function LessonPage({ onNavigate }) { const [section, setSection] = useState(2); const [howtoOpen, setHowtoOpen] = useState(() => { try { return !localStorage.getItem('medishield_lesson_howto_seen'); } catch { return true; } }); useEffect(() => { try { localStorage.setItem('medishield_lesson_howto_seen', '1'); } catch {} }, []); const sections = [ { title: 'Why phishing matters in healthcare', done: true }, { title: 'The anatomy of a clinical phishing email', done: true }, { title: 'Red flags in sender and domain', done: false, current: true }, { title: 'Safe reporting workflow', done: false }, { title: 'Knowledge check', done: false }, ]; return (
{e.preventDefault(); onNavigate('dashboard');}}>Dashboard Training Recognizing phishing in clinical email

Recognizing phishing in clinical email

Module PHI-201 · 12 minutes · Assigned by Compliance · Required for Cardiology-3B

Progress · 40%
setHowtoOpen(e.target.open)}> How this lesson works
Read each section, then take the short quiz at the end. You need 80% to pass. You can retake it as many times as you need. Your progress is saved automatically — leave and come back anytime.
Section 3 of 5

Red flags in sender and domain

Attackers impersonate internal IT, senior physicians, and EHR vendors. The fastest tell is almost always in the sender address — a swapped character, an extra hyphen, a look-alike domain. Train your eye to read the address bar-by-bar, not as a word.

Below is a real example reported by the St. Luke's SOC last quarter. Hover the highlighted terms to understand why each one is suspicious.

URGENT: Mailbox quota exceeded — action required in 2 hours
From: IT-Support <IT-Support@st-|ukes.org> To: elena.papadaki@stlukes.hospital Date: Today, 06:42

Dear Elena,

Our system has detected your mailbox is 99.8% full and will stop receiving patient lab results within the next 2 hours. To prevent interruption in care, please verify your credentials immediately.

👉 Verify mailbox quota here

Failure to verify within 2 hours will result in loss of access and may delay patient care.

— IT Support, St. Luke's

This is an automated message. Please do not reply.

Red flag
The sender domain uses a pipe (|) in place of a lowercase L. Real typefaces make the swap nearly invisible at a glance. Always copy-paste suspicious addresses into a monospace font to verify.
What to check
(1) Hover the link without clicking — does the URL preview match the claimed sender? (2) Is there artificial urgency? (3) Does the tone match how IT actually communicates with you?
Safe action
Use the Report phishing button in Outlook, or forward to soc@stlukes.org. If in doubt, phone IT at x4400 — never use a number from the suspicious email itself.
); } window.LessonPage = LessonPage;