Security and Privacy Basics — Lesson 4

Phishing, Malware, and Social Engineering

13 min read

Learning Objectives

  • 1. Recognize common phishing techniques and red flags.
  • 2. Understand malware delivery methods and basic prevention.
  • 3. Build a practical incident response process for small teams.

How phishing works

Phishing attacks impersonate trusted senders to trick recipients into clicking malicious links, opening infected attachments, entering credentials on fake login pages, or approving fraudulent transactions. They work because they exploit human trust and urgency rather than technical vulnerabilities.

Modern phishing is sophisticated. Attackers research their targets, impersonate specific colleagues or vendors, reference real projects, and build login pages that are nearly identical to the legitimate ones. A phishing email might quote a real invoice number, use the CFO's real name, and carry the company logo.

Red flags include unexpected urgency ("your account will be closed in 24 hours"), requests to bypass normal procedures ("wire this directly, don't go through the usual approval"), sender addresses that are slightly misspelled versions of a familiar one, and links whose destination is a domain similar to, but not exactly, the real one. Check the actual sender address rather than the display name, and the actual link target (shown on hover) rather than the link text: both the display name and the link text are trivially forged.
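The lookalike-domain and link red flags described above can be checked mechanically. The following Python script is an added example written for this lesson, not code from the original page. It assumes a constructed list of trusted domains (example.com and examplebank.com) and a few constructed sample links; it uses a simple last-two-labels rule rather than the Public Suffix List, so treat its output as a triage signal, not a verdict.

```python
"""Triage checks for two phishing red flags: lookalike domains and links
whose visible text does not match where they actually go."""
import re
from urllib.parse import urlparse

# Constructed for this example: the domains the organization really owns.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Character swaps that look alike in many fonts (applied to both sides).
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
SINGLE_CHAR_CONFUSABLES = str.maketrans("013578", "olestb")

# A display text that itself looks like a URL or a bare domain.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def normalize(domain):
    """Fold confusable characters so 'examp1e' and 'exarnple' read 'example'."""
    d = domain.lower()
    for seq, repl in MULTI_CHAR_CONFUSABLES:
        d = d.replace(seq, repl)
    return d.translate(SINGLE_CHAR_CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance: single-character edits separating a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Hostname of a URL or bare domain, lowercased, without a trailing dot."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".").lower()


def registrable_domain(host):
    """Last two labels of the host. A production tool would consult the
    Public Suffix List so that names like example.co.uk are handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_domain(host):
    """Return 'trusted', 'unknown', or a 'lookalike: <reason>' string."""
    rd = registrable_domain(host)
    if rd in TRUSTED_DOMAINS:
        return "trusted"
    nrd = normalize(rd)
    sld, _, tld = rd.rpartition(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        t_sld, _, t_tld = trusted.rpartition(".")
        if nrd == normalize(trusted):
            return "lookalike: confusable characters"
        if sld == t_sld and tld != t_tld:
            return "lookalike: different top-level domain"
        if edit_distance(nrd, normalize(trusted)) <= 2:
            return "lookalike: one or two characters changed"
    # example.com.attacker-mail.net or secure-example.net: the trusted name
    # appears, but the registrable domain belongs to someone else.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.rpartition(".")[0]
        if brand and brand in host:
            return "lookalike: trusted name inside an untrusted domain"
    return "unknown"


def assess_link(display_text, href):
    """Classify the real destination and flag a display/href domain mismatch."""
    href_host = host_of(href)
    result = {
        "href_host": href_host,
        "verdict": classify_domain(href_host),
        "display_mismatch": False,
    }
    shown = display_text.strip()
    if URL_LIKE.fullmatch(shown):
        result["display_mismatch"] = (
            registrable_domain(host_of(shown)) != registrable_domain(href_host)
        )
    return result


# Constructed sample links in the style of the red flags above.
SAMPLE_LINKS = [
    ("https://www.example.com/invoice/4471", "https://examp1e.com/invoice/4471"),
    ("Review invoice", "https://login.example.com/invoice/4471"),
    ("Reset your password", "https://example.com.attacker-mail.net/reset"),
    ("examplebank.com", "https://exarnplebank.com/login"),
]

if __name__ == "__main__":
    for shown, href in SAMPLE_LINKS:
        r = assess_link(shown, href)
        flag = " (link text points elsewhere)" if r["display_mismatch"] else ""
        print(f"{r['href_host']:35} {r['verdict']}{flag}")
```

Three signals are combined: characters that look alike (examp1e, exarnple), a familiar name on a different top-level domain or with a one-or-two-character typo, and a trusted name buried inside a domain someone else controls. The display/href comparison catches the common trick of showing the real URL as link text while sending the click elsewhere.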

Malware and ransomware prevention

Malware is malicious software that infects devices through email attachments, downloads, compromised websites, or infected USB drives. Common types include ransomware that encrypts your files, spyware that monitors your activity, and keyloggers that record everything you type.

Prevention is primarily about keeping software updated (updates close the vulnerabilities malware exploits), not opening unexpected attachments, not installing software from untrusted sources, using endpoint protection on all business devices, and not using administrator accounts for everyday work, so that anything that does run inherits as little privilege as possible.

Ransomware defense centers on backups. If your data is backed up regularly, tested by actually restoring it, and stored where the systems it protects cannot reach it (offline, or under credentials those systems do not hold, because ransomware deliberately encrypts or deletes any backup it can reach), ransomware loses most of its leverage. Without reliable backups, paying the ransom may be the only option, and payment does not guarantee recovery. Note also that many ransomware groups steal data before encrypting it; backups restore your operations but do not undo a leak.
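"Tested for restoration" is the step small teams most often skip. The following Python script is an added example for this lesson, not code from the original page: it records a SHA-256 manifest of a constructed sample backup set, restores it twice (once faithfully, once with a corrupted file and a missing file), and reports exactly what differs. File names and contents are constructed for the drill.

```python
"""Restore drill: hash every file when the backup is taken, then prove that
a restored copy matches byte for byte before the backup is trusted."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest; an empty list means the
    restore reproduced every file exactly."""
    restored = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"modified: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in restored if rel not in manifest)
    return sorted(problems)


def restore_drill():
    """Constructed drill: a faithful restore passes, a damaged one is caught.
    Returns (problems_in_good_restore, problems_in_bad_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "docs").mkdir(parents=True)
        (live / "ledger.csv").write_text("2024-01-05,Vendor Ltd,1200.00\n")
        (live / "docs" / "contract.txt").write_text("Constructed contract text.\n")

        # Taken at backup time and stored with the backup (and ideally elsewhere).
        manifest = build_manifest(live)
        Path(tmp, "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Faithful restore.
        good = Path(tmp, "restore_good")
        shutil.copytree(live, good)

        # Damaged restore: one file overwritten (as ransomware would), one lost.
        bad = Path(tmp, "restore_bad")
        shutil.copytree(live, bad)
        (bad / "ledger.csv").write_bytes(b"\x00" * 64)
        (bad / "docs" / "contract.txt").unlink()

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_problems, bad_problems = restore_drill()
    print("faithful restore:", good_problems or "OK")
    print("damaged restore: ", bad_problems)
```

The manifest is what makes a restore test meaningful: without it, a restore that "looks fine" can still contain files that were already encrypted or truncated when the backup ran. Keep a copy of the manifest somewhere the backup system itself cannot modify.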

Incident response for small teams

Every organization needs a basic plan for what to do when something goes wrong. This does not need to be a 50-page document. It needs to answer: Who makes decisions during an incident? What are the first three actions to take? Who has emergency contacts for email, banking, hosting, and IT support?

For a compromised account, the immediate steps are: change the password, revoke all active sessions and tokens (a password change alone does not always log the attacker out), enable MFA if it is not already active, check for unauthorized changes such as mail forwarding rules, new recovery addresses or phone numbers, newly enrolled MFA devices, and third-party app grants, and notify anyone whose data may have been affected.

After any incident, conduct a brief review: What happened? How did we detect it? What was the impact? What should we change? This review process, even if informal, prevents the same type of incident from recurring.

Case Study

The CEO impersonation

Situation

An accounting clerk received an email that appeared to be from the CEO asking for an urgent wire transfer to a new vendor. The email used the CEO's name and email signature. The clerk processed the $45,000 transfer without verification because the email said it was urgent and confidential. The email was from an attacker.

Analysis

The attack exploited authority (the CEO), urgency (immediate), and confidentiality (don't tell anyone). A simple policy, that all wire transfers over $5,000 require verbal confirmation from the requester using a phone number already on file (never one supplied in the email itself), would have prevented this. The confirmation call would have revealed that the CEO never sent the email.

Takeaway

Financial transactions should never be authorized based on email alone, regardless of who appears to have sent it. Establish verification procedures for sensitive actions.

Reflection Questions

  • 1. Has anyone at your organization received a phishing email in the last month? How did they respond?
  • 2. If a team member's account was compromised right now, does your team know the first three steps to take?

Key Takeaways

  • Phishing exploits trust and urgency — verify unusual requests through a separate channel.
  • Keep software updated, use endpoint protection, and do not open unexpected attachments.
  • Ransomware defense is primarily about maintaining tested backups.
  • Every team needs a basic incident response plan before they need it.