Phishing Quiz with Answers: Spot Email Scams and Stay Safe
This quiz targets security-awareness skills for identifying email phishing tactics (spoofed senders, deceptive links, credential-harvesting pages, and BEC-style payment requests) at the depth expected in an introductory information assurance course and the CompTIA Security+ social engineering objectives. Whether you are compiling a phishing quiz with answers as a PDF, comparing a phishing email quiz to real inbox risk, drafting phishing survey questions, or simply searching for a phishing quiz with answers, the scenarios focus on the decisions you must make before clicking, replying, or paying.
Disclaimer
This quiz is for educational purposes only. It does not constitute professional advice. Consult a qualified professional for specific guidance.
High-Frequency Phishing Misreads That Still Lead to Real Breaches
Most misses in a phishing email quiz come from fast pattern-matching under time pressure, not from ignoring “obvious” typos. These are the errors that repeatedly cause credential theft and business email compromise (BEC) outcomes.
Trusting the display name instead of the real sender
Avoid it: Expand the sender details and verify the domain matches the organization’s real domain (not a free mail domain, a misspelling, or an unrelated vendor domain). Treat “external” banners as a signal, not proof of safety.
Reading the link text, not the destination
Avoid it: Hover to preview, but also evaluate who controls the domain and whether the path makes sense (login pages on strange subdomains, URL shorteners, and tracking/redirect chains). When stakes are high (passwords, payments), open a new tab and navigate via a trusted bookmark or known URL.
Assuming HTTPS or a lock icon means legitimacy
Avoid it: Encryption protects transport, not identity. A phishing site can use HTTPS; legitimacy comes from the correct domain and expected workflow.
Ignoring reply-to, “on behalf of,” and header cues
Avoid it: If “From” looks right but replies route elsewhere (or the message is “on behalf of” an unexpected sender), treat it as suspicious until verified via a separate channel.
Normalizing urgent “action required” demands
Avoid it: Deadlines, threats, or secrecy requests are designed to bypass controls. Slow down and verify the request using known contacts—especially for payroll changes, wire transfers, gift cards, and MFA resets.
Opening unexpected attachments as if they were inert documents
Avoid it: Office files, PDFs, and archives can deliver malware or credential prompts. If you weren’t expecting it, confirm the context first and use approved secure-sharing methods.
Email Phishing Detection: 5 Actions That Raise Your Accuracy Immediately
Use these takeaways as a checklist for what the quiz is really measuring: your ability to validate identity, intent, and destination before you interact with a message.
- Validate the sender’s domain and the reply path before content. Expand the sender details, confirm the organizational domain, and check for reply-to mismatches; treat “looks internal” as untrusted until verified.
- Judge links by registrable domain ownership, not by familiar words. A brand name in the subdomain (e.g., brand.login.example) can still point to an attacker-controlled domain; when uncertain, navigate independently rather than using the email’s button.
- Translate urgency into a verification step. If an email imposes a deadline (account lock, payment failure, delivery issue), switch channels: call a known number, use your company directory, or open the vendor portal from a saved bookmark.
- Treat credential prompts as high-risk events. Password resets, MFA re-enrollment, “secure document” viewers, and shared file notifications are common lures; use your organization’s official sign-in entry point and consider phishing-resistant MFA where available.
- Assume attachments can execute outcomes, not just display content. Unexpected invoices, “scanned documents,” HR forms, and compressed files should be handled as potential malware delivery or credential capture; confirm with the supposed sender and use scanning/preview tools approved by IT.
Skill goal: build the habit of pausing at the decision points the attacker needs—click, reply, open, or pay—and forcing a quick identity/destination check first.
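As an added example (not code from the original quiz page), the following Python turns the identity, reply-path, destination, and urgency checks from the list above into a small header-and-link inspector. It assumes example.com is the organization's own domain, runs over a constructed sample message, and approximates the registrable domain with the last two labels rather than consulting the Public Suffix List.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email) showing three misreads from the list:
# a trustworthy display name over an unrelated sender domain, a Reply-To that routes
# elsewhere, and link text naming the brand while the href lands on another domain.
SAMPLE_RAW = """\
From: "Example Corp IT Support" <helpdesk@example-corp-support.net>
Reply-To: billing@mail.example.org
To: user@example.com
Subject: Action required: password expires today
Content-Type: text/html

<p>Your password expires in 2 hours.</p>
<a href="https://example.com.login.example.net/reset">https://example.com/reset</a>
"""

ORG_DOMAIN = "example.com"  # assumed organizational domain for this example


def registrable_domain(host):
    # Naive approximation: last two labels. Production code should use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(addr_header):
    # Domain of the real address, ignoring the display name entirely.
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw, org_domain=ORG_DOMAIN):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    if registrable_domain(from_dom) != org_domain:          # sender identity check
        findings.append(("sender-domain-mismatch", from_dom))
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:                  # reply-path check
        findings.append(("reply-to-mismatch", reply_dom))
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        href_dom = registrable_domain(urlparse(href).hostname or "")
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and registrable_domain(text_host) != href_dom:  # destination check
            findings.append(("link-text-mismatch", href_dom))
    subject = str(msg["Subject"] or "")
    if re.search(r"\b(action required|expires? (today|in \d+ hours?))\b", subject, re.I):
        findings.append(("urgency-lure", subject))           # pressure-tactic check
    return findings
```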
Authoritative Phishing Guidance for Deeper Study (Gov + Standards)
- CISA: Recognize and Report Phishing — Practical indicators, resist/report guidance, and tip-sheet material suitable for security awareness training.
- CISA: Avoiding Social Engineering and Phishing Attacks — Deeper explanation of phishing mechanics, spoofed links, and recommended protective behaviors.
- FTC Consumer Advice: How to Recognize and Avoid Phishing Scams — Clear guidance on recognition, protection steps, and what to do if you already responded.
- OCC: Phishing Attack Prevention — Banking-focused phishing warnings and response steps if financial data is exposed.
- NIST SP 800-63B: Digital Identity Guidelines (Authentication) — Standards language on phishing-resistant authentication and why some MFA methods are more resistant than others.
Phishing Email Quiz FAQ: Interpreting Red Flags and Choosing Safe Next Steps
Which parts of an email should I inspect first to spot spoofing quickly?
Start with the From address (expand it), then check reply-to and any “sent on behalf of” indicator. Next, evaluate the call to action (reset password, open attachment, approve payment) and only then read the narrative. This order prevents a believable story from biasing your technical checks.
If the URL preview looks normal when I hover, is it safe to click?
It’s safer, not guaranteed. Lookalike domains can appear legitimate at a glance, and redirect chains can begin on a reputable domain and end on a credential-harvesting page. For logins, payroll, or payments, the safer workflow is: open a new tab and navigate via a trusted bookmark or your organization’s official portal.
How do I handle emails requesting wire transfers, gift cards, or payroll changes?
Treat them as potential business email compromise even if the sender appears internal. Use an out-of-band verification step (call a known number from your directory, not the email). Require a second approver for payment changes, and confirm the request details (beneficiary, routing, timing) verbally.
What should I do immediately if I clicked a suspicious link or opened an attachment?
Stop the interaction (close the tab/document), do not enter credentials, and report it to your IT/security team using your organization’s preferred method. If you entered a password, change it right away and enable MFA; if it was a work account, follow incident-response instructions from IT. For broader practice on workplace reporting and safe handling, see the Information Security Quiz for Employees.
Why do some phishing emails look “perfect” now, and what should I rely on instead of spelling mistakes?
Attackers increasingly use polished templates and AI-assisted writing, so grammar is no longer a reliable filter. Use stronger signals: context mismatch (unexpected invoice/reset), identity mismatch (sender domain, reply-to), and destination mismatch (where the link actually goes). Also, prepare for account recovery by maintaining secure backups of important data; the Data Backup Assessment Questionnaire complements this quiz by reinforcing resilience if an incident escalates.