Lesson 3.3

Putting VERIFY into Practice

10 minutes

Complete Walkthrough: The IT Support Call

Let’s walk through a complete scenario using both PUSHED and VERIFY.

The Scenario

Your phone rings. Caller ID shows “IT Support.” The caller says:

“Hi, this is Mike from IT. We detected malware on your laptop — it’s actively stealing data right now. We need remote access immediately to clean it, or we’ll have to remotely wipe your computer to protect the network.”

Step 1: PUSHED Check

Before anything else, notice your emotional response. What PUSHED tactics are present?

  • U - Urgency ("immediately," "right now")
  • H - High-stakes (data loss, computer wipe)
  • P - Pressure (IT authority)

You’re definitely being PUSHED. Time to VERIFY.

Step 2: VERIFY Walkthrough

V — View Carefully

Who is actually contacting me?

  • Caller ID says “IT Support” but anyone can spoof caller ID
  • I don’t recognize “Mike” from IT
  • Is this how our IT department normally contacts me?

E — Evaluate Context

Does this make sense?

  • Has my computer been acting strange? (No)
  • Did I do anything risky recently? (No)
  • Does IT normally call, or do they email/ticket? (Usually they email first)
  • Have I ever received a call like this from IT? (No)

R — Request Examination

What are they asking for?

  • Remote access to my computer
  • Permission to download software
  • This is a very high-risk request — giving remote access is like handing over your keys

I — Interrogate Action

Challenge the urgency:

  • What happens if I take 5 minutes to verify this?
  • If this is real, IT will understand
  • If it’s fake, they’ll push back on any delay

F — Freeze Action

What should I NOT do?

  • Don’t download anything
  • Don’t grant remote access
  • Don’t share any passwords or codes

Y — Your Instincts

Does this feel right?

  • Unsolicited call demanding immediate remote access should feel wrong
  • The pressure and urgency are suspicious
  • Something is off

The Correct Response

Say this:

“I understand this sounds urgent. Let me verify this by contacting the IT helpdesk directly. Can you give me a ticket number I can reference?”

Then:

  1. Hang up politely
  2. Contact IT through official channels — call the helpdesk at the number you already know, or submit a ticket through the normal system
  3. Report the suspicious call to your IT security team

If it was real: IT will have a record and can help you.

If it was fake: You just stopped an attack.


Complete Walkthrough: The Bank Fraud Text

The Scenario

You receive a text message:

Text Message from 73628
Chase: We detected a $847.23 purchase at Apple Store. If you did not make this purchase, call immediately: 1-888-555-0192

PUSHED Check

  • H - High-stakes (potential fraud)
  • U - Urgency ("immediately")
  • S - Surprise (unexpected alert)

VERIFY Walkthrough

V — View Carefully

  • Short code 73628 — is this a known Chase number? (Not sure)
  • The phone number provided — is this Chase’s real number? (Can’t confirm)

E — Evaluate Context

  • Did I make an Apple purchase recently? (Check your memory/wallet)
  • Is Chase my bank? (If no, definitely fake)
  • Do I normally get fraud alerts by text from Chase?

R — Request Examination

  • They want me to call a number
  • That could connect me to scammers who will try to get my card details

I — Interrogate Action

  • What if I take 2 minutes to look up Chase’s real number instead?
  • If it’s real fraud, it’ll still be fraud 2 minutes from now

F — Freeze Action

  • Don’t call the number in the text
  • Don’t reply to the text

Y — Your Instincts

  • Something about this feels off — probably the specific dollar amount designed to seem realistic

The Correct Response

  1. Do NOT call the number in the text
  2. Find Chase’s real number:
    • Look on the back of your Chase card
    • Or go to chase.com directly (type it yourself)
  3. Call them to ask if there’s actually a fraud alert
  4. Check your account through the official Chase app or website

If the fraud is real: The bank will have a record.

If it’s a scam: You protected yourself.


Quick Scenario: The Password Reset Email

Microsoft Account Team
Subject: Your password expires in 24 hours

Your Microsoft password will expire in 24 hours. Click below to update it and avoid losing access to your account.

Update Password

Quick VERIFY:

  • V: Domain is microsoft-online-security.com, NOT microsoft.com ❌
  • E: Did I request a password change? No ❌
  • R: They want my credentials — high risk ❌
  • I: Can this wait while I check? Yes ✓
  • F: Don’t click the link ✓
  • Y: Feels suspicious ✓

Correct action: Go directly to account.microsoft.com (type it yourself) and check if there are any actual issues with your account.
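
The V check above can also be done mechanically. The following is an added example, not part of the original lesson: it compares a link's real hostname against a trusted domain on label boundaries and shows why a simple "contains microsoft.com" test is not enough. The TRUSTED set, the function names and the sample links under login-check.example are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains the reader already trusts for this brand.
TRUSTED = {"microsoft.com"}

def naive_check(url):
    """Weak check: passes any URL that merely contains the brand domain."""
    return "microsoft.com" in url.lower()

def host_of(url):
    """Real hostname of a URL: lowercased, no userinfo, port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def is_trusted_host(host, trusted=TRUSTED):
    """True only for a trusted domain itself or a true subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def check_link(url, trusted=TRUSTED):
    """Return (hostname the browser would actually contact, trusted?)."""
    host = host_of(url)
    return host, bool(host) and is_trusted_host(host, trusted)

# Constructed sample links; only the first two domains appear in the lesson.
SAMPLES = [
    "https://account.microsoft.com/security",
    "https://microsoft-online-security.com/update",      # hyphenated lookalike
    "https://microsoft.com.login-check.example/reset",   # brand as a subdomain label
    "https://microsoft.com@login-check.example/reset",   # brand in the userinfo part
    "https://ACCOUNT.MICROSOFT.COM./",                   # case and trailing dot
]

def triage(urls=SAMPLES):
    """Return (url, real host, strict verdict, naive verdict) for each link."""
    return [(u, *check_link(u), naive_check(u)) for u in urls]

if __name__ == "__main__":
    for url, host, ok, naive in triage():
        verdict = "OK     " if ok else "SUSPECT"
        print(f"{verdict} naive={naive!s:<5} host={host:<36} {url}")
```

The strict check flags the third and fourth links, which the substring test accepts because the text "microsoft.com" appears somewhere in the URL.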


The PUSHED + VERIFY Flow

Here’s how the two frameworks work together:

Message received
      ↓
Do I feel PUSHED?
      ↓
YES → Use VERIFY before acting
      ↓
V - Is the sender really who they claim?
E - Does this make sense in context?
R - Is this request normal and appropriate?
I - Can this wait for verification?
F - FREEZE - don't act yet
Y - Does something feel off?
      ↓
Verify through a SEPARATE CHANNEL
      ↓
Confirmed real → Proceed safely
Confirmed fake → Report and delete

Key Takeaways

  1. Use PUSHED to recognize when to verify
  2. Use VERIFY to systematically validate the message
  3. Always verify through a channel the attacker doesn’t control
  4. Never use contact information from the suspicious message
  5. If in doubt, take 5 minutes — legitimate requests can wait
  6. Report suspicious messages even if you’re not sure