We use cookies to enhance your browsing experience, serve personalized ads, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.
This page is the training. Scroll down. Click things. Some of them bite.
— lesson 0
—the address bar
The first thing you should always check.
Before you type anything — look up. The address bar tells you if the site is encrypted and if the domain is who it claims to be.
Which of these is safe to enter your password on?
http://mybank.com/login — Not Secure
Enter your username and password to continue.
https://mybank.com/login
Enter your username and password to continue.
But HTTPS doesn't mean safe. A phishing site can have a lock icon too. The lock means the connection is encrypted — not that the site is trustworthy.
—spot the fake
One character. That's all it takes.
Click the real domain. Look carefully.
Attackers register domains that look identical at a glance. rnicrosoft.com — that's an r and an n, not an m. Also: paypa1.com (one not L), amaz0n.com (zero not O), g00gle.com (zeros). Check every character.
—the hover test
Links lie.
The text says one thing. The URL goes somewhere else. Hover these links to see where they really go:
Click here to verify your PayPal account → https://paypa1-verify.security-check.ru/login
✗ The real URL goes to a Russian domain. Sender is paypa1 — one not L.
Review your latest Amazon order → https://www.amazon.com/orders
✓ The real URL matches amazon.com — this one's legit.
Your Microsoft 365 password expires today → https://rnicrosoft365-reset.com/update
✗ The domain is rnicrosoft — "rn" looks like "m" in most fonts. Classic homograph attack.
Your UPS package is out for delivery → https://www.ups.com/track?loc=en_US&tracknum=1Z999AA1
✓ Correct ups.com domain with a real tracking parameter.
Zoom: You have a new meeting invite → https://z00m-meeting.us-verify.net/join/8832
✗ Domain is z00m-meeting.us-verify.net — zeros, wrong domain. Real Zoom is zoom.us.
Click the links you think are safe. Hover to preview the real URL first.
On mobile there's no hover — long-press links to preview the URL. If the domain doesn't match, don't tap.
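The hover test and the character check from "spot the fake" can be automated for mail links. The sketch below is an added example, not code from this page: the `TRUSTED` allowlist and the function names are assumptions, and the last sample URL is constructed.

```python
from urllib.parse import urlsplit

# Assumption: an allowlist of the domains you actually expect in mail links.
TRUSTED = {"paypal.com", "amazon.com", "microsoft.com", "ups.com", "zoom.us"}

# Lookalike swaps named on this page: "rn" for m, 0 for o, 1 for l.
SWAPS = (("rn", "m"), ("0", "o"), ("1", "l"))


def trusted_parent(host):
    """Return the allowlisted domain that host equals or sits under, else None."""
    for domain in TRUSTED:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def imitated_brand(host):
    """Undo the swaps, then look for a trusted brand name among the host's parts."""
    skeleton = host
    for fake, real in SWAPS:
        skeleton = skeleton.replace(fake, real)
    parts = skeleton.replace("-", ".").split(".")
    # Drop trailing digits so "microsoft365" still compares equal to "microsoft".
    words = {p.rstrip("0123456789") for p in parts}
    for domain in sorted(TRUSTED):
        if domain.split(".")[0] in words:
            return domain
    return None


def check_link(url):
    """Classify the URL a link really points to, whatever its visible text says."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    parent = trusted_parent(host)
    if parent:
        return ("trusted" if parts.scheme == "https" else "unencrypted", parent)
    brand = imitated_brand(host)
    if brand:
        return ("lookalike", brand)
    return ("unknown", host)


if __name__ == "__main__":
    for url in ("https://paypa1-verify.security-check.ru/login",
                "https://www.amazon.com/orders",
                "https://rnicrosoft365-reset.com/update",
                "https://amazon.com.login.example.net/orders"):  # constructed sample
        print(check_link(url), url)
```

A brand name that appears anywhere other than the end of the host counts as a lookalike, which is why the constructed `amazon.com.login.example.net` sample is flagged.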
Act 2 — The Inbox
—your inbox
Time to clean out the inbox.
Click each email to read it. Spot the phishing. Click the sender address to check if it's legit.
Inbox (6)
Select an email to read
—passwords
Type a password. We'll tell you how fast it dies.
Length beats complexity. correct-horse-battery-staple takes centuries to crack. P@ss1! takes seconds. Use a password manager — Bitwarden, 1Password, KeePass. Generate unique 16+ character passwords for every account.
Act 3 — Your Environment
—public wi-fi
You're at the airport. Pick a network.
9:41 AM Airplane Mode 64%
Wi-Fi
Choose a network to join
—the popup
The popup.
Software updates patch security vulnerabilities. Delaying them leaves you exposed to known attacks. Let's check your update status.
System Security Check
Checking for outdated software...
Operating System: ✓ Up to date
Web Browser: ✓ Up to date
Adobe Flash Player: ✗ Critical update required
—physical security
You're grabbing coffee.
Your laptop is open with email, Slack, and VPN connected. What do you do?
—file extensions
Click to reveal what's hiding behind the name.
safe or malware?
Invoice_Q4.pdf
128 KB — PDF Document
✓ Safe
A normal PDF. The extension matches the file type. No hidden executable.
safe or malware?
Invoice_Q4.pdf.exe
2.4 MB — Application
✗ Malware
The real extension is .exe — an executable. The ".pdf" is fake decoration. Windows hides extensions by default.
safe or malware?
Report.xlsm
890 KB — Excel Macro-Enabled
~ Risky
.xlsm files contain macros that can execute code. Only open one if you trust the sender AND have verified it with them directly.
safe or malware?
Photo.jpg.scr
1.1 MB — Screensaver
✗ Malware
.scr is a screensaver executable — it runs code. The ".jpg" is fake. Another hidden extension trick.
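The four cards above, as a filename check a mail filter could apply. This is an added example, not code from this page: the function name `triage` and the three short extension lists are assumptions built from the cards, and the check looks at the name only, not the file content.

```python
from pathlib import PureWindowsPath

# Extensions taken from the cards above; a real deployment would use longer lists.
EXECUTABLE = {".exe", ".scr"}      # run code when opened
MACRO_ENABLED = {".xlsm"}          # documents that can carry macros
DECOY = {".pdf", ".jpg"}           # harmless-looking types used as the fake part


def triage(filename):
    """Name-only triage of an attachment; it says nothing about file content."""
    path = PureWindowsPath(filename.strip())
    suffixes = [s.lower() for s in path.suffixes]
    real = suffixes[-1] if suffixes else ""
    result = {
        "real_ext": real,
        # With "Hide extensions for known file types" on, only the stem is shown.
        "shown_as": path.stem if real else path.name,
        "verdict": "safe",
    }
    if real in EXECUTABLE:
        # An executable whose name ends in a document type first is a disguise.
        disguised = len(suffixes) > 1 and suffixes[-2] in DECOY
        result["verdict"] = "malware" if disguised else "risky"
    elif real in MACRO_ENABLED:
        result["verdict"] = "risky"
    return result


if __name__ == "__main__":
    for name in ("Invoice_Q4.pdf", "Invoice_Q4.pdf.exe",
                 "Report.xlsm", "Photo.jpg.scr"):
        print(name, triage(name))
```

The `shown_as` field is the point of the exercise: `Invoice_Q4.pdf.exe` is displayed as `Invoice_Q4.pdf` when extensions are hidden.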
—smishing
Your texts lie too.
Phishing isn't just email. Check your messages.
9:41 AM LTE 47%
Messages
Act 4 — The Physical World
—usb drop
You found this in the parking lot.
USB Flash Drive
Label: "Q4 Payroll — Confidential"
—qr scam
Scan the code. Pay for parking.
You're at a parking meter. There are two QR codes — one is a sticker placed over the original. Tap one to scan it.
CITY PARKING — SCAN TO PAY
STICKER
Top QR (overlay)
c1ty-parking.com/pay
Bottom QR (original)
cityparking.gov/pay
Tap a QR code to scan
—tailgating
Hey, can you hold the door?
You just badged through a secure door. Someone behind you with their hands full says "Left my badge at my desk — can you hold it?"
—ransomware
This just appeared on your work computer.
YOUR FILES HAS BEEN ENCRYPTED
All your documents, photos, databases are encrypted. To decrypt send 0.5 BTC to wallet address below.
23:59:47
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
—clean desk audit
Spot the security violations.
Click every item on this desk that's a security risk.
Violations found: 0 / 5
—juice jacking
Your phone is at 4%. Flight boards in 45 minutes.
4% — Low Battery
Gate B14 — Charging Station Available
Act 5 — The Deeper Game
—oversharing
Her profile is public. Find the risks.
Tap every post that leaks information an attacker could exploit.
Jessica M.
@jessicam · 1,247 followers
Risks spotted: 0 / 4
—search poisoning
You Googled "download VLC media player".
Pick the right result. Watch the URLs.
download VLC media player
—vishing
Incoming call: IT Support.
IT Support (ext. 4401)
Connected — 0:42
IT: Hi, this is Mike from IT. We detected unusual login activity on your account from an IP in Romania.
IT: I need to verify your identity real quick. Can you confirm your password so I can check the audit log?
—browser permissions
FreePDFConverter.com wants access.
This site already has clipboard access — granted silently when you pasted text. Most users never know.
—mfa fatigue
You didn't try to log in.
You're watching TV. These notifications keep popping up.
—fake update
One of these is real.
Click the legitimate update notification.
System Update Available
macOS 15.2 is available. Includes security fixes and performance improvements.
Restart to install · 2.1 GB
CRITICAL UPDATE REQUIRED!!
Your Adobe Flash Player is OUT OF DATE! Your system is at RISK!! Click HERE to update NOW!
Update immediately · free download
—incognito myth
What does incognito mode actually hide?
Check all that apply. Most people get this wrong.
Private Browsing Mode
The point.
Every interaction on this page is something that happens to real people every day. The cookie popup. The misspelled domain. The urgent email. The parking lot USB. The MFA prompt at midnight. None of this is hypothetical — it's Tuesday.
The difference between a breach and a near-miss is usually one click. Stay skeptical. Hover before you click. Check the sender. Lock your screen. Use a password manager. Don't plug in random drives. And for the love of everything — reject the cookies.