Reply to the email and ask if they intended to send it to you before you open it.

Review the link carefully before taking any other action and notify IT/Security if it seems suspicious.

Click on the link; it's ok because the message came from someone you work with.

Ignore the request; they most likely accidentally typed the wrong email address.

Complete the transfer; it's from someone you trust.

Ignore the message; let someone else report it.

Call your co-worker using a phone number you know is correct and ask if they sent this message.

Complete the transfer, then confirm if the request was legitimate.

Never reuse the same password.

Use numbers and special characters.

Use a familiar password, but change a character or two to make it unique.

Create a unique, complex password with at least 16 characters.

Follow you organization's policy for reporting suspicious behavior.

Listen closely to their phone call to get the definitive proof you need.

Ignore it; whatever is going on does not impact your work.

Reach out to them to find out what is really going on and if you can help them with anything.

It's a phish

It's real

Disinformation

It's real

Misinformation because it's an example of someone not bothering to research or think critically about what they share.

Disinformation because it's intentionally spread to maliciously influence public opinion.

Neither causes much harm and are not something to worry about.

They are equally dangerous because they both spread false information.