Elena,
We detected an {f('unusual login', "Vague 'unusual location' is a scripted lever. Real alerts include specific geolocation + device.")} from Tbilisi, GE on your St. Luke account at 03:12 local time.
If this wasn't you, verify your identity in the next {f('30 minutes', 'Tight deadlines bypass rational thought. Legit processes give you days, not minutes.')} to prevent account suspension. Otherwise, all shift access will be revoked:
{f('➡ Verify account now', 'Hover: https://st-lukes-alert.com/verify?u=epapadaki — mismatched domain. The real portal is sso.stlukes.org.')}
— St. Luke's Security Operations · Do not reply to this automated message.
), clickConsequence: { headline: 'Credentials could have been harvested.', body: 'In reality, this would give an attacker access to roughly 2,340 patient records in Cardiology-3B.' }, ignoreMessage: 'Your silence means a colleague might still fall for it. Always report — the SOC uses every report to build blocklists.', }, { id: 'mailbox-quota', title: 'Mailbox quota exceeded', theme: 'Credential phishing', audience: 'All staff', difficulty: 'easy', summary: "Fake IT warning claiming your mailbox is full and will stop receiving lab results.", sender: 'IT Support', senderEmail: 'IT-Support@st-|ukes.org', senderTooltip: "The pipe character '|' replaces a lowercase 'l'. The real domain is st-lukes.org.", subject: 'URGENT: Mailbox quota exceeded — action required in 2 hours', time: '06:42', body: (f) => (<>Dear Elena,
Our system has detected your mailbox is {f('99.8% full and will stop receiving patient lab results within the next 2 hours', 'Fake urgency is the #1 phishing lever — real IT gives 24–72h windows, not 2 hours.')}. To prevent interruption in care, please verify your credentials immediately.
{f('👉 Verify mailbox quota here', "Hover reveals 'hxxps://stlukes-verify.cloud-mx[.]com' — not a St. Luke's domain.")}
{f('Failure to verify within 2 hours will result in loss of access and may delay patient care.', 'Pressure + consequences = classic phishing playbook. Real IT communicates through the ticketing portal, not threats.')}
— IT Support, St. Luke's
), clickConsequence: { headline: 'Your password would be captured.', body: 'Attackers chain this to mailbox-access attacks — reading your email, impersonating you, and pivoting to ePHI.' }, ignoreMessage: "Ignoring buys the attacker time — they'll try the same lure on the next shift.", }, { id: 'mri-chief', title: "Chief requesting urgent MRI export", theme: 'Clinical social engineering', audience: 'Radiology · Physicians', difficulty: 'medium', summary: "Look-alike domain impersonates the Chief of Radiology asking for a patient scan right now.", sender: 'Dr. Vakhtang Beridze (Chief Radiology)', senderEmail: 'chief.radiology@hosp1tal.com', senderTooltip: "The domain swaps an 'i' for a '1' — a typosquat. The real address is @stlukes.org.", subject: 'Re: Need Patient 448293 MRI export — do it now', time: '07:58', body: (f) => (<>Elena,
Patient {f('448293', "Real requests reference patient identifiers via the clinical portal — never via email in plain text.")} — I'm in surgery in 20 minutes and the consult just called.
Can you {f('export the full DICOM set and email it to my mobile', 'Attachments of PHI to external/mobile addresses are a policy breach regardless of the sender.')} in the next 10 minutes? I know it skips the protocol, but this is time-critical.
Use {f('this drop link if the attachment is too large', "Drop links outside the hospital EHR are a known phish mechanic — they often lead to credential screens.")}.
— V.B.
), clickConsequence: { headline: '2,340 patient records could have been exfiltrated.', body: 'Exporting PHI to an external drop site is a reportable HIPAA breach, regardless of who "asked" for it.' }, ignoreMessage: "Don't just ignore — attackers pivot to the next radiologist. Report so the SOC can quarantine the campaign.", }, { id: 'hr-w2', title: 'HR — tax form update for payroll', theme: 'HR / payroll phishing', audience: 'Admin · HR · All staff', difficulty: 'medium', summary: 'Fake HR email asking you to re-confirm your tax form details before the next payroll run.', sender: 'St. Luke Human Resources', senderEmail: 'payroll@stlukes-hr.com', senderTooltip: 'The real HR domain is @stlukes.org — this one prepends "hr-" and uses .com.', subject: 'Action required: re-confirm your tax form before April payroll', time: '09:04', body: (f) => (<>Hello Elena,
As part of our {f('annual payroll reconciliation', 'Real HR gives weeks of notice with calendar reminders — not next-day surprises.')}, we need you to re-confirm your tax form before April 21 to avoid delayed payment.
{f('Verify details in the HR portal', 'The link is stlukes-hr-login[.]com — not the real self-service portal at hr.stlukes.org.')}.
You'll need your SSN and direct-deposit bank details to complete the form.
— Payroll Operations
), clickConsequence: { headline: 'SSN and bank details would be harvested.', body: 'HR phishing is a top source of payroll fraud — attackers redirect salaries or commit identity theft.' }, ignoreMessage: "If you saw it, others did too. Report so HR can blast a correction notice to the whole staff.", }, { id: 'ehr-session', title: 'Epic EHR — session expired', theme: 'EHR impersonation', audience: 'Physicians · Nurses', difficulty: 'medium', summary: 'Imitation Epic login page reached via an email link — asks you to "re-authenticate".', sender: 'Epic Systems (auto)', senderEmail: 'notifications@epic-systems-login.com', senderTooltip: "Epic never sends login emails from external domains. Real in-product notifications are @epic.com.", subject: 'Your clinical session has expired — sign in to continue', time: '14:22', body: (f) => (<>Elena,
Your Epic clinical session at {f('St. Luke General (prod-east-3)', 'Real Epic instance names are internal identifiers — never mentioned in user-facing email.')} has expired after 30 minutes of inactivity.
To protect patient data, please {f('sign in again here', 'The link goes to epic-systems-login.com — a fake single-sign-on page. The real SSO is sso.stlukes.org.')} to resume your chart review.
If you do not re-authenticate within 15 minutes, any unsaved notes may be lost.
— Epic Systems Automated Notice · Do not reply.
), clickConsequence: { headline: 'Clinical credentials would be captured.', body: 'With Epic credentials an attacker can read every chart you can — often thousands of patient records.' }, ignoreMessage: "Report — this is how adversary groups map out clinical staff schedules by who clicks and when.", }, { id: 'vendor-invoice', title: 'Vendor invoice — updated payment details', theme: 'Business email compromise', audience: 'Admin · Billing', difficulty: 'hard', summary: 'A long-time supplier "changed their bank account" and wants the next wire redirected.', sender: 'Dr. Mikheil Beridze', senderEmail: 'm.beridze@stlukes-finance.com', senderTooltip: "The real internal finance domain is @stlukes.org. Notice the extra '-finance' and .com.", subject: 'Re: Paravaxis Medical Q2 invoice — updated bank info', time: '11:17', body: (f) => (<>Hi Elena,
Finance is cleaning up {f("the Paravaxis Q2 wire — their controller sent updated routing details this morning", "Classic vendor-switch pretext. BEC attackers monitor invoices for months before striking.")}. Please use the new IBAN attached and process as usual.
{f('New IBAN: GE74 CBAS 1234 5678 9010 (Bank of Cyprus, Nicosia branch)', "Route change to a foreign bank in a jurisdiction Paravaxis has never used before. Verify by phone with Paravaxis's known AP contact.")}
{f('Can you push this through today? They are threatening to pause shipments.', "Urgency + vendor-pressure tactic. Real vendors accept a 48h hold for verification.")}
Thanks — MB
), clickConsequence: { headline: 'The hospital could wire €840,000 to an attacker.', body: 'BEC is the #1 cybercrime by dollar value according to the FBI IC3 report. Always verify bank-change requests out-of-band.' }, ignoreMessage: "Do not ignore — report immediately so Finance can verify with the real Paravaxis AP contact by phone.", }, { id: 'conference-abstract', title: 'Conference abstract review', theme: 'Spearphishing · research', audience: 'Research staff', difficulty: 'medium', summary: 'Ostensibly from a cardiology conference, asking you to review an "abstract" attachment.', sender: 'European Cardiology Congress 2026', senderEmail: 'abstracts@ecc-2026.review', senderTooltip: "Conferences use .org / .eu / country domains — never .review. This TLD is a known phishing marker.", subject: 'Action needed: peer-review your assigned abstract (deadline Friday)', time: '10:38', body: (f) => (<>Dear Dr. Papadaki,
Thank you for accepting to peer-review for ECC 2026. Your assigned abstract is {f('attached (Abstract_448.docx)', "Unexpected Office documents from external senders are a major malware vector — even if they open normally, they can run macros.")}.
Please submit your score and written feedback by {f('Friday, April 24, 23:59 CET', "Pressure timeline designed to stop you from checking whether you actually agreed to review anything.")} to keep the conference schedule on track.
{f('Scoring portal link (requires your institutional login)', "Portal link hxxps://ecc-2026.review/submit?t= is a credential harvest page styled to look like a conference workflow.")}
— ECC 2026 Scientific Committee
), clickConsequence: { headline: 'Macro-embedded document or fake SSO.', body: 'Spearphishing targets researchers specifically — your institutional login grants access to grants, datasets, and the EHR.' }, ignoreMessage: "Report — the same lure usually targets several researchers in one department.", }, { id: 'device-firmware', title: 'Infusion pump firmware update', theme: 'Supply chain · medical device', audience: 'Biomed · IT / Security', difficulty: 'hard', summary: '"Urgent" firmware patch for the ward\'s infusion pumps — with a USB driver attached.', sender: 'MedTech Biomedical Updates', senderEmail: 'updates@medtech-biomedical-patches.net', senderTooltip: "MedTech notifications normally come from the vendor portal, not an email with an executable attached.", subject: 'CRITICAL: firmware 4.2.1 patch for Alaris-8100 pumps — apply today', time: '15:49', body: (f) => (<>Biomed team,
A {f('critical vulnerability', "Real device advisories link to ICS-CERT / MITRE CVE entries — never to a raw attachment.")} was disclosed this morning affecting Alaris 8100-series infusion pumps in your inventory.
Please apply firmware {f('4.2.1 (attached: alaris-update-421.exe)', "A .exe attachment is never the correct path for medical-device firmware. Real updates are signed .bin files loaded via the vendor portal.")} to all pumps on the cardiology and ICU wards by end of shift.
{f('Plug the attached USB installer directly into each pump.', "USB-to-medical-device is a textbook supply-chain attack path (BadUSB, Rubber Ducky).")}
— MedTech Global Patch Ops
), clickConsequence: { headline: 'Malware on clinical workstations and medical devices.', body: 'Compromised infusion pumps can drift dosing, freeze during delivery, or become network pivots — this is a patient-safety event.' }, ignoreMessage: 'Report immediately. Biomed needs to coordinate with the real vendor before anyone acts on the email.', }, { id: 'covid-roster', title: 'Occupational Health — booster roster', theme: 'Topical lure', audience: 'All clinical', difficulty: 'easy', summary: 'Asks you to confirm your vaccination booster slot by "logging into the portal".', sender: 'Occupational Health', senderEmail: 'occhealth@stlukes-bookings.co', senderTooltip: "Occ Health sits on the St. Luke intranet, never on an external .co domain.", subject: 'Your flu + COVID booster slot is on the roster — confirm by Thursday', time: '13:11', body: (f) => (<>Elena,
You've been {f('added to Thursday\'s 10:40 slot', 'Topical lures rely on things you\'re expecting anyway — flu/COVID boosters, training updates, payroll cycles.')} for the annual booster clinic.
Please {f('confirm or reschedule via the Occ Health portal', 'Portal link is stlukes-bookings[.]co — an external host, not the internal intranet where Occ Health actually lives.')} before end-of-day Thursday.
{f('If you do not confirm, your slot will be reassigned to a waitlist colleague.', "FOMO pressure plus social proof — attacker-crafted, not real policy.")}
— Occupational Health
), clickConsequence: { headline: 'Intranet password would leak.', body: 'Attackers harvest a generic intranet password and then try it against email, Epic, and the VPN.' }, ignoreMessage: "Don't ignore — the moment one colleague confirms, attackers pivot. Report so IT can block the bookings domain.", }, { id: 'gift-card-ceo', title: 'Gift card request from "Chief of Staff"', theme: 'CEO fraud', audience: 'Admin · Assistants', difficulty: 'easy', summary: "A 'senior' exec asks you to quietly buy store gift cards for an off-site.", sender: "Dr. N. Kakabadze (via mobile)", senderEmail: "n.kakabadze.office@gmail.com", senderTooltip: "A real hospital exec never emails staff from a personal Gmail — especially on a money matter.", subject: 'Quick favor — need this done before the 4pm meeting', time: '15:02', body: (f) => (<>Elena,
Are you at your desk? I'm {f("in back-to-back meetings and can't take calls", "Classic pretext — attacker preempts the obvious verification step (calling the sender) by claiming unavailability.")}.
I need a small favor — can you {f('pick up 6 Apple gift cards at $200 each', "Gift-card asks are the signature of a CEO-fraud scam. The organization never legitimately works this way.")} from the pharmacy across the street for the 4pm team retro? I'll expense it back tomorrow.
{f('Scratch off the codes and reply with photos when you have them.', "Photos of codes = the attacker drains the cards in minutes. No legitimate exec would ever ask this.")}
— N.K.
), clickConsequence: { headline: '$1,200 cash-equivalent lost.', body: "Gift-card fraud nets attackers real money fast — they burn the codes in minutes and the hospital rarely recovers." }, ignoreMessage: "Report — the SOC pins down which exec is being impersonated and sends a staff-wide alert before others fall for it.", }, ]; const active = scenarios.find(s => s.id === activeId); const difficultyColor = (d) => d === 'easy' ? 'var(--green)' : d === 'medium' ? 'var(--amber)' : 'var(--coral)'; const difficultyLabel = (d) => d === 'easy' ? 'Easy' : d === 'medium' ? 'Medium' : 'Hard'; const resultChip = (r) => { if (r === 'passed') returnTen scenarios across the threats actually seen in healthcare — pick one to run.
{active.theme} · {active.audience} · {difficultyLabel(active.difficulty)}