Introduction

At work and what to do

At work, phishing often takes a more targeted form: a “director” asking for an urgent payment, or a “supplier” changing their bank account number. In this last module you will learn to recognise those forms, and most importantly: what to do if something does go wrong, and how to report a suspicious message.

What you will learn in this module
  • Recognising phishing at work: CEO fraud and invoice fraud
  • What to do if you did click or reply
  • How to report a suspicious message, at work and in the UK

At work

Phishing at work

A business is an attractive target: there are payments, customer data, and access to systems. Two forms come up often.

  • CEO fraud (director fraud). A message that looks like it is from your owner or manager, with an urgent and discreet request: a transfer, a purchase of gift cards, or data. It often includes a line such as “I am in a meeting, reply only by email”.
  • Invoice fraud. A “supplier” lets you know their bank account number has changed. Future invoices then go to the scammer’s account.
Always verify payments and account changes through a known channel

Never verify an urgent payment request or a changed account number by email. Verify it by phone, using a number you know yourself, or in person. One phone call prevents an expensive mistake.

Example 1 of 2 · director

“The director” with an urgent request

Inspect the sender, and pay attention to the request itself.

Subject: Quick discreet question, are you around?

Hi,

Are you at your desk? I need you discreetly for an urgent payment to a new supplier. It has to happen today.

I am in a meeting, so reply only by email. I will send you the details shortly. Thanks!

James

Is this message phishing or trustworthy?

Example 2 of 2 · invoice

A “changed bank account number”

A common form of invoice fraud. Inspect and judge.

Subject: Important: new bank account number for payments

Dear customer,

Due to a change with our bank, we now use a new bank account number. Please pay outstanding and future invoices to:

Sort code: 40-12-34 · Account: 87654321

We apologise for the inconvenience.

Is this message phishing or trustworthy?

Oops, clicked

You did click or reply. Now what?

Anyone can click too quickly once. What matters is that you respond quickly and calmly. The order:

  • Stop and enter nothing else. Do not fill in a password or code; close the page.
  • Change your password for the service involved, from a different, trusted device. Where possible, turn on two-factor authentication (2FA).
  • Tell the right people. At work: your IT team or manager straight away. At home: your bank if you shared payment details.
  • Keep an eye on your accounts and stay alert for unusual activity.
Speed matters, embarrassment does not

The faster you tell IT or your bank, the more there is left to save. Do not wait out of embarrassment: reporting helps, and you are certainly not the only one this happens to.

Report

You spotted it in time. Report it.

You spotted phishing and did not click? Good. One step left: report it, so others are protected.

  • At work: report or forward the message to your IT team. That way they can warn others and block it.
  • In the UK: forward suspicious emails to report@phishing.gov.uk (the NCSC’s Suspicious Email Reporting Service). Forward suspicious texts to 7726 (free, spells “SPAM”). For fraud you have already engaged with, contact Action Fraud on 0300 123 2040.
  • After: delete the message. Do not click, do not reply, and do not forward it to colleagues or family (except to IT or the reporting service).
Forwarding to the NCSC (ncsc.gov.uk)

Forwarding suspicious messages to report@phishing.gov.uk is free and takes a second. The more people report, the faster fraudulent links go offline.

Practice · question 1 of 2
Just practice, this does not count toward your certificate
You realise you just entered your password on a fake page. What do you do first?
Correct: change your password straight away (from a different device), turn on 2FA, and alert your IT team or bank. Speed decides how much can still be saved; embarrassment helps no one.
Practice · question 2 of 2
You spotted a phishing email and did not click. What is a good next step (in the UK)?
Correct: report suspicious messages to your IT team and, in the UK, to report@phishing.gov.uk. That way fraudulent links get blocked faster. Then delete the message. Forwarding it to colleagues or family only spreads the risk.
Summary

What you take away from module 4

  • At work: watch for CEO fraud (urgent, discreet payment request) and invoice fraud (changed bank account number).
  • Always verify payments and account changes by phone using a number you know, or in person.
  • Clicked? Stop, change your password from a different device, turn on 2FA, and tell IT or your bank quickly.
  • Speed matters, embarrassment does not: reporting helps, and it happens to everyone.
  • Spotted it? Report it to IT and, in the UK, to report@phishing.gov.uk (or 7726 for SMS), then delete the message.

Ready for the exam

Module 4 complete 🎉

Strong work. You can recognise phishing through email, SMS, and chat, you know the patterns and the routine, and you know what to do if something goes wrong. Just the final exam now, and your certificate is in.

4 of 5 modules

Ready for your “Recognising phishing” certificate

You have finished all the teaching modules. Pass the final exam (at least 70%) and you will receive your personal certificate of attendance in your name.

Modules 1-4 complete · Final exam ≥ 70%