The School of Phish

Learning to spot phishing emails

Phishing Email Training

Welcome to The School of Phish! In this training module, you'll be presented with a series of emails. Your task is to determine whether each email is legitimate or a phishing attempt. Click the buttons below each email to make your choice and receive immediate feedback on your decision. Let's get started and sharpen your phishing detection skills!

Phishing Detection Tips

Phishing emails are designed to trick you into giving away personal information or clicking malicious links. Here are the key things to look out for.

Check the sender's address

Phishers often use domains that look legitimate at a glance. Look closely; paypa1.com is not the same as paypal.com. Legitimate organisations will always email you from their official domain.

Watch for generic greetings

Emails that start with "Dear Customer" or "Dear User" instead of your actual name are a red flag. Companies you have an account with will usually address you directly.

Be wary of urgency

Phrases like "act immediately", "your account will be suspended", or "you have 24 hours" are designed to panic you into clicking before you think. Legitimate organisations rarely demand instant action via email.

Hover over links before clicking

The text of a link and where it actually goes can be completely different. Always hover first and check the URL in your browser's status bar; if it looks unfamiliar or doesn't match the supposed sender, don't click it.

Scrutinise the domain name

Look for subtle misspellings, extra words, or unusual extensions. microsoft-support.net, amazonsecurity.co, and nhs-patient-portal.co are all fake; the real domains are microsoft.com, amazon.co.uk, and nhs.uk.

Be suspicious of unexpected attachments

Unsolicited attachments, especially .zip, .exe, or Office files, can contain malware. If you weren't expecting a file, don't open it, even if the sender looks familiar.

HTTPS doesn't mean safe

A padlock icon in your browser just means the connection is encrypted; it says nothing about whether the site itself is malicious. Phishing sites can and do use HTTPS.
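
The sender-address and domain-name checks from the tips above, sketched as an added example (not part of The School of Phish's own code). The allowlist holds only the official domains this page names; the function names and the character-swap table are assumptions made for illustration.

```javascript
// Constructed allowlist: the official domains named in the tips above.
const OFFICIAL = ["paypal.com", "microsoft.com", "amazon.co.uk", "nhs.uk"];

// Assumed table of digit-for-letter swaps seen in lookalike domains.
const SWAPS = { "0": "o", "1": "l", "3": "e", "5": "s", "7": "t" };

// Domain part of an address, lowercased ("" if there is no "@").
// Also accepts the "Name <user@domain>" form by dropping the trailing ">".
function senderDomain(address) {
  const at = address.lastIndexOf("@");
  if (at === -1) return "";
  return address.slice(at + 1).replace(/>.*$/, "").trim().toLowerCase();
}

// Replace lookalike digits with the letters they imitate.
function unswap(domain) {
  return domain.replace(/[01357]/g, (c) => SWAPS[c]);
}

// True if `domain` is `official` itself or a subdomain of it.
function isOrUnder(domain, official) {
  return domain === official || domain.endsWith("." + official);
}

// Classify a sender address as "official", "lookalike" or "unknown".
function classifySender(address) {
  const domain = senderDomain(address);
  if (!domain) return { verdict: "unknown", reason: "no domain in address" };

  const match = OFFICIAL.find((o) => isOrUnder(domain, o));
  if (match) return { verdict: "official", reason: `matches ${match}` };

  // Character-swap check: paypa1.com normalises to paypal.com.
  const swapped = OFFICIAL.find((o) => isOrUnder(unswap(domain), o));
  if (swapped) return { verdict: "lookalike", reason: `imitates ${swapped}` };

  // Brand-in-name check: a brand label inside a different domain, e.g.
  // microsoft-support.net. Substring matching is deliberately broad and
  // can flag unrelated names that happen to contain a short brand.
  const brand = OFFICIAL.map((o) => o.split(".")[0]).find((b) => domain.includes(b));
  if (brand) return { verdict: "lookalike", reason: `contains "${brand}"` };

  return { verdict: "unknown", reason: "not on the allowlist" };
}
```

A "lookalike" verdict means the address borrows a known name without belonging to it; "unknown" only means the domain is not on the list, not that the email is safe.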

About The School of Phish

The Project

The School of Phish is an interactive phishing awareness trainer built as a single page application. It presents realistic email scenarios and challenges you to identify phishing attempts from legitimate correspondence, with the goal of making you a harder target for cybercriminals.

Each scenario is based on real phishing tactics and provides feedback explaining the tell-tale signs in the email, so you learn not just whether you were right, but why.

The Developer

Built by Sam Vincent, an IT professional and Computer Science (Cybersecurity) undergraduate at the University of Plymouth. With over six years of experience across IT support, logistics, and regulated environments including the NHS and Ministry of Defence, Sam brings a practical, security-aware perspective to everything he builds.

As a dad of two, the motivation behind this project goes beyond the academic. Phishing remains one of the most common and damaging attack vectors in cybersecurity; building tools that help everyday people recognise and resist it is exactly the kind of work that matters.

The School of Phish was developed as part of COMP1004 Computing Practice, using vanilla HTML, CSS, and JavaScript.