Lesson 5.2

Realistic Scenarios

15 minutes

These scenarios are designed to be ambiguous — just like real life. Not every suspicious message is an attack. Not every legitimate message is safe. Your job is to apply the checklist, decide which Rules apply, and take the right action.

For each scenario, think through the four questions (WHO, WHAT, WHY, DOES IT MAKE SENSE) before revealing the answer.


Scenario 1: The New Vendor Invoice

You work in Accounts Payable. An email arrives from a company you’ve been in talks with but haven’t done business with yet. They’ve sent a signed contract and an initial invoice for $22,000 with wire transfer instructions.

The email comes from [email protected]. You search for the company online and find their website is summitconsultinggroup.com.

The contract looks professional. The amounts match what was discussed. But the domains are different.

Is this legitimate? What do you do?

Answer

**The domains don't match** — the email is from `summitconsulting.co` but the company's real website is `summitconsultinggroup.com`. This could be a scam using a lookalike domain, or it could be (though unusual) a separate billing domain. Don't assume the worst, but don't assume the best either. This is a $22,000 wire transfer — the stakes warrant a phone call.

**What to do:**

1. Call Summit Consulting Group at the phone number on their real website (`summitconsultinggroup.com`) or from your notes from business discussions
2. Ask: "We received an invoice from `[email protected]`. Is that your billing address?"
3. If they confirm — proceed with normal payment processing
4. If they don't recognize it — you've just caught a fraud attempt. Report it to your security team and alert Summit Consulting that someone is impersonating them.

**Rules that apply:**

- **Rule #1** (the real destination is the last two parts before the slash) — the domains are different
- **Rule #3** (never use a suspicious message to verify itself) — don't call a number from the invoice; use one from the real website
- **Rule #12** (any change to where money goes requires a phone call) — this is a new payee with wire instructions
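
Rule #1 can be applied mechanically. The following Python helper is an added example for this lesson, not part of the course material: it pulls the "last two parts before the slash" out of a sender address or URL and compares them with the company's known website. The sender address `billing@summitconsulting.co` in the sample run is constructed, and the helper uses the lesson's simplified two-label rule, so it does not handle multi-label suffixes such as `co.uk`.

```python
"""Rule #1 helper: compare the registrable domain of a sender (email address
or link) with the registrable domain of a company's known website.
Added example, not course material. Simplified: last two labels only."""
from urllib.parse import urlsplit


def host_of(value: str) -> str:
    """Extract the host from an email address or a URL (scheme optional)."""
    if "@" in value and "://" not in value:
        host = value.rsplit("@", 1)[1]          # part after the last '@'
    else:
        target = value if "://" in value else "https://" + value
        host = urlsplit(target).hostname or ""  # drops path, port, userinfo
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Rule #1: the last two parts before the slash are the real destination."""
    return ".".join(host.split(".")[-2:])


def domain_check(sender: str, known_site: str) -> dict:
    """Classify the sender as match / lookalike / unrelated versus the known site."""
    sender_host = host_of(sender)
    sender_dom = registrable_domain(sender_host)
    known_dom = registrable_domain(host_of(known_site))
    if sender_dom == known_dom:
        verdict = "match"
    else:
        known_name = known_dom.split(".")[0]    # e.g. "summitconsultinggroup"
        sender_name = sender_dom.split(".")[0]  # e.g. "summitconsulting"
        # Lookalike: the real name appears somewhere in the sender's host (as a
        # subdomain trick), or the two first labels overlap or share a prefix.
        similar = bool(sender_name) and (
            known_name in sender_host
            or sender_name in known_name
            or sender_name[:6] == known_name[:6]
        )
        verdict = "lookalike" if similar else "unrelated"
    return {"sender_domain": sender_dom, "known_domain": known_dom,
            "verdict": verdict, "verify_by_phone": verdict != "match"}


if __name__ == "__main__":
    # Constructed sample sender; the company site is the one from the scenario.
    print(domain_check("billing@summitconsulting.co", "summitconsultinggroup.com"))
```

Anything other than `match` sets `verify_by_phone`, which is the scenario's answer: pick up the phone using a number from the real site.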

Scenario 2: The IT Password Reset — NOT a scam

Your IT department sends a company-wide email:

“As part of our quarterly security review, all employees must reset their passwords by Friday. Click the link below to access the IT portal.”

The link goes to your company’s real IT portal. The email came from your real IT department’s address. Your manager mentioned the password reset in yesterday’s team meeting.

Is this phishing?

Answer

**This is legitimate.** Run the checklist:

- **WHO:** Your real IT department, from their real email address
- **WHAT:** Reset your password via the real IT portal
- **WHY:** Quarterly review — routine, not urgent or threatening
- **DOES IT MAKE SENSE:** Yes — your manager independently confirmed it yesterday

However, best practice is still to navigate to the IT portal directly (type the URL or use a bookmark) rather than clicking the email link. This costs nothing extra and eliminates even the theoretical risk of a compromised IT account.

**The important lesson here:** NOT everything is a scam. Flagging this legitimate IT communication as phishing would waste your security team's time investigating a false alarm. Calibrated judgment — the ability to distinguish real from fake based on evidence — is more valuable than blanket suspicion.

**Rule that applies:**

- **Rule #14** (not everything is a threat — accurate judgment beats blanket suspicion)

Scenario 3: The Deepfake Voice Call

Your phone rings at 4:40 PM on a Friday. It’s your CFO — sounds exactly like them. They say:

“Hey, I’m traveling and I need you to process a $95,000 wire transfer to a new vendor before banks close. The contract closes Monday and we can’t miss this deadline. I’ll send you the account details by email. Please process it right away — I’m about to board a flight and won’t be reachable for several hours.”

The voice is perfect. The caller ID shows the CFO’s name. The request references a project you know is real.

What do you do?

Answer

**This has every hallmark of a vishing attack using AI voice cloning.** Run the checklist:

- **WHO:** Caller ID can be spoofed. AI can clone voices from seconds of audio. The "who" cannot be verified from the call itself.
- **WHAT:** Process a $95,000 wire to a NEW vendor — high-risk action
- **WHY:** "Before banks close," "about to board a flight," "won't be reachable" — manufactured urgency designed to prevent you from verifying
- **DOES IT MAKE SENSE:** Would the CFO normally call you directly to process a wire? Would they normally bypass the two-person approval process? Would a $95,000 payment really not be set up until 4:40 PM on a Friday?

**What to do:**

1. Hang up
2. Call the CFO at their known number from your contacts or company directory
3. If it was really them, they'll understand. If it wasn't, you just prevented a $95,000 loss.

The "won't be reachable for several hours" is the key tell — it's specifically designed to prevent the verification call. When someone tells you NOT to follow up, that's when you MUST follow up.

**Rules that apply:**

- **Rule #5** (the more urgent it feels, the more important it is to slow down)
- **Rule #7** (hang up and call back — you can't trust incoming calls)
- **Rule #12** (any change to where money goes requires a phone call to confirm)

Scenario 4: Your Account Was Compromised

A colleague walks to your desk and says: “I got a weird email from you with a link to a shared document, but I don’t remember you sending anything about this. Did you send it?”

You did not send it.

What should you do?

Answer

**Your email account may be compromised.** This is now an incident response situation. Take these steps immediately:

1. **Tell your colleague NOT to click the link** if they haven't already — and to warn anyone else who received it
2. **Change your password immediately** from a trusted device
3. **Check your Sent folder** for messages you didn't send
4. **Check your email rules and filters** — look for forwarding rules you didn't create. Attackers commonly set up rules with minimal names (a period, a semicolon, a single letter) that forward emails containing keywords like "invoice," "payment," or "bank" to an external address. These rules survive password resets.
5. **Review connected applications** — check for OAuth apps you didn't authorize. Revoke anything unfamiliar. Remember: password resets alone do NOT invalidate existing OAuth tokens.
6. **Contact your IT/security team immediately** — "My colleague received an email from my account that I didn't send. I think my account may be compromised."
7. **Think about exposure** — did you recently enter credentials on a page you weren't 100% sure about? Do you reuse this password on other sites?

Notice how the compromise was discovered: not by you, but by a colleague who verified in person ("Did you send this?"). Your colleague applied **Rule #6** (verify the person, not the account) — they didn't trust the email just because it came from your address. They walked over and asked you directly.

**Rules that apply:**

- **Rule #6** (verify the person, not the account — your colleague did this by asking you in person)
- **Rule #3** (never use a suspicious message to verify itself — your colleague went outside of it)
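
The rule-and-filter check in step 4 is something a security team can run over an exported rule list rather than eyeball. The Python below is an added example, not course material: it triages a constructed set of mailbox rules (field names `name`, `keywords`, `forward_to`, `delete` and the company domain `example.com` are assumed) for the indicators the answer describes, plus a "deletes the message" flag, which is an extra indicator not mentioned in the lesson.

```python
"""Triage exported mailbox rules for the Scenario 4 compromise pattern:
tiny or punctuation-only names, forwarding to an external address, and
keyword conditions on money words. Added example; rule format is assumed."""
import re

MONEY_WORDS = {"invoice", "payment", "bank", "wire", "remit"}
COMPANY_DOMAIN = "example.com"   # assumed: the organisation's own mail domain

# Constructed sample export resembling what a mail admin might pull per user.
SAMPLE_RULES = [
    {"name": "Newsletters", "keywords": ["unsubscribe"], "forward_to": [], "delete": False},
    {"name": ".", "keywords": ["invoice", "payment"],
     "forward_to": ["drop@external-example.net"], "delete": True},
    {"name": "Team", "keywords": [], "forward_to": ["teamlead@example.com"], "delete": False},
    {"name": "a", "keywords": ["bank"], "forward_to": [], "delete": True},
]


def rule_findings(rule: dict, company_domain: str = COMPANY_DOMAIN) -> list:
    """Return the names of the indicators that fire for one rule (in fixed order)."""
    findings = []
    name = rule.get("name", "").strip()
    if len(name) <= 1 or not re.search(r"[A-Za-z0-9]", name):
        findings.append("minimal_name")        # ".", ";", "a" ...
    external = [addr for addr in rule.get("forward_to", [])
                if addr.rsplit("@", 1)[-1].lower() != company_domain]
    if external:
        findings.append("external_forward")    # mail leaves the organisation
    if {k.lower() for k in rule.get("keywords", [])} & MONEY_WORDS:
        findings.append("money_keywords")      # invoice / payment / bank ...
    if rule.get("delete"):
        findings.append("deletes_mail")        # extra indicator: owner never sees the copy
    return findings


def triage(rules: list) -> list:
    """Return (name, score, findings) for every rule with at least one finding,
    highest score first; rules with no findings are omitted."""
    scored = []
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            scored.append((rule["name"], len(findings), findings))
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score, findings in triage(SAMPLE_RULES):
        print(f"{score}  {name!r:15} {', '.join(findings)}")
```

A rule that scores on all of name, external forward and money keywords is the textbook post-compromise persistence the answer warns about and should be removed along with the password reset and OAuth review, not instead of them.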

Scenario 5: Everything Checks Out

You receive an email from a client you work with regularly. It’s in an existing email thread about a real project. The client asks you to review a document and provides a link.

You check the link: it goes to their real company domain. The email came from their real email address. The project reference is accurate. The tone matches how they normally write. Everything looks completely normal.

Should you click the link?

Answer

**Yes.** Run the checklist:

- **WHO:** Real client, real address, in a thread you've been part of
- **WHAT:** Review a document — no money, no passwords, no sensitive data
- **WHY:** Normal project workflow — no manufactured urgency
- **DOES IT MAKE SENSE:** Yes, completely. This is routine collaboration.

The checklist clears it. Click the link.

**One caveat:** If the document requires you to enter credentials (username and password) to view it, pause and verify through a separate channel. A compromised account could send a link to a credential-harvesting page, even if the initial email looks perfect. But if it's just a document to review — proceed normally.

**The broader lesson:** Not everything is a threat. If you refuse to click any link ever, you can't do your job. If you treat every email with suspicion regardless of evidence, your colleagues will stop taking you seriously — and you'll burn out from the constant vigilance. The goal of this course was never to make you afraid of email. It was to give you a reliable process for distinguishing the 0.1% that's dangerous from the 99.9% that's routine. The four questions work. Trust them.

**Rule that applies:**

- **Rule #14** (not everything is a threat — accurate judgment beats blanket suspicion)

The Rule: Not everything is a threat. Accurate judgment beats blanket suspicion.