Cyber Awareness Course
A short introduction to the cyber security fundamentals everyone should know — written in plain English for people without a tech background.
Recognising social engineering
The single most common way people get hacked has nothing to do with technology. It’s manipulation.
Social engineering is the art of manipulating people into giving up confidential information or taking actions that compromise their security. Unlike traditional hacking, it targets human psychology rather than technical vulnerabilities — which is exactly why it works so well.
Real-world scenario
You receive a phone call from someone claiming to be from your IT department. They say there’s been a security breach and they need your password immediately to “secure your account.” They sound urgent, professional, and they know your full name.
Remember: Your IT department will never ask for your password over the phone. This is a classic pretexting attack.
Knowledge check
What should you do if someone calls claiming to be IT support and asks for your password?
Spot the phishing email
The red flags in this fake email are marked in square brackets. Read through it, then decide what you’d do.
Dear Employee,
We have detected unusual activity [Vague threat to create panic] on your account. To prevent unauthorised access, you must reset your password immediately.
Please click the link below to verify your identity and reset your password within the next 2 hours [Artificial time pressure to prevent careful thinking], or your account will be permanently locked.
If you did not request this change, please ignore this email [Contradicts the urgency — a sign of a poorly crafted phish].
Regards,
The IT Team [Generic sign-off — real IT teams include specific contact details]
You spotted the suspicious domain, the urgency tactics, and the generic sign-off. In real life, reporting phishing emails (using your email client’s “Report” button) helps protect everyone you work with.
Red flags: a suspicious sender domain (company-helpdesk.net), urgency language (“next 2 hours”), a vague threat (“unusual activity”), and a generic sign-off. Always verify by contacting IT or the supposed sender through an official channel you already know.
What to do next
Five practical things to lock in this week. Each one takes minutes; the impact lasts years.
Turn on multi-factor authentication everywhere
Email, banking, social media, work accounts. App-based codes (Authy, Microsoft Authenticator) or a hardware key are stronger than SMS — but SMS is still better than nothing.
Use a password manager
1Password, Bitwarden, or your browser’s built-in one. Generate a unique long password for every site — you only need to remember one master password.
When in doubt, slow down and verify
Urgency is the scammer’s favourite tool. Hang up and call back on a number you know. Open a new browser tab and type the URL yourself instead of clicking the link.
Keep your devices up to date
Phone, laptop, browser. Most updates patch security holes. Turn on auto-update so you don’t have to think about it.
If something feels off, it probably is
A weird email, a too-good-to-be-true offer, an unexpected text from your bank: trust the instinct. Verify through an independent channel. Tell someone if you’re not sure.
That’s the course.