Cyber
Awareness.

The first thing you should always check.

Before you type anything — look up. The address bar tells you if the site is encrypted and if the domain is who it claims to be.

Which of these is safe to enter your password on?

But HTTPS doesn't mean safe. A phishing site can have a lock icon too. The lock means the connection is encrypted — not that the site is trustworthy.

One character. That's all it takes.

Attackers register domains that look identical at a glance. rnicrosoft.com — that's an r and an n, not an m. Also: paypa1.com (one not L), amaz0n.com (zero not O), g00gle.com (zeros). Check every character.

Links lie.

The text says one thing. The URL goes somewhere else. Hover these links to see where they really go:

Click the links you think are safe. Hover to preview the real URL first.

On mobile there's no hover — long-press links to preview the URL. If the domain doesn't match, don't tap.

Time to clean out the inbox.

Click each email to read it. Spot the phishing. Click the sender address to check if it's legit.

Your texts lie too.

Phishing isn't just email. Check your messages.

No links. No malware. Just a request.

This email passed every spam filter. There's nothing technically malicious in it.

The sender is dchen@company-corp.com. Your company is company.com — not company-corp.com. No links to click, no malware to scan. BEC cost organizations $2.9 billion in 2023 (FBI IC3). It's the #1 financial loss vector in cybercrime.

Incoming call: IT Support.

Your boss is on the phone. Or is he?

You get an urgent call. The voice sounds exactly like your CFO.

Scan the code. Pay for parking.

You're at a parking meter. There are two QR codes — one is a sticker placed over the original. Tap one to scan it.

Type a password. We'll tell you how fast it dies.

Length beats complexity. correct-horse-battery-staple takes centuries to crack. P@ss1! takes seconds. Use a password manager — Bitwarden, 1Password, KeePass. Generate unique 16+ character passwords for every account.

You didn't try to log in.

You're watching TV. These notifications keep popping up.

What does incognito mode actually hide?

Check all that apply. Most people get this wrong.

Click to reveal what's hiding behind the name.

One of these is real.

Click the legitimate update notification.

The popup.

Software updates patch security vulnerabilities. Delaying them leaves you exposed to known attacks. Let's check your update status.

This just appeared on your work computer.

You Googled "download VLC media player".

Pick the right result. Watch the URLs.

You're grabbing coffee.

Spot the security violations.

Click every item on this desk that's a security risk.

Hey, can you hold the door?

You just badged through a secure door. Someone behind you with their hands full says "Left my badge at my desk — can you hold it?"

You found this in the parking lot.

You're at the airport. Pick a network.

Your phone is at 4%. Flight boards in 45 minutes.

You're working from a coffee shop.

You need to access the company VPN and check email. How do you connect?

FreePDFConverter.com wants access.

Her profile is public. Find the risks.

Tap every post that leaks information an attacker could exploit.

Convenient isn't the same as allowed.

Four workplace shortcuts. Acceptable or violation?

Not everything is confidential. That's the problem.

Classify each document. Over-classification is as bad as under-classification.

Which of these would you report?

Not every coworker having a bad day is a threat. But some patterns matter. Tap the behaviors that should be reported.

When in doubt, report.

For each situation: report now, report later, or not reportable?

How'd you do?