Catch a Phish: Investigate a Suspicious Email
Maps to: Cybersecurity Analyst · SOC Analyst · Incident Responder · Threat Intelligence Analyst · Security Engineer
Ever gotten an email that felt *off*? Catching that feeling and proving it is the actual day job for a huge slice of cybersecurity. You'll triage a batch of suspicious emails the way a brand-new security analyst does on day one: pull apart the hidden headers, check the links and senders against threat databases (without ever clicking them), and make the call: is this a real attack, something sketchy worth escalating, or a harmless false alarm? You'll walk away with a reusable "is this phishing?" checklist and a written investigation, the exact kind of thing that gets a beginner noticed. One honest heads-up: this is *defensive* security, catching attacks, not the movie-hacker stuff (breaking in). That's not the boring version. It's where most real cyber jobs actually are.
How this shows up on a resume or college app
I investigated [N] suspicious emails the way an entry-level security analyst does, analyzing hidden headers, sender authentication (SPF/DKIM/DMARC), and link/file reputation to separate real phishing attacks from false alarms, then built a reusable triage checklist and published an investigation report. I learned that most of cybersecurity is patient, careful evidence-gathering, and that the hard part is making a call you can defend when the evidence is incomplete.
When you finish, BuildMe drafts your Common App activity description from what you actually built.
The plan
Step 1. First look: make the call before you have the tools
Don't set anything up yet. Get a small batch of suspicious emails in front of you and just... read them, the way the scammer hopes you won't. For each one, write a one-line gut verdict (looks malicious, looks sketchy, or looks harmless) and what tipped you off. You'll be wrong on some. That's the point: this first-pass note is the thing you'll test and defend later.
Step 2. Gather the evidence: headers, senders, links, files
Now you go from 'feels off' to 'here's the proof.' This is the patient, methodical part, and it's most of real cyber work. Every email carries hidden headers that show where it actually came from, whether it faked its identity, and where its links really go. You'll read those with tools that do the heavy lifting, and you'll check links and files against threat databases without ever opening them.
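An added example of the header-evidence pass this step describes (not code from BuildMe or the original page): it parses one constructed raw email, reads the SPF/DKIM/DMARC results out of Authentication-Results, compares the visible From: domain with the Return-Path, and defangs any links so they can go into a report without being clicked. The sample message, domains and verdict thresholds are assumptions for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample (not a real message): a lookalike sending domain that
# passes SPF for itself, but DMARC fails against the visible From: domain.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-paypa1-alerts.example>
Received: from mail-paypa1-alerts.example ([203.0.113.7])
 by mx.corp.example with ESMTP id abc123
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=mail-paypa1-alerts.example;
 dkim=none; dmarc=fail header.from=paypal.example
From: "PayPal Support" <support@paypal.example>
To: user@corp.example
Subject: Action required: verify your account

Your account is limited. Verify now: http://paypa1-secure.example/login?id=42
"""

def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    hdr = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    out = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", hdr)
        out[mech] = m.group(1).lower() if m else "missing"
    return out

def domain_of(msg, name):
    """Bare domain from an address header such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", str(msg.get(name, "")))
    return m.group(1).lower() if m else None

def defang(url):
    """Make a URL safe to paste into a report: hxxp and [.]."""
    return url.replace("http", "hxxp").replace(".", "[.]")

def triage(raw):
    """Return the evidence plus a first-pass verdict for one raw email."""
    msg = message_from_string(raw, policy=default)
    auth = auth_results(msg)
    from_dom, path_dom = domain_of(msg, "From"), domain_of(msg, "Return-Path")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = re.findall(r"https?://[^\s<>\"']+", body)   # extract, never open
    findings = [f"{k}={v}" for k, v in auth.items() if v != "pass"]
    if from_dom != path_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {path_dom}")
    # Thresholds are an assumption: DMARC fail plus a link is the clear case,
    # any other failed check is worth a closer look, nothing flagged is clean.
    if auth["dmarc"] == "fail" and urls:
        verdict = "looks malicious"
    else:
        verdict = "looks sketchy" if findings else "looks harmless"
    return {"auth": auth, "findings": findings,
            "urls": [defang(u) for u in urls], "verdict": verdict}
```

Run `triage(SAMPLE_EMAIL)` to see the evidence dictionary for the sample; the same function works on any raw `.eml` text read from disk.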
Step 3. The hard call, and your reusable checklist
Most of your batch is now obvious. But there's almost always one email the evidence doesn't fully settle: passed some checks, failed others, link looks weird but not confirmed bad. That's the real job: making a defensible call when you can't be 100% sure, and deciding whether to escalate it or close it. You'll make that call yourself, then have an AI play a skeptical senior analyst and try to poke holes in it, then make your FINAL call. Then you'll turn everything you learned into a checklist you (or anyone) could reuse.
Step 4. Write it up, ship it, and what this says about you
Analysts live and die by the write-up: a clear report is half the job. Pull your evidence and verdicts into one short investigation report, attach your checklist and the list of bad indicators you found, and publish it. Then send it to one real person who'd actually use it. That published report is a real beginner-analyst portfolio piece. And here's why it's worth doing: cybersecurity is growing fast, but the entry-level door is tighter than it used to be. The people who get in are the ones who can *show* they've done real work, not the ones with the longest list of certs. A real investigation someone can actually read beats a line on a resume. You just made one.
Sign up and this plan gets personalized to your level, interests, and goal in about 15 seconds.