Tech use cases · CompTIA prep
Mark up a phishing email for a non-technical user (Security+ flavored)
The scenario
Half of help desk security work is teaching the rest of the company to spot phishing. AI is good at producing a marked-up version of a suspicious email that highlights every red flag in plain language. This is also direct practice for the social-engineering and security-awareness portions of the Security+ exam.
The prompt
You are explaining a phishing email to a non-technical user, in a way that teaches them how to spot the next one. I will paste the email body and headers.
Format:
1. The verdict in one sentence: is this phishing, possibly phishing, or legitimate. State your confidence in plain words.
2. A numbered list of every red flag you can spot, with two-line explanations. For each one, name the technique by its standard term (in parentheses) so the user can search for it later if they want, for example, "fake urgency (pretexting)" or "look-alike domain (typosquatting)."
3. The action the user should take right now, in three steps or fewer.
4. One sentence on what a real, legitimate version of this email would look like, so the user can recognize the genuine pattern next time.
Rules:
- Do not lecture. The goal is to teach this user, not to prove how much you know.
- Plain language. No "threat actor" or "malicious payload." Say "the person who sent this" and "the link is bad."
- If a red flag is borderline (the email could be a legitimate but poorly written marketing email), say so honestly. Do not over-call.
Email:
From: payroll-update@hr-companysupport.com
Subject: URGENT: Action required by 5pm or your direct deposit will be suspended
Body:
Dear Employee,
Our records indicate that your direct deposit information has not been verified for the new payroll system. To prevent any disruption to your paycheck this Friday, please log in immediately using the secure link below and confirm your account details.
Click here: hxxp://hr-portal-companylogin[.]net/verify
If you do not verify by 5:00 PM today, your direct deposit will be suspended and a check will not be issued.
Thank you,
HR Payroll Team
The output
Verdict.
This is phishing. High confidence. Do not click the link.
Red flags, numbered.
1. Sender domain does not match a real HR or payroll system (look-alike domain / typosquatting). The address is hr-companysupport.com rather than companyname.com. Attackers register domains that look almost right and rely on you not double-checking.
2. Manufactured deadline (fake urgency / pretexting). “URGENT: Action required by 5pm.” Real payroll systems do not run on same-day deadlines and do not threaten to suspend your paycheck if you do not act in four hours. Urgency is the single most common phishing pattern.
3. Link domain is unrelated to the company you actually work for (URL spoofing). The address hr-portal-companylogin.net has no connection to your real employer’s domain. Legitimate company links live on the company’s own domain.
4. Generic greeting (broadcast targeting). “Dear Employee” rather than your real name. Mass phishing campaigns address everyone the same way. Legitimate HR mail has your name on it.
5. Threat of immediate financial harm if you do not act (coercion). “Your direct deposit will be suspended.” Designed to push you past the part of your brain that asks questions.
6. Requests credential entry via an emailed link (credential harvesting). Real HR systems direct you to log in by going to the company’s normal portal yourself, not by clicking a link in an email.
Six red flags is overwhelming. One or two could be sloppy IT communication. Six is a phishing campaign.
What to do right now.
- Do not click the link. Do not reply.
- Report the email through your company’s reporting button (often “Report Phishing” in Outlook or Gmail) or forward it to the security team’s reporting address. Do not just delete it; your security team learns from these reports.
- If you have already clicked the link or entered any credentials, contact your help desk or security team immediately. The faster they know, the less damage there is.
What a legitimate email would look like.
Real payroll updates from your real employer would come from a sender on the company’s own email domain, address you by name, never include a clickable login link, and either ask you to log in to the portal you already use or come with a phone number or in-person follow-up. The genuine version of this email, if it existed, would be boring.
One reasonable answer. Your run may differ. Read it against the scenario before using any of it.
What to watch for
- AI may invent plausible-but-fake context (naming a real company, or treating the look-alike domain as the employer's real one). Read what the AI claims about the email and verify it against the actual headers you pasted: the From address, any Reply-To, and where each link actually points. If you pasted only the visible From line, the model also cannot see the authentication results (SPF, DKIM, DMARC) that sit in the full headers; include those when you have them.
- AI sometimes calls every urgent email phishing. Real legitimate urgency exists. The cluster of red flags matters more than any one of them.
- Never click the link to 'check.' Hover to see where it really points, and keep it defanged (hxxp, [.]) in anything you send back to the user so nobody clicks it by accident. If your shop allows it, copy the URL into a URL analysis service such as VirusTotal or the Google Safe Browsing site status check, bearing in mind that those services fetch the page themselves, so a link carrying a per-recipient token can tell the sender that this particular copy was opened.
- If the user already clicked the link or entered credentials, the response changes immediately: lock the account, reset the password from a clean device, revoke active sessions and app tokens, check the mailbox for forwarding rules the attacker may have added, and escalate to whoever owns incident response.
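A deterministic cross-check for the first bullet above, added here as an example (this is not code from the original page or from any product): it parses the pasted headers and body and re-derives the red flags from the email itself, so the AI's claims about sender domain, link destination, urgency wording, greeting and credential request can be compared claim by claim against what was actually pasted. It assumes the employer's real domain is companyname.com (as in the sample output above), treats its keyword lists as a starting point rather than a catalogue, and approximates the registrable domain as the last two DNS labels; the sample email is the one from the scenario with a To header added by me.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Keyword lists are my assumption, a starting point rather than a catalogue.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)
URGENCY = ("urgent", "immediately", "action required", "right away", "today")
COERCION = ("will be suspended", "will not be issued", "disruption to your paycheck")
CREDENTIAL = ("log in", "login", "verify", "confirm your account", "account details")
GENERIC_GREETINGS = ("dear employee", "dear user", "dear customer", "dear valued")
LURE_WORDS = ("hr", "payroll", "support", "portal", "login", "secure", "account")

def refang(url: str) -> str:
    """hxxp://x[.]y -> http://x.y, for parsing only (never for clicking)."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def defang(url: str) -> str:
    """Make a URL unclickable before it goes into a write-up."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")

def registrable(host: str) -> str:
    """Last two labels (assumption; real code should use a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def looks_alike(domain: str, company_word: str) -> bool:
    """True if an unrelated domain borrows the company name or an HR/login word."""
    tokens = re.split(r"[.\-]", domain.lower())
    return company_word in domain.lower() or any(t in LURE_WORDS for t in tokens)

def analyze_email(raw: str, company_domain: str) -> dict:
    """Verdict plus (standard term, evidence) pairs derived only from the email."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    else:
        body = msg.get_payload()
    # Collapse line wraps so multi-word phrases still match across a soft break.
    text = " ".join((msg.get("Subject", "") + " " + body).lower().split())
    company = registrable(company_domain)
    company_word = company.split(".")[0]
    flags = []

    if sender_domain and registrable(sender_domain) != company:
        term = ("look-alike sender domain (typosquatting)" if looks_alike(sender_domain, company_word)
                else "sender is outside the company (external sender)")
        flags.append((term, f"sent from {sender_domain}, not {company}"))
    links = [defang(refang(u)) for u in URL_RE.findall(body)]
    for url in links:
        host = urlparse(refang(url)).hostname or ""
        if registrable(host) != company:
            flags.append(("link points to an unrelated domain (URL spoofing)",
                          f"{url} is on {host}, not {company}"))
    if hits := [k for k in URGENCY if k in text]:
        flags.append(("manufactured deadline (fake urgency / pretexting)", ", ".join(hits)))
    if hits := [k for k in COERCION if k in text]:
        flags.append(("threat of financial harm (coercion)", ", ".join(hits)))
    first_line = body.strip().splitlines()[0] if body.strip() else ""
    if first_line.lower().startswith(GENERIC_GREETINGS):
        flags.append(("generic greeting (mass-mailed campaign)", first_line))
    if links and any(k in text for k in CREDENTIAL):
        flags.append(("asks you to log in through an emailed link (credential harvesting)",
                      "login/verify wording next to a link"))
    verdict = "phishing" if len(flags) >= 3 else "possibly phishing" if flags else "no red flags found"
    return {"verdict": verdict, "sender_domain": sender_domain, "links": links, "flags": flags}

# Constructed sample: the email from the scenario, with a To header added by me.
SAMPLE_EMAIL = """\
From: payroll-update@hr-companysupport.com
To: employee@companyname.com
Subject: URGENT: Action required by 5pm or your direct deposit will be suspended

Dear Employee,
Our records indicate that your direct deposit information has not been verified
for the new payroll system. To prevent any disruption to your paycheck this
Friday, please log in immediately using the secure link below and confirm your
account details.
Click here: hxxp://hr-portal-companylogin[.]net/verify
If you do not verify by 5:00 PM today, your direct deposit will be suspended
and a check will not be issued.
Thank you,
HR Payroll Team
"""

if __name__ == "__main__":
    report = analyze_email(SAMPLE_EMAIL, "companyname.com")
    print("Verdict:", report["verdict"])
    for term, evidence in report["flags"]:
        print(f"- {term}: {evidence}")
```

The point of the script is not to replace the AI write-up but to anchor it: every flag it emits carries the literal evidence (the From domain, the link host, the matched words), so if the AI names a domain or a deadline that is not in this output, the AI made it up. Links stay defanged in the result so the report can be pasted to the user without creating a clickable copy.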