Handout A: Phishing Email Received by Tom Reeves


The Email Players See

Received by Tom Reeves, Sunday 2:14pm. Reconstructed from mail server logs and browser cache.

IM Notes

When to release: Start of Round 1. Static artifact – does not depend on player decisions.

Facilitation: Do not narrate the red flags. Place the handout in front of players and ask: “What do you notice about this email?” The correct-domain text in the footer is intentionally green – it draws the eye and creates the contrast that makes the From mismatch discoverable by comparison. If players miss both red flags after 3 minutes, offer Clue 1: “Detective, the email Tom received came from noreply@donor-portal-secure.net – not from the foundation’s actual domain.”

Why it worked: The foundation’s full name appears in the email body. The reason given (account locked) matches something Tom has genuinely experienced when traveling. The support link uses the real domain, adding apparent legitimacy. The email arrived on a Sunday afternoon, when Tom was not at work and was slightly less alert than on a weekday.

Red flags players should find (do not point out):

  1. Wrong From domain: donor-portal-secure.net, not clearwaterfoundation.example – the contrast with the green support link at the bottom makes this discoverable.
  2. Generic greeting: “Dear Valued User” – the foundation’s own system has Tom’s name and would use it.

Key discussion questions:

  • “What is wrong with the From address?” (The domain is donor-portal-secure.net, not clearwaterfoundation.example. Players may need a moment to compare it against the support link – the contrast is the discovery.)
  • “What does ‘Dear Valued User’ tell you about who sent this?” (The foundation’s system has Tom’s name and would use it. A mass-delivery template does not. The attacker did not personalize because they could not.)
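
Optional for a technical debrief: the two red flags above written as automated mail checks. This is an added example, not part of the original handout; the sample message is constructed (only the From address, the greeting, the lock-out pretext and the foundation's domain come from the handout), and the function names and flag labels are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "clearwaterfoundation.example"  # the foundation's real domain (from the handout)

# Constructed sample: Subject, To address, body wording and URL path are invented.
SAMPLE = """\
From: Clearwater Foundation <noreply@donor-portal-secure.net>
To: tom.reeves@clearwaterfoundation.example
Subject: Your account has been locked

Dear Valued User,

Your donor portal account has been locked. Sign in to restore access.

Need help? https://support.clearwaterfoundation.example/help
"""

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(valued\s+)?(user|customer|member)\b", re.I | re.M)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def red_flags(raw, org_domain=ORG_DOMAIN):
    """Return the handout's red flags found in a plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    # Red flag 1: the message points at the foundation's domain in its links,
    # but the From address belongs to some other domain.
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    cites_org = any(in_domain(h, org_domain) for h in URL_HOST.findall(body))
    if cites_org and not in_domain(from_domain, org_domain):
        flags.append("from-domain-mismatch")
    # Red flag 2: a mass-mail greeting where the real system would use a name.
    if GENERIC_GREETING.search(body):
        flags.append("generic-greeting")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

The suffix comparison in `in_domain` is deliberate: a lookalike that merely contains the foundation's name does not pass as the real domain.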