Lesson 4.1

Email Scenarios

10 minutes

Common Email Attack Types

Let’s apply PUSHED+VERIFY to the most common email scenarios you’ll encounter.


Scenario 1: Business Email Compromise (BEC)

David Chen (CFO)
Subject: Wire Transfer - Confidential

Hi,

I need you to process a wire transfer today for a time-sensitive acquisition. This needs to stay confidential until the deal closes.

Amount: $47,500
Recipient: Apex Holdings LLC
Account: [will send separately]

Please confirm when complete. I'm in meetings all day so email is best.

Thanks,
David

PUSHED Analysis

  • P - Pressure (CFO authority)
  • U - Urgency ("today," "time-sensitive")
  • S - Surprise (unexpected request)

VERIFY Analysis

  • V: Domain is “acme-financial.com” not your actual company domain
  • E: Does the CFO normally ask you directly for wire transfers?
  • R: High-risk request (financial transfer) outside normal procedures
  • I: Can you verify before processing? Absolutely.
  • F: Don’t initiate the transfer yet
  • Y: “Confidential” and “email is best” feel like isolation tactics

Correct Action

Do NOT process the wire. Contact David Chen through a channel you already use — his known phone number, in person, or your company’s internal messaging system. Do not use any contact info from this email.


Scenario 2: Account Security Alert

Microsoft Security
Subject: Unusual sign-in activity detected

We detected an unusual sign-in attempt to your Microsoft account.

Location: Moscow, Russia
IP: 185.220.101.42
Time: Today at 3:47 AM

If this wasn't you, your account may be compromised. Secure your account immediately:

Secure My Account

If you don't recognize this activity, we recommend changing your password immediately.

PUSHED Analysis

  • H - High-stakes (account compromise)
  • U - Urgency ("immediately")
  • S - Surprise (unexpected alert)

VERIFY Analysis

  • V: Domain “microsoft-online-secure.com” is NOT microsoft.com ❌
  • E: Was there actually unusual activity? Check your actual account.
  • R: They want you to click a link — could lead to credential theft
  • I: Take 2 minutes to verify through Microsoft directly
  • F: Don’t click the link
  • Y: Scary language designed to make you act without thinking

Correct Action

Do NOT click the link. Go directly to account.microsoft.com by typing it in your browser. Check your sign-in activity there. If there’s a real problem, you’ll see it in your actual account settings.


Scenario 3: Package Delivery Scam

FedEx Delivery
Subject: Delivery Exception - Action Required

Your package (Tracking: 794644732349) could not be delivered due to an incomplete address.

To avoid return to sender, please update your delivery details within 48 hours.

Update Address

If not updated, your package will be returned and a restocking fee may apply.

PUSHED Analysis

  • U - Urgency ("48 hours")
  • H - High-stakes (lose package, restocking fee)
  • S - Surprise (unexpected notification)

VERIFY Analysis

  • V: Domain is “fedex-notifications.net” not fedex.com ❌
  • E: Are you actually expecting a FedEx package? Check your orders.
  • R: Requesting personal/address information through a link
  • I: Can you check fedex.com directly? Yes.
  • F: Don’t click the link
  • Y: Generic tracking number could be fake

Correct Action

Do NOT click the link. If you’re expecting a package, go to fedex.com directly and enter the tracking number. If you’re not expecting anything, this is definitely fake — ignore it.


Scenario 4: Legitimate Alert (For Comparison)

Chase
Subject: Your statement is ready

Your September statement for account ending in 4729 is now available.

You can view your statement by signing in to chase.com or the Chase Mobile app.

Thanks for being a Chase customer.

PUSHED Analysis

No strong PUSHED tactics present:

  • No urgent deadline
  • No threatening consequences
  • No unusual requests
  • Just informational

VERIFY Analysis

  • V: Domain is chase.com ✓
  • E: Expected monthly notification ✓
  • R: Just informing you a statement is ready — no action demanded
  • I: No urgency to verify, but safe to check via the app anyway
  • F: Nothing to freeze — you’d log in normally
  • Y: Feels routine and normal

This Is Legitimate

This email isn’t trying to manipulate you. It’s just a notification. But even for legitimate emails, it’s good practice to log in directly rather than clicking links — it builds the habit.


Key Patterns to Remember

| Attack Type | Common PUSHED Tactics | Key Red Flags |
|---|---|---|
| BEC (Boss Fraud) | Pressure, Urgency, Surprise | “Confidential,” unusual requests, email-only contact |
| Account Alerts | High-stakes, Urgency | Fake domains, login links, scary language |
| Delivery Scams | Urgency, High-stakes | Wrong domains, unexpected packages, deadline pressure |
| Prize/Reward | Excitement | Too good to be true, fees required, personal info requests |

Key Takeaways

  1. Business Email Compromise is one of the costliest scams — always verify financial requests
  2. Account security alerts should be checked by going directly to the real site
  3. Delivery notifications should be verified on the actual carrier’s website
  4. Legitimate emails typically don’t use aggressive PUSHED tactics
  5. When in doubt, verify through a separate channel you trust
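
The "V" check in each scenario compares the sender's domain with the domain the sender claims to represent. The sketch below is an added example, not part of the original lesson, showing that comparison in code. The function name `verify_sender`, the local parts of the addresses, the `microsoft.com.evil.example` sample and the `example.com` stand-in for "your actual company domain" are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

def verify_sender(from_header: str, expected: str) -> str:
    """Compare the From address's domain with the domain the sender claims to be from."""
    address = parseaddr(from_header)[1]
    if "@" not in address:
        return "no-address"
    domain = address.rpartition("@")[2].lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    # Exact domain or a true subdomain; the leading dot enforces a label boundary,
    # so "microsoft.com.evil.example" does not pass as microsoft.com.
    if domain == expected or domain.endswith("." + expected):
        return "match"
    # Brand label reused inside a different domain, hyphenated or as a subdomain label.
    brand = expected.split(".")[0]
    if brand in re.split(r"[.-]", domain):
        return "lookalike"
    return "mismatch"

# Constructed samples: display names and domains come from the four scenarios;
# local parts are invented, and example.com is a placeholder company domain.
SAMPLES = [
    ('"David Chen (CFO)" <dchen@acme-financial.com>', "example.com"),
    ('"Microsoft Security" <alert@microsoft-online-secure.com>', "microsoft.com"),
    ('"FedEx Delivery" <notice@fedex-notifications.net>', "fedex.com"),
    ('"Chase" <statements@chase.com>', "chase.com"),
    ('"Microsoft Security" <noreply@microsoft.com.evil.example>', "microsoft.com"),
]

def run_samples():
    """Return one verdict per constructed sample, in order."""
    return [verify_sender(header, expected) for header, expected in SAMPLES]

if __name__ == "__main__":
    for (header, expected), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:10} expected={expected:14} from={header}")
```

A "match" only says the visible From domain is the expected one; the remaining VERIFY steps still apply, since the From header alone does not prove who sent the message.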