
Module 3: Phishing Investigation

Students dissect three real-style phishing emails, identify the indicators, and write the SOC ticket like a junior analyst would.

Length
60 min
Level
beginner
Track
Starter
Cadence
Free preview


What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide

Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter

Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export

Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Module 3 - Phishing Investigation

Lesson at a glance

| Field | Value |
| ------------------- | -------------------------------------------------------------------- |
| Grade band | 9–12 |
| Total time | 60 minutes |
| Difficulty | Beginner |
| Required materials | Printed email packet (3 emails included below), worksheet, projector |
| Lab access | None - analysis is paper-based for safety |
| Standards alignment | NICE Framework K0177, CISA Cyber Essentials, CSTA 3A-NI-05 |

Safety: All three emails in this packet are fictional. Do not have students click, open, or test real phishing emails - even reported ones - outside an isolated sandbox supervised by IT.


Learning objectives

By the end of this lesson students will be able to:

  1. Identify at least 4 phishing indicators across header, body, and link layers of an email.
  2. Distinguish phishing from legitimate-but-clumsy email by examining sender, urgency, and the requested action.
  3. Write a brief, structured SOC ticket for a reported email that includes verdict, indicators, and recommended action.
  4. Explain why hovering and inspecting a link beats clicking it, and demonstrate how to inspect a link from a printed email.

Vocabulary

  • Phishing - a social-engineering attempt to get a victim to act (click, log in, reply, pay) by impersonating a trusted source.
  • Spear phishing - phishing tailored to a specific person or role.
  • Indicator of compromise (IOC) - observable evidence (a sender domain, URL, hash, or IP address) that ties to malicious activity.
  • Display name spoofing - putting a trusted name in the From field while the actual address is unrelated.
  • Look-alike domain - a domain crafted to resemble a real one (e.g., rnicrosoft.com, paypa1.com).
  • Header analysis - reading the Received, Return-Path, SPF, DKIM, DMARC fields to verify origin.
  • SOC ticket - the short, structured note an analyst writes to capture the verdict and rationale.

Why this module (teacher background)

If Module 2 taught defense at the credential layer, Module 3 teaches defense at the human layer. Phishing is the most common initial-access technique in real incidents, and the cohort that goes home tonight able to spot a look-alike domain is materially safer than they were this morning. The skill is observable and trainable: you read the email, you list the indicators, you write the verdict.

The exercise output - a SOC ticket - is real. Real analysts at real companies write notes that look exactly like the ones students will produce here. We are not pretending. We are doing a small version of the actual job.


Materials checklist

  • [ ] Printed email packet (the three emails below) - one per pair.
  • [ ] Worksheet (table for indicators and SOC ticket template).
  • [ ] Projector or board for the indicator chart.
  • [ ] Highlighters in two colors (one for indicators, one for legitimate-looking elements).

Pacing - minute-by-minute

| Time | Block | What happens |
| ----- | ----------- | -------------------------------------- |
| 0–5 | Opener | Real or fake? Show one email; vote |
| 5–18 | Mini-lesson | The 6 indicator categories |
| 18–40 | Activity | Three-email investigation in pairs |
| 40–50 | Discussion | Build the indicator chart on the board |
| 50–58 | SOC ticket | Each student writes one ticket |
| 58–60 | Exit ticket | One indicator + one action |


0–5 min · Opener - real or fake?

Project the subject line and From of Email #1 (below). Ask: real or phishing? Take the count, do not yet reveal. Tell them by the end of class they will have written the verdict and rationale.


5–18 min · Mini-lesson - the six indicator categories

Write across the board:

  1. Sender - display name vs. actual address vs. domain age.
  2. Subject and tone - urgency, fear, authority, novelty.
  3. Greeting - generic vs. personal; correct vs. wrong role.
  4. Body content - grammar, formatting, branding, requested action.
  5. Links - display text vs. actual destination, look-alike domains.
  6. Attachments and asks - unexpected files, password-protected docs, payment requests.

Teacher script:

“No single indicator proves phishing. A real email from a real vendor can be poorly written. A phishing email can be perfectly polished. Your job as an analyst is to count indicators, weigh them, and write a verdict you can defend. We don’t guess. We document.”

Demonstrate one link inspection technique on the board:

The hover trick. On a real email, hover over the link without clicking; the browser or mail client shows the actual URL at the bottom of the window. If you can’t hover (e.g., on a phone), do not tap - open the email on a desktop or report it. On a printed email there is nothing to hover, so the packet prints the actual destination URL alongside each link’s display text. We will treat the URLs printed in the packet as if they were the hovered destination.


18–40 min · Activity - investigate the three emails (22 minutes)

Pair students up. Give each pair the printed packet and the worksheet. For each email they fill in:

| Indicator category | Observation | Verdict-affecting? |
| ------------------ | ----------- | ------------------ |

…then write a one-sentence verdict (Phishing, Legitimate, or Needs more information) and a recommended action (Report to IT, Reply normally, Quarantine and confirm out-of-band, etc.).

The three emails follow. The full annotated answer key is in the Answer Key PDF.


Email #1

From: IT Help Desk <it-helpdesk@yourschoool-district.org>
To: student@yourschool-district.org
Subject: ACTION REQUIRED: Your mailbox storage is 99% full - verify within 24 hours
Date: Tuesday, 03:14 a.m.

Dear User,

Our records indicate that your mailbox is approaching its limit and incoming mail will be REJECTED within 24 hours. To prevent service interruption, please verify your account immediately by clicking the secure link below and signing in with your district credentials.

Verify mailbox now

Failure to verify will result in permanent loss of email access.

Sincerely,
IT Help Desk
Office of Information Technology


Email #2

From: Mr. Lassiter <jlassiter@yourschool-district.org>
To: classlist-period3@yourschool-district.org
Subject: Friday’s field trip - permission slip attached
Date: Wednesday, 4:08 p.m.

Hi class,

Attached is the permission slip for Friday’s trip to the regional cybersecurity career day. Please have a parent or guardian sign and return by Thursday morning. If you can’t print at home, see me before homeroom and I’ll print one for you.

Thanks,
Mr. Lassiter
Computer Science Department

📎 field-trip-permission.pdf (124 KB)


Email #3

From: Principal Walsh <principal-walsh@yourschool-district-admin.com>
To: student@yourschool-district.org
Subject: Quick favor - gift cards for staff appreciation
Date: Saturday, 9:47 a.m.

Hello,

Are you available? I’m in a meeting and can’t take calls. I need a quick favor - please pick up four $100 Apple gift cards from the nearest store, then scratch off the back and reply with the codes. I’ll reimburse you Monday. This is for staff appreciation; please keep this confidential as I want it to be a surprise.

Thanks for your help,
Principal Walsh
Sent from my iPhone


40–50 min · Discussion - build the chart

For each email, take volunteers to fill the indicator chart on the board. Push for category names, not just observations. Reinforce that no single indicator is a verdict - but for emails like #1 and #3, the indicators stack so heavily there is no ambiguity.

Watch for these student traps:

  • “Email #2 has an attachment, so it’s suspicious.” Attachments alone are not indicators. The pattern matters: who, what, when, why.
  • “Email #1 is from the IT Help Desk, so it must be real.” Display names are free to forge. Read the domain.
  • “Email #3 is from the principal, so it must be real.” Read the actual domain. yourschool-district-admin.com is not the school’s domain. Plus the request itself - gift cards, urgency, secrecy - is the textbook gift card scam pattern.

50–58 min · SOC ticket - each student writes one

Project the ticket template:

Ticket #: [auto]
Reporter: [user]
Email subject: […]
Verdict: Phishing / Legitimate / Needs more info
Top 3 indicators:
  1.
  2.
  3.
Recommended action: Quarantine and notify district IT / Mark legitimate / Confirm out-of-band
Analyst notes: (one or two sentences)

Each student picks one of the three emails and writes the ticket. Collect with the worksheet.


58–60 min · Exit ticket

Name one indicator you will look for the next time you receive a suspicious email, and what action you will take when you see it.


Differentiation and supports

  • Below grade level / EL: Provide a partially completed indicator chart for Email #1 as a worked example. They complete #2 and #3.
  • Above grade level: Extension - write a 4th email that is legitimate but suspicious-looking (clumsy IT email that is actually real). Class debates whether to report it.
  • IEP/504: Allow verbal SOC ticket dictated to the partner, who writes it down.

Common student misconceptions

  • “Bad grammar means phishing.” Sometimes. But polished phishing exists, and clumsy real emails exist. Grammar is one indicator, not a verdict.
  • “If the link is https:// it’s safe.” HTTPS only means the connection is encrypted, not that the destination is trustworthy.
  • “If I recognize the sender’s name, it’s real.” Display names are free to forge. Read the domain.

Career connection

  • SOC Tier 1 analyst - $55K–$75K. Triages reported emails and writes the exact ticket students wrote today.
  • Email security engineer - $90K–$140K. Tunes the filters that catch most of these before users see them.
  • Threat intel analyst - $85K–$130K. Tracks the campaigns these emails belong to.

Assessment

  • Formative: Indicator chart accuracy across the three emails.
  • Summative: SOC ticket - verdict correct, top 3 indicators named, recommended action appropriate. Rubric in the Answer Key.

Answer Key (summary - full version in the Answer Key PDF when generated)

  • Email #1 - Phishing. Indicators: typosquatted domain yourschoool-district.org (note the triple-o); 3:14 a.m. send time; urgency (“24 hours”); fear (“permanent loss”); link to non-school domain weebly.com; generic “Dear User”. Action: quarantine; notify district IT; do not click.
  • Email #2 - Legitimate. Indicators: real school domain; sent during school hours; expected context (a known field trip); plausible attachment from a known teacher; reasonable ask. Action: treat normally; if unsure, confirm with Mr. Lassiter in person before opening.
  • Email #3 - Phishing (gift card scam / executive impersonation). Indicators: lookalike domain yourschool-district-admin.com; weekend send time; secrecy and urgency; gift-card pattern; “sent from my iPhone” signature mimic; emotional pressure. Action: quarantine; notify district IT; do not reply or buy anything.
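Added example, not part of the lesson pack or its answer key: a short Python script that runs the "count indicators, weigh them, write a verdict" routine from the mini-lesson over constructed copies of the three packet emails and fills in the SOC ticket fields. The keyword lists, the look-alike test (confusable swaps, edit distance, reused label) and the three-indicator threshold are this example's own assumptions, not the module's rubric.

```python
import re

TRUSTED = "yourschool-district.org"  # the district's real domain in the packet
CONFUSABLES = [("rn", "m"), ("1", "l"), ("0", "o")]  # swaps behind rnicrosoft.com / paypa1.com
URGENCY = re.compile(r"action required|immediately|within 24 hours|permanent loss|quick favor", re.I)
SECRECY = re.compile(r"confidential|surprise|can.t take calls", re.I)
GIFT_CARD = re.compile(r"gift cards?|reply with the codes", re.I)
GENERIC = re.compile(r"^(dear user|dear customer|hello)[,!]?$", re.I | re.M)
ACTIONS = {"Phishing": "Quarantine and notify district IT", "Legitimate": "Mark legitimate",
           "Needs more information": "Confirm out-of-band"}

def edit_distance(a: str, b: str) -> int:  # Levenshtein distance: one tripled letter scores 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, trusted: str) -> bool:  # confusable swap, a typo or two, or reused label
    domain, trusted = domain.lower(), trusted.lower()
    folded = [domain, trusted]
    for bad, good in CONFUSABLES:
        folded = [d.replace(bad, good) for d in folded]
    return domain != trusted and (folded[0] == folded[1] or edit_distance(domain, trusted) <= 2
                                  or trusted.split(".")[0] in domain)

def analyze(sender: str, subject: str, body: str, day: str, hour: int) -> dict:  # one SOC ticket
    text, found = subject + "\n" + body, []
    domain = sender.rsplit("@", 1)[-1].lower()  # read the actual address, never the display name
    if domain != TRUSTED:
        found.append(f"Sender: {'look-alike' if is_lookalike(domain, TRUSTED) else 'external'} domain {domain}")
    if URGENCY.search(text): found.append("Tone: urgency or pressure language")
    if GENERIC.search(body): found.append("Greeting: generic, not addressed to the recipient")
    if GIFT_CARD.search(text): found.append("Ask: gift cards or codes requested")
    if SECRECY.search(text): found.append("Ask: secrecy, sender cannot be reached to confirm")
    if day in ("Saturday", "Sunday") or not 6 <= hour <= 19:
        found.append(f"Timing: sent {day} {hour:02d}:00, outside school hours")
    # Count and weigh: no single indicator is a verdict, three or more stacked ones are.
    verdict = "Phishing" if len(found) >= 3 else ("Legitimate" if not found else "Needs more information")
    return {"verdict": verdict, "top_indicators": found[:3], "recommended_action": ACTIONS[verdict]}

# Constructed copies of the three packet emails: sender address, subject, key body lines, day, hour.
EMAIL_1 = ("it-helpdesk@yourschoool-district.org", "ACTION REQUIRED: verify within 24 hours",
           "Dear User,\nIncoming mail will be REJECTED within 24 hours. Verify immediately.", "Tuesday", 3)
EMAIL_2 = ("jlassiter@yourschool-district.org", "Friday's field trip - permission slip attached",
           "Hi class,\nPlease have a parent sign and return by Thursday morning.", "Wednesday", 16)
EMAIL_3 = ("principal-walsh@yourschool-district-admin.com", "Quick favor - gift cards for staff",
           "Hello,\nI'm in a meeting and can't take calls. Reply with the codes. Keep this confidential.", "Saturday", 9)
```

Calling `analyze(*EMAIL_2)` returns no indicators and the verdict Legitimate, while `analyze(*EMAIL_1)` and `analyze(*EMAIL_3)` each stack enough indicators for Phishing, matching the answer key above.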
