This hands-on tutorial equips undergraduate students with practical skills to spot, avoid, and report phishing attacks across email, SMS, social media, and QR codes. Participants will learn how modern attackers craft convincing lures (urgent language, spoofed domains, look-alike logins, “MFA fatigue,” malicious QR codes) and how to validate sender identity, inspect URLs safely, and identify payloads such as credential harvesters and malware droppers.

The session blends short explainers with interactive exercises, including dissecting real-world phishing samples, safely analyzing URLs, and practicing a step-by-step reporting workflow. We will also cover campus-friendly best practices: using password managers, enabling multi-factor authentication, recognizing OAuth consent traps, and verifying “support” outreach. A brief primer on email authentication (SPF/DKIM/DMARC) helps students understand why some messages get flagged and how to interpret those warnings.

By the end of the tutorial, attendees will be able to:

• Recognize common phishing patterns (spear-phishing, brand impersonation, QR-phishing, smishing).
• Inspect links and attachments safely (URL decoding, preview techniques, sandbox thinking).
• Validate sender identity and spot domain look-alikes.
• Respond correctly: do not click, capture evidence, report, and reset credentials if needed.
• Apply campus security tips: password manager hygiene, MFA resilience, and device hardening.
• Who should attend: Students and faculty interested in cybersecurity fundamentals and digital safety. No prior experience required.