Lesson 1.0

Module 1: The Forensic Mindset

2 minutes

What You’ll Learn

By the end of this module, you’ll understand the mindset shift that turns a suspicious email from something you delete into something you investigate:

  • The ripple effect of reporting — why one person’s report protects hundreds of coworkers, and how your suspicion becomes everyone else’s warning
  • The invisible data every email carries — every message arrives with a trail of technical details that most people never see, but that tell a clear story about where it really came from
  • The TRACE framework — a simple, repeatable process for gathering evidence from a phishing email so your team can block it, study it, and warn others

This isn’t about becoming a forensic analyst. It’s about learning to think like one for the five minutes it takes to help.

The Three-Act Arc

You’ve already met two frameworks in earlier courses. TRACE is the third act.

PUSHED taught you to notice how an email makes you feel. VERIFY taught you what to do with that feeling — step out of the message and confirm through another channel. TRACE is what you do once you know something is wrong: you stop reacting and start investigating.

| Framework | Question | Mode |
|-----------|----------|------|
| PUSHED | “What am I feeling?” | Emotional |
| VERIFY | “Can I confirm through a separate channel?” | Behavioral |
| TRACE | “What evidence can I gather so others don’t fall for this?” | Investigative |

Each framework builds on the one before it. You can’t investigate an email you didn’t notice was suspicious, and you can’t gather good evidence until you’ve confirmed the email isn’t legitimate.

When to Use TRACE

After VERIFY confirms a fake (or can’t confirm anything), TRACE is the investigative step that turns your suspicion into evidence.