# Phishing Knowledge Base

## Common Phishing Indicators
1. **Urgency and Threats**: Phishing emails often use urgent language (e.g., "Account Suspended", "Immediate Action Required") to panic users into clicking without thinking.
2. **Mismatched URLs**: The visible link text (e.g., "paypal.com") does not match the actual destination URL (e.g., "paypal-secure-login.com").
3. **Generic Greetings**: Legitimate organizations usually use your name. Phishing emails often use "Dear Customer" or "Dear User".
4. **Request for Personal Information**: Legitimate companies rarely ask for sensitive info (passwords, SSN) via email.
5. **Suspicious Domains**: Look for misspellings (e.g., "goog1e.com", "paypaI.com") or unusual TLDs.

## URL Analysis Techniques
- **Typosquatting**: Attackers register domains that look similar to popular domains (e.g., "faceboook.com").
- **Subdomain Abuse**: Using long subdomains to hide the actual domain (e.g., "paypal.com.security-check.com" - the real domain is "security-check.com").
- **URL Shorteners**: Using bit.ly or tinyurl to hide the destination.

## Social Engineering Tactics
- **Authority**: Impersonating CEOs, IT support, or government agencies.
- **Scarcity**: "Only 24 hours left to claim your prize".
- **Curiosity**: "Look at these photos of you".

## Example Cases
- **PayPal Phishing**: Emails claiming unauthorized transactions, asking to click a link to "dispute" the charge.
- **Google Docs Phishing**: Fake login pages that look like Google Drive login screens.
- **Bank Fraud**: SMS messages (Smishing) claiming a bank account is locked.