Caroline’s email address that was sharing the document, Bob’s brain used its shorthand to deem the email legitimate.

Because he was using his phone to check the email, he didn’t see the sender’s email address either (this screenshot is from a computer), which would have tipped him off. All of this was exacerbated by his urgency to get through his emails so he could get back to working on his project. It was the perfect storm. He clicked the link.

Fortunately for Bob, this was a phishing training email. He quickly realized the email was not what he thought it was, and he reported it by clicking on the three dots in the upper right corner of the email window and selecting Report phishing from the drop-down menu.

Had this been a real phishing email, his quick actions would have saved the University and his colleagues a lot of pain. As it was just a phishing training email, he was rewarded for his reporting efforts. Bob could have been embarrassed and ashamed that he had made an error that could have caused immense damage, especially as he had completed all his cybersecurity awareness training and knew what to look for. Instead, he chose to share what he learned in the hope that others would not make the same mistake he did.

Here is Bob’s advice:

  1. When you are reading your emails, slow down. Read every one carefully and thoughtfully.
  2. Check the sender’s email address every time. If you are going to use your phone to do so, make sure you know how. Otherwise, wait until you get to your computer to respond.
  3. The right email at the right time can trick anyone. Make sure you report your error right away.

You don’t have to make the same mistake Bob did. Follow his advice, avoid the regrettable click and report every malicious email you find. Your colleagues and the University will thank you.
