Welcome

Let's talk about email security.

Email is the most common way attackers try to get into our systems. You don't have to be a tech wizard to be a target — and you don't have to be a tech wizard to protect yourself either.

This training will walk you through what phishing, spoofing, and other email-based attacks look like, how to spot them, and exactly what to do when something seems off.

At the end, you'll take a short 10-question quiz. You'll need to score 80% or higher to complete the course. You can retake the quiz as many times as needed.

What you'll learn:
  • What phishing, spear phishing, and spoofing are
  • Red flags to watch for — including unexpected attachments, suspicious links, and common scam themes
  • Why verifying through a separate channel is your best defense
  • Safe handling habits: links, passwords, sensitive data, and device security
  • RSU #87's official reporting procedure
  • What to do if you accidentally click something
Module 1 of 7

Why Does Email Security Matter?

More than 90% of cyberattacks start with an email. It's cheap, it scales, and it works — because it targets people, not just software.

Attackers aren't just going after big corporations. Schools, nonprofits, and small organizations are frequently targeted because they often have valuable data (student records, payroll, personal information) and fewer dedicated security resources.

The good news? Most email attacks rely on tricking you into taking an action — clicking a link, opening a file, entering a password. That means you are the most important line of defense. Knowing what to look for makes a real difference.

Real consequences of a successful attack:
  • Ransomware that locks every computer on the network
  • Stolen student or staff personal data
  • Fraudulent wire transfers or payroll changes
  • Months of recovery work and significant costs
Module 2 of 7

What Is Phishing?

Phishing is when an attacker sends an email pretending to be someone or something trustworthy — like Microsoft, your bank, or even a coworker — to trick you into handing over credentials, clicking a malicious link, or opening an infected attachment.

Think of it like a digital version of a con artist. They're not breaking down a door — they're getting you to open it for them.

Example — Typical Phishing Email (as seen in Gmail)
Subject: ⚠️ Unusual sign-in activity detected — verify your account now
Received: 10:14 AM (Inbox)
from: Google Accounts Team <noreply@google-accounts-verify.net>
to: you@rsu87.org
⚠ This sender's domain (google-accounts-verify.net) does not match google.com
Dear User,

We've detected unusual sign-in activity on your Google Workspace account. Your account will be suspended within 24 hours unless you verify your identity immediately.

🔗 Click here to verify your Google account →

The Google Accounts Team

What makes this suspicious?

  • Expand the ▼ details arrow — the sending domain is google-accounts-verify.net, not google.com
  • It creates artificial urgency ("24 hours")
  • It addresses you as "Dear User" — not by name
  • It asks you to click a link to enter your credentials
Module 3 of 7

Spear Phishing — When It Gets Personal

Regular phishing casts a wide net. Spear phishing is targeted — the attacker researches you specifically before sending the email.

They might know your name, your supervisor's name, a project you're working on, or even something from your school's public website. That makes the email feel much more legitimate and harder to spot.

Example — Spear Phishing Email (as seen in Gmail)
Subject: Quick request — staff gift cards
Received: 8:47 AM (Inbox)
from: Dr. Patricia Mills <p.mills@rsu87-admin.org>
to: you@rsu87.org
⚠ This sender's domain (rsu87-admin.org) is different from your organization's domain (rsu87.org)
Hi [Your Name],

I'm in back-to-back meetings today and can't make calls. I need you to purchase 5 Amazon gift cards ($100 each) for a staff recognition surprise — it's time-sensitive. I'll reimburse you this afternoon.

Please send me the card numbers and PINs as soon as you have them. Don't mention it to anyone yet — I want it to be a surprise!

Thanks so much,
Dr. Mills

Why this one is tricky:

  • Uses a real name (the superintendent/principal) — attacker found it online
  • Creates urgency and a reason they can't be called ("in meetings")
  • Asks for secrecy ("don't mention it") to prevent you from checking
  • The domain is rsu87-admin.org — not rsu87.org

When in doubt, call the person directly using a number you already have — not one in the email.

Module 4 of 7

Email Spoofing — Fake Senders

Email spoofing is when an attacker forges the "From" field of an email to make it look like it came from someone you trust — a colleague, IT, your bank, or a well-known company.

There are two types to be aware of:

Type 1 — Display Name Spoofing

Gmail shows the sender's display name prominently. The real email address is hidden until you click the arrow to expand details. Attackers count on you never checking.

Click the ▼ details arrow below to see what's actually hiding behind a trusted-looking name.

Subject: Action required: Update your password now
Received: 2:03 PM
from: IT Department <support@help-desk-notice.ru>
to: you@rsu87.org
⚠ .ru is a Russian domain — this is NOT from your IT department
Your password expires today. Click the link below to reset it immediately to avoid losing access.

🔗 Reset my password →

Type 2 — Domain Lookalike

The address looks almost exactly right — but one small change makes it completely different. These are easy to miss when you're busy.

  Real:  it@rsu87.org
  Fake:  it@rsu-87.org (dash added between rsu and 87)
  Fake:  it@rsu87.org.support-desk.com (real domain buried in the middle — the actual domain is support-desk.com)
  Fake:  it@rsu87-helpdesk.com (looks official, completely different domain)

Habit to build: In Gmail, always click ▼ details to expand the sender info and read the full email address before clicking anything or replying.
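
Added example (not part of the original training): a sketch of how a mail filter could automate the two checks above, using the sample addresses from this course. The PROTECTED_NAMES list and the verdict strings are assumptions made for illustration.

```python
from email.utils import parseaddr

ORG_DOMAIN = "rsu87.org"  # the organization's real domain, per the training
# Assumption: display names staff tend to trust (illustrative list).
PROTECTED_NAMES = {"it department", "dr. patricia mills"}


def _squash(text):
    """Drop separators so 'rsu-87.org' and 'rsu87.org' compare equal."""
    return text.replace("-", "").replace("_", "").replace(".", "")


def classify_sender(from_header, org_domain=ORG_DOMAIN):
    """Classify a raw From header value; returns (verdict, sender_domain)."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain:
        return ("unparseable", "")
    # Exact match, or a true subdomain of the organization.
    if domain == org_domain or domain.endswith("." + org_domain):
        return ("internal", domain)
    # Real domain buried in the middle: rsu87.org.support-desk.com
    if "." + org_domain + "." in "." + domain:
        return ("lookalike: org domain used as subdomain", domain)
    # Separator added or removed: rsu-87.org
    if _squash(domain) == _squash(org_domain):
        return ("lookalike: separator variant", domain)
    # Organization name inside an unrelated domain: rsu87-helpdesk.com
    org_name = _squash(org_domain.rsplit(".", 1)[0])
    if any(org_name in _squash(label) for label in domain.split(".")):
        return ("lookalike: org name in foreign domain", domain)
    # Type 1: trusted-looking display name on an outside address.
    if display.strip().lower() in PROTECTED_NAMES:
        return ("display-name spoof", domain)
    # "external" only means "not ours"; it does not mean "safe".
    return ("external", domain)


SAMPLES = [  # constructed from the addresses shown in this training
    "it@rsu87.org",
    "it@rsu-87.org",
    "it@rsu87.org.support-desk.com",
    "it@rsu87-helpdesk.com",
    "Dr. Patricia Mills <p.mills@rsu87-admin.org>",
    "IT Department <support@help-desk-notice.ru>",
]


def run_samples():
    """Map each sample From value to its verdict."""
    return {s: classify_sender(s)[0] for s in SAMPLES}


if __name__ == "__main__":
    for sender, verdict in run_samples().items():
        print(f"{verdict:42} {sender}")
```

Only the first sample is classified as internal; every "Fake" address from the list above is flagged before the display name is even considered.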

Module 5 of 7

Red Flags — What to Watch For

No single red flag means an email is definitely malicious, but the more you spot, the more suspicious you should be. Here are the most common ones:

  • Urgency or threats — "Act now," "Your account will be deleted," "Last warning." Pressure is a tool to stop you from thinking.
  • Unexpected requests involving money or sensitive info — Gift cards, wire transfers, W-2 forms, invoices, payroll changes you didn't initiate.
  • Common lures — Missed package delivery, account locked, unpaid invoice, password expiring, prize won. These work because they feel plausible.
  • Suspicious sender address — The display name looks right but click ▼ details in Gmail to see the real address. Look for extra dashes, misspellings, or unfamiliar domains.
  • Suspicious links — Hover over a link before clicking. If the URL looks odd, shortened, or doesn't match the supposed site, do not click it. When in doubt, navigate to the real site yourself by typing the address.
  • Dangerous attachments — Be especially wary of Office files (Word, Excel) that ask you to "Enable Macros," ZIP files, and any executable (.exe, .bat) files. Even PDFs can carry malware.
  • You weren't expecting it — If you didn't initiate the contact or request, treat it with extra suspicion — especially if it asks for action, credentials, or sensitive data.
  • Requests for credentials or sensitive data — Legitimate services never ask for your password, Social Security number, or full credit card number via email.
  • Asks for secrecy — "Don't tell anyone," "This is between us," "It's a surprise." A major warning sign designed to prevent you from verifying.
  • Poor grammar or unusual phrasing — Not always present in modern attacks, but still a clue.
Quick gut check: Ask yourself — "Was I expecting this email? Does this request make sense? Would I feel comfortable calling this person on a number I already have to verify?" If anything feels off, verify before acting — never reply to the suspicious email to check.
Module 6 of 7

When In Doubt — Always Verify

This is the most important habit you can build: if you weren't expecting an email, especially one asking for sensitive information or urgent action, verify it through a completely separate channel before doing anything.

Don't reply to the email. Don't call numbers listed in it. Don't click links in it. Use a contact method you already trust.

How to verify through another channel

  1. Call the person using a phone number you already have saved — not one from the email. Ask them directly if they sent it.
  2. Navigate to the official website yourself — type the address directly into your browser. Don't click links in the email, even if they look right.
  3. Contact IT — when in doubt, forward the email to security@rsu87.org with a brief description of your concern. For general questions, email it@rsu87.org.

Example — Package Delivery Lure (as seen in Gmail)
Subject: Your package could not be delivered — action required
Received: Yesterday (Spam)
from: UPS Delivery Notification <noreply@ups-delivery-track.info>
to: you@rsu87.org
⚠ ups.com is the real UPS domain — ups-delivery-track.info is not
We attempted to deliver your package but were unable to complete delivery. Your package will be returned in 24 hours unless you confirm your delivery address.

🔗 Reschedule my delivery →

UPS Customer Service

What to do instead of clicking: Were you actually expecting a UPS package? If yes — go directly to ups.com and enter your tracking number there. If no — this is almost certainly a phishing email. Report it to IT.

This same pattern works for FedEx, USPS, Amazon, your bank, your health insurance, and any other trusted brand. Attackers clone them all. The URL in the email is never trustworthy. The real website always is.

Never enter your password on a page you reached by clicking an email link. Fake login pages can look pixel-perfect — same logo, same layout, same colors. If an email sends you to a sign-in page, close it and navigate to the real site yourself by typing the address.
Module 7 of 7

Safe Habits That Make a Real Difference

Beyond spotting bad emails, a few everyday habits significantly reduce your risk — and protect your coworkers and students too.

🔒 Safe Handling of Messages

  • Never enter your password on a page you reached from an email link. Close the page and type the real website address yourself.
  • Don't forward suspicious emails to coworkers to "warn them" — this can spread the threat. Use the Gmail Report phishing option or forward to security@rsu87.org instead.
  • Lock or log out of your device when stepping away — even briefly. Anyone who sits down can access your email.
  • Keep your device and apps updated. Updates patch known security holes that malware in email attachments and links actively exploit.
  • Trust security prompts. If your device or browser warns you that a site is dangerous or an attachment looks suspicious, believe it — don't click through.

🔐 Protecting Sensitive Information

  • Never send passwords, Social Security numbers, or full credit card numbers via email — email is not a secure channel unless your organization has set up specific encrypted tools for this.
  • Watch auto-complete when addressing emails. Gmail will suggest recipients as you type — double-check that you're sending to the right person, especially when the email contains student records, payroll data, or personal information.
  • Follow your organization's data handling policies. If you see a classification label, an encryption prompt, or a DLP (data loss prevention) warning — don't bypass it for convenience. Those prompts exist for a reason.
  • When in doubt about whether something is sensitive — treat it as if it is. Ask IT rather than assuming it's okay to send.
The bottom line: Good email security isn't just about spotting attacks. It's also about how you handle information every day — what you send, who you send it to, and how you manage access to your account.
RSU #87 — Official Reporting Procedure

What To Do When You Spot Something Suspicious

RSU #87 provides two email addresses for IT support. Please use the appropriate address based on the nature of your request.

Contact Information at a Glance

Address               Purpose
it@rsu87.org          General IT questions, support requests, and non-urgent inquiries
security@rsu87.org    Reporting suspicious or potentially malicious emails

Please note: Both addresses are monitored by the IT Department — there is no need to send your message to both. If you are reporting a suspicious email, use security@rsu87.org exclusively, as it includes additional automated capabilities described below.

If you receive a suspicious email:

  1. Do not open any attachments, click any links, or contact any phone numbers or email addresses contained in the message. Even if the email appears legitimate, do not interact with its contents.
  2. Forward the email to security@rsu87.org and include a brief description of your concern — for example, why the message seems suspicious or what prompted you to report it. This context helps IT prioritize and investigate more effectively.
  3. Leave the original email in your inbox. Do not delete, move, or print it. IT may need the original message intact for investigation.
  4. Wait for IT's guidance. You will be advised when it is safe to delete the email and whether any further action is required on your part.

Automated Analysis (Experimental): When you forward a message or attachment to security@rsu87.org, it is automatically submitted for analysis by an automated security agent. You will receive a preliminary findings report within approximately 5–10 minutes. Please be aware that this is an experimental process and is intended to supplement — not replace — human review by IT staff. If you have any doubt whatsoever about the safety of an email, do not open it. Err on the side of caution and allow IT to review it first.

A Note from the IT Department

These emails are designed by professionals to deceive. They are crafted to appear authentic, create a sense of urgency, and bypass your instincts — and they are effective against everyone, including cybersecurity professionals.

If you click a link, open an attachment, or realize after the fact that something was suspicious, please do not hesitate to contact us. There is absolutely no judgment here. Mistakes happen, and they happen to the best of us.

What matters most is that you let us know right away. The sooner we hear from you, the more we can do to protect you and everyone else in the district. A quick call or email can prevent what might otherwise become a serious incident.

You will never be penalized for reporting something in good faith, and you will never be criticized for asking a question. Please always feel comfortable reaching out.

If you accidentally clicked a link or opened an attachment:

Take a breath — then act quickly.
  1. Contact IT immediately — call the IT Department or email security@rsu87.org. Do not wait to see if anything happens. The faster we are notified, the more effectively we can respond.
  2. Do not interact further with the email — do not click anything else, reply, or call any numbers listed in the message.
  3. Leave the email in your inbox — IT needs the original message for investigation, even after an accidental click.
  4. Follow IT's instructions. You may be asked to disconnect from the network, change your password, or take other steps. IT will walk you through the process.

After-Hours Reporting: If an incident occurs outside of normal business hours, email security@rsu87.org immediately. Do not interact with the email or any contact information within it until you receive a response from IT.

Gmail — Labeling Suspicious Emails

How to Tag a Suspicious Email in Gmail

If IT determines that an email is suspicious — or if you would like to tag it for your own records — you can apply a label in Gmail to keep it clearly marked. Follow the steps below.

Step 1 — Open the Suspicious Email

Click on the email in your inbox to open it. Do not click any links or download any attachments within the message.

[Gmail toolbar above the open email "Suspicious email subject line": Archive, Report spam, Delete, Labels, Move to, More]
Click the Labels button (tag icon) in the toolbar above the email.

Step 2 — Open the Label Menu and Create a New Label

After clicking the Labels button, a dropdown menu will appear showing your existing labels.

[Label menu: "Label as:" Personal, Work, + Create new]
Scroll to the bottom of the dropdown and click "Create new" (you only need to do this the first time).

Step 3 — Name the Label

In the dialog box that appears, type a label name. We recommend:

[Dialog "New label": "Please enter a new label name:" Suspicious. Buttons: Cancel, Create]
Type "Suspicious" (or a name of your choosing) and click Create.

Step 4 — Apply the Label to the Email

Once the label is created, it will automatically be applied to the email. For future suspicious emails, simply click Labels, check the box next to "Suspicious", and click Apply.

[Label menu: "Label as:" Personal, Work, Suspicious. Button: Apply]
The email will now display the "Suspicious" label tag, making it easy to identify at a glance.

Result — Labeled Email

After applying the label, the email will appear in your inbox with the label clearly visible next to the subject line:

[Inbox view: "Suspicious email subject line" from Unknown Sender, 10:14 AM, labels: Inbox, Suspicious]
Email content — do not interact with links or attachments.
Tip: You can also color-code your label for added visibility. In Gmail, go to the left sidebar, hover over your "Suspicious" label, click the three-dot menu, select "Label color", and choose red. This will make flagged emails stand out immediately in your inbox.
Remember: Labeling an email is for your personal organization only — it does not notify IT. Always forward suspicious emails to security@rsu87.org with a description of your concern so IT can investigate and the automated analysis can begin.
Knowledge Check

Time for the Quiz

You've made it through the content — great work. Now let's see how much stuck.

The quiz has 10 questions. You'll get immediate feedback after each answer. You need to score 80% or higher (8 out of 10) to pass.

If you don't pass on the first try, no problem — you can retake it as many times as you need.

Tip: Questions cover the full course — reporting procedure, red flags, safe handling habits, and how to verify suspicious emails. The reporting procedure and "When In Doubt" slides are especially worth reviewing.
Results

Reporting reminder: Suspicious email? Forward it to security@rsu87.org with a brief description of your concern, leave the original in your inbox, and never click links or attachments. If you accidentally click something — contact IT immediately. No judgment, ever.
Bonus Challenge

Think you can spot a phishing email?

Put your skills to the test with Google's interactive Phishing Quiz. It presents real-world phishing scenarios and challenges you to tell the difference between legitimate and malicious emails.

Take the Google Phishing Quiz →

Opens in a new tab. Free, no login required.

Thank you for completing this training.

Your awareness is one of the most important defenses our district has. Attackers rely on people not knowing what to look for — and now you do.

If you ever have a question, something feels off, or you just want a second opinion on an email — forward suspicious messages to security@rsu87.org or reach out to us anytime at it@rsu87.org for general inquiries. We would rather hear from you ten times about something that turns out to be nothing than not hear from you once about something that matters.

— RSU #87 IT Department