Sir David — here’s a clean DocuWiki edit-page version tailored for all incoming emails (includes your two “Am I expecting…” checks). Paste directly into your wiki.

```

Audience: End users.\ Purpose: 60-second decision guide for any email you receive.\ Last updated: @@2025-10-17@@

• Asks for passwords, 2FA codes, remote access, or confidential data.
• Urgent payment / bank change / gift cards / crypto.
• You were not expecting this email or request.

• Am I expecting anything right now?
• Am I expecting anything from these people/company?
• Do I actually have an account or relationship with the named company?

If No to any → treat as suspicious and go to 8) If Suspicious.

• Display name matches someone you know or a real department.
• Email address uses the real domain (no look-alikes like `rnicrosoft.com`, no extra words).
• Reply-To matches the From address (no domain switch).

• Hover links: target stays on the brand’s real domain (e.g. `https://accounts.google.com/…`, not `https://google.secure-login.example.com/…`).
• No link shorteners (bit.ly, tinyurl) or random strings.
• Avoid scanning QR codes from emails.

• You were expecting an attachment from this sender.
• Block risky types: `.exe .js .scr .bat .ps1 .vbs .iso .img .zip .html .htm`
• Office/PDF should not ask to “Enable Content/Macros”.

• Uses your correct name and specific details you recognise.
• No threats, pressure, giveaways, or too-good-to-be-true offers.
• Branding looks normal (not blurry; footer/legal details look standard).

• No “External Sender” or “SPF/DKIM/DMARC failed” banners.
• Not auto-flagged as suspicious by your mail client.

• Open the website/app yourself from a saved bookmark or by typing the address.
• Call/message the sender using a known number/channel (not the email’s number/link).
• For payment/bank-detail changes: perform a voice check with your contact.

• Do not click. Do not reply. Do not forward (except to IT/security).
• Use “Report phishing” in your mail app, then delete.
• If you clicked or entered details: change password, enable MFA, notify IT/bank, run a malware scan.
• Optional: forward a copy to reportphishing@apwg.org or report at Scamwatch (ACCC).

1. Expecting? → From these people? → Account exists?\
2. Check From + Reply-To domain → Hover every link → Attachment type safe?\
3. Read tone/grammar/branding → Client banners OK?\
4. Verify via bookmark/known number → If doubt, report and delete.

• Add your internal report address here: security@yourdomain.tld\
• Add your policy page link here: Email Security Policy\
• Train users to screenshot headers when reporting.

Phishing can (and does) originate from every country and from generic TLDs (.com, .net, .xyz, .top, etc.). If you still want a country→URL code map for filtering/awareness, use this rule plus the few exceptions below.