Defence Strategies

Think before you click

Three steps that work in almost every scenario — no technical knowledge required. These habits protect you whether you're dealing with an email, a phone call, a text, or a QR code.

Step One: Recognize
Verify the sender is who you think they are. Don't rely on the display name — check the actual email address and ask whether the request makes sense.
How to do it
  • Hover over or click the sender's name to reveal the real email address — does it match who it claims to be?
  • Check the domain after @: @amazon.com is real, @amazooms.me is not
  • Look for the [External] tag — if present, the email came from outside PAC
  • Ask: would IT, HR, or finance really contact me this way? Does this request make sense?
Step Two: Rethink
Before clicking anything, pause. Links can show one address and take you somewhere else entirely. Remember the phrase: hover to discover.
How to do it
  • Desktop: hover your mouse over any link without clicking — the real URL appears at the bottom of your browser
  • Mobile: long-press a link to preview the URL before it opens
  • Best practice: open a new tab and type the website address yourself — don't follow links from unexpected emails
  • Never open attachments from unverified senders — they're the most common malware delivery method
  • Never approve an MFA prompt you didn't initiate yourself
Step Three: Report
If something feels off — even slightly — report it. A false alarm costs nothing. A delayed report can cost millions. Your instinct is a security control.
How to do it
  • Use Report Message in Outlook — reports to PAC IT Security and Microsoft simultaneously
  • Email phishing@pacgroup.com directly — update this with your real internal address
  • Call or message IT directly if you need to act quickly
  • Even a false alarm is valuable — it helps IT track patterns across the organization

PAC emails will never ask you to

Treat any email claiming to be from PAC that requests any of the following as suspicious — and report it immediately.

  • Provide your Microsoft 365 password or credentials for any other platform
  • Buy gift cards for a client, colleague, or executive
  • Perform a wire transfer or financial transaction without a formal approval process
  • Validate your credentials via a PDF attachment or QR code
  • Provide sensitive personal information such as your SSN or banking details
  • Share or provide the login credentials of another employee

Quick reference — what to do right now

Got a suspicious email?
  • Don't click any links
  • Don't open any attachments
  • Don't reply to the sender
  • Use Report Message in Outlook
Already clicked a link?
  • Don't enter any information
  • Close the tab immediately
  • Contact IT straight away
  • Change your password as directed by IT
Entered credentials on a fake page?
  • Contact IT immediately — don't wait
  • Don't be embarrassed — it happens to everyone
  • IT will guide you through securing your account
  • Report so others can be warned

Ready to test yourself?

Take the quiz to prove your knowledge and earn your PAC IT Security certificate.