Simulated phishing campaigns are one of the critical areas of security awareness education that help protect you and our organization. The consequences of being fooled by a real phishing email can lead to disastrous consequences both at home and at work, making you more prone to identity theft. For example, cybercriminals use phishing emails to trick you into sharing the usernames and passwords of your personal and/or work accounts. How? They send you an email link to a fake but legitimate looking login page. If you submit your username and password, they are sent directly to the attacker. From there, they can log into your accounts and steal your sensitive information to apply for credit cards, bank loans or even make social security, medical, and unemployment claims.

Combining education with phishing simulations not only teaches you how to identify a suspicious email, but also gives you the opportunity to experience firsthand (in a safe and controlled environment) how to respond to a real phishing attack.   

Did you see the latest simulated phishing email?

So, did you spot the simulated phishing email that was sent out last week? If not, it's okay. Here are details about the training exercise.

The phishing email had the subject line "Costco Rewards – Our Thanks To You" and was sent from the email address "". The message asked email recipients to click on the link "GIFT" so they would have the opportunity to choose from several electronic, health, and skin care products. This phishing email was specifically designed to pique your curiosity enough that you would react immediately.  

Emails that make you curious or provide an enticing offer are common tactics cybercriminals use to trick you into clicking on malicious links or attachments. A strategy we can all use when confronted with a suspicious email is, THINK BEFORE WE CLICK. When we take a few moments to analyze the email sender, link or attachment, signature, etc. we often see if there are warning signs. For example, this phishing simulation contained the following: 

  1. The "" email domain is not consistent with the Costco Wholesale business name.
  2. Hovering your mouse over the link reveals the real location: ""; a site that is not associated with the Costco Wholesale branding (if researched online), and could therefore be a malicious website.
  3. Missing business contact information is suspicious. Most professional businesses use signatures to showcase the multiple ways you can contact them (e.g. phone number, email address, etc.).

Click here to learn more about our phishing simulations.

What to do if you receive a simulated (or real!) phishing email 

Although your first instinct might be to delete or ignore the suspicious email, we ask that you: 

DO NOT click on any links or attachments within it;

Forward it to our Information Security team at; and

Delete the email from your Inbox, Sent and Deleted Items folders immediately.

 If you receive a phishing email, chances are your co-workers have as well. So, by taking a proactive stance and learning how to spot and report potentially dangerous emails, we can keep our organization safer, together!

And the Winner is…???

Last week, dozens of names were entered into a prize draw for the "Spot the Phish" contest. The winner of that draw is...

Maggie Ho:

If this is you, please email us your work address so we can mail your prize there. More contests to come, so stay tuned!

To learn more about Security Awareness, visit our Security Awareness Hub. If you have any questions, please email us at

Written by Joseph Tesoro, education awareness specialist, security awareness program and Sabrina Young, education awareness specialist, information security.

This page last updated Feb 23, 2021 5:45pm PST