cyber-security.eu

Phishing

Phishing remains one of the most common entry points. Modern attacks look professional, use trusted brands and adapt quickly. Technical filters, awareness and a simple report button belong together.

Who this page is for

This page is for IT and security leaders, awareness owners, end users and managers who want to understand how phishing works today and how it is addressed effectively.

What phishing is

Phishing describes attempts to make people disclose credentials, approve an action or execute malicious content via deceptive messages. Phishing relies on trust and time pressure - not sophisticated technology.

Variants

- Email phishing: classic mails, often at scale
- Spear phishing: targeted, with personal context
- Smishing: phishing via SMS
- Vishing: phone phishing, often combined with fake IT support
- OAuth or consent phishing: a user grants permissions to a malicious app
- QR phishing: QR codes leading to phishing pages
- Business email compromise (BEC): compromised or spoofed business identities, often around invoices or payments

How to recognise phishing

Signals include:

- Unusual time pressure
- Mismatching sender or reply addresses
- Unusual links or shortened URLs
- Demands for atypical actions, for example payment changes
- Unexpected login prompts

Note: even professional-looking mails can be phishing. Language and layout are often flawless today.
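Several of these signals can be checked mechanically before a human ever reads the mail. The script below is an added example (not code from this site): it parses one raw message with Python's standard library and reports mismatching Reply-To and Return-Path domains, a display name that carries an address from another domain, shortened links, links whose visible text names a different host than the real target, and urgency wording. The two messages, the shortener list and the urgency patterns are constructed for illustration; the hosts use reserved .example names.

```python
"""Header and link checks for one suspicious message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative lists; extend them for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
TIME_PRESSURE = re.compile(
    r"\b(immediately|within \d+ hours?|will be (suspended|closed|deleted)|expires? today)\b",
    re.IGNORECASE)
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.IGNORECASE)

# Constructed sample: display-name spoof, foreign Reply-To, shortener, urgency.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "it-support@contoso.example" <notify@contoso-secure-login.example>
Reply-To: helpdesk@mail-relay.example.net
To: alice@contoso.example
Subject: Action required: your mailbox will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in immediately.</p>
<p><a href="https://bit.ly/3xample">https://login.contoso.example/reset</a></p>
</body></html>
"""

# Constructed sample of an ordinary internal mail (no signals expected).
CLEAN = """\
From: Payroll <payroll@contoso.example>
To: alice@contoso.example
Subject: Payslip for April
Content-Type: text/plain; charset="utf-8"

Your April payslip is available in the HR portal.
"""


def _domain(addr):
    """Lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _body_text(msg):
    """Decoded HTML body if present, otherwise the plain-text body."""
    plain, html = "", ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
            if ctype == "text/html":
                html = html or text
            else:
                plain = plain or text
    return html or plain


def phishing_signals(raw_message):
    """Return a list of (code, detail) signals found in one raw message."""
    msg = message_from_string(raw_message)
    signals = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # Mismatching sender / reply addresses
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and _domain(addr) != from_dom:
            code = header.lower().replace("-", "_") + "_mismatch"
            signals.append((code, f"{header} {addr} vs From {from_addr}"))
    # Display name shows an address whose domain differs from the real sender
    shown = EMAIL_IN_TEXT.search(from_name)
    if shown and _domain(shown.group(0)) != from_dom:
        signals.append(("display_name_spoof", f"name shows {shown.group(0)}, address is {from_addr}"))

    # Links: shorteners, and visible text naming a different host than the href
    body = _body_text(msg)
    parser = _Links()
    parser.feed(body)
    for href, text in parser.links:
        host = _host(href)
        if host in SHORTENERS:
            signals.append(("shortened_url", href))
        if LOOKS_LIKE_URL.match(text) and _host(text) != host:
            signals.append(("link_text_mismatch", f"text {text} -> {href}"))

    # Unusual time pressure in subject or body
    if TIME_PRESSURE.search(msg.get("Subject", "") + " " + body):
        signals.append(("time_pressure", "urgency wording in subject or body"))
    return signals


if __name__ == "__main__":
    for code, detail in phishing_signals(SAMPLE):
        print(f"{code:22} {detail}")
```

Run it on the constructed SAMPLE and every check fires; run it on CLEAN and the list is empty. None of these signals proves phishing on its own (Return-Path regularly differs from From for legitimately outsourced mail), which is why the result is a list of signals for a human or a scoring rule, not a verdict.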

Why modern phishing looks professional

Current attacks use the right brands, contextual content and sometimes publicly available company information. Language and layout are often high quality. 'Bad spelling' is no longer a reliable indicator.

Controls for organisations

- Email security with DMARC, SPF and DKIM correctly configured
- MFA, ideally phishing-resistant (FIDO2/WebAuthn security keys or passkeys rather than codes that can be relayed)
- Conditional access and sensible login policies
- Simple report button in the mail client
- Awareness with fair phishing simulations
- Detection for unusual logins and OAuth consents
- Clear processes for invoice and payment changes

Reporting and awareness

Employees should be able to report suspicious mails simply and without fear. A positive reporting culture acknowledges reports and provides feedback rather than punishing.

A simple report button in the mail client is often the most effective organisational control.

First steps after a click

If someone clicked or entered credentials:

1. Contact security or use the reporting path immediately.
2. Stop using the account until it has been checked.
3. Lock the account, or reset the password and revoke active sessions and tokens centrally.
4. Check the MFA state, remove any methods the user did not register, and enforce MFA if it was not.
5. Review sign-in logs, mailbox rules, forwarding settings and OAuth consents.
6. Document the incident and capture lessons learned.

Reporting helps. Blame destroys future reports.
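Step 5 above and the BEC answer below both come down to reading the account's audit trail for the same three things: a sign-in that does not fit the user, a new inbox rule that hides or forwards mail, and an application the user consented to. The following added example (not code from this site) runs that triage over a constructed stream of JSON-lines events. The event shape, the organisation domain contoso.example, the two-hour travel window and the scope list are assumptions made for the example; the scope names follow the Microsoft Graph naming style purely as illustration.

```python
"""Triage of account-audit events after a reported click (added example)."""
import json
from datetime import datetime, timedelta

ORG_DOMAINS = {"contoso.example"}          # assumption: the organisation's own mail domains
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                "Files.ReadWrite.All", "offline_access"}   # illustrative, Graph-style names
TRAVEL_WINDOW = timedelta(hours=2)          # simplified "impossible travel" threshold
MONEY_WORDS = ("invoice", "payment", "wire", "bank", "iban")

# Constructed event stream in a simplified JSON-lines shape (not any vendor's real schema).
EVENTS = """\
{"ts": "2024-05-02T08:02:00", "user": "alice@contoso.example", "type": "login", "ip": "203.0.113.7", "country": "DE"}
{"ts": "2024-05-02T08:41:00", "user": "alice@contoso.example", "type": "login", "ip": "198.51.100.9", "country": "NG"}
{"ts": "2024-05-02T08:44:00", "user": "alice@contoso.example", "type": "inbox_rule_created", "rule": {"name": ".", "forward_to": ["archive.alice@webmail.example"], "delete": true, "subject_contains": ["invoice", "payment"]}}
{"ts": "2024-05-02T08:47:00", "user": "alice@contoso.example", "type": "oauth_consent", "app": "Mail Sync Helper", "scopes": ["Mail.ReadWrite", "offline_access"]}
{"ts": "2024-05-02T09:10:00", "user": "bob@contoso.example", "type": "login", "ip": "203.0.113.20", "country": "DE"}
{"ts": "2024-05-02T09:15:00", "user": "bob@contoso.example", "type": "inbox_rule_created", "rule": {"name": "Newsletters", "move_to": "Newsletters", "subject_contains": ["digest"]}}
"""


def _rule_alerts(user, rule):
    """Flag inbox rules that exfiltrate, hide or target payment mail."""
    reasons = []
    external = [a for a in rule.get("forward_to", [])
                if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]
    if external:
        reasons.append("forwards to external " + ", ".join(external))
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    if len(rule.get("name", "")) <= 1:          # attackers often use '.' or '' as the name
        reasons.append(f"near-empty rule name {rule.get('name')!r}")
    if any(w in s.lower() for s in rule.get("subject_contains", []) for w in MONEY_WORDS):
        reasons.append("matches payment-related subjects")
    if not reasons:
        return []
    return [{"code": "suspicious_inbox_rule", "user": user, "detail": "; ".join(reasons)}]


def triage(events_jsonl):
    """Return alerts for country hops, suspicious inbox rules and risky OAuth consents."""
    alerts = []
    last_login = {}                             # user -> (timestamp, country)
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, user, kind = datetime.fromisoformat(ev["ts"]), ev["user"], ev["type"]
        if kind == "login":
            prev = last_login.get(user)
            if prev and prev[1] != ev["country"] and ts - prev[0] < TRAVEL_WINDOW:
                alerts.append({"code": "impossible_travel", "user": user,
                               "detail": f"{prev[1]} then {ev['country']} within {ts - prev[0]}"})
            last_login[user] = (ts, ev["country"])
        elif kind == "inbox_rule_created":
            alerts.extend(_rule_alerts(user, ev["rule"]))
        elif kind == "oauth_consent":
            risky = sorted(set(ev["scopes"]) & RISKY_SCOPES)
            if risky:
                alerts.append({"code": "risky_consent", "user": user,
                               "detail": f"{ev['app']} granted {', '.join(risky)}"})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert["code"], alert["user"], "-", alert["detail"])
```

For the constructed stream the script raises three alerts, all for alice: a login from another country 39 minutes after the first, a rule named "." that forwards invoice and payment mail externally and deletes it, and a consent granting mailbox access plus a refresh token. Bob's newsletter rule is left alone. Each alert maps onto a response action from the list above: revoke sessions and tokens, delete the rule and forwarding, revoke the application's consent.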

Checklist

  • DMARC, SPF and DKIM correctly configured
  • Phishing-resistant MFA where possible
  • Report button available in the mail client
  • Regular, fair phishing simulations with learning value
  • Reliable processing pipeline for reported mails
  • Detection for unusual logins and OAuth consents
  • Clear processes for payment and invoice changes

Frequently asked questions

Is it the employee's fault if they click?

No. Blame harms reporting culture. The goal is preparation, easy reporting and fast response.

Is awareness alone enough?

No. Awareness is important, but technical measures such as MFA, mail security and detection matter just as much.

What to do about BEC?

Stop or recall any payment, secure the account, involve the bank and the authorities, review and disable malicious mail rules and forwarding, and document the case cleanly.

Related topics

Security awareness

Awareness works when it is continuous, relevant and fairly measurable. A yearly mandatory training is not enough. This page shows what good organisational awareness looks like.

Incident response

A security incident requires a clear process, rehearsed roles and prepared communication. Improvising during an incident wastes time and creates mistakes. This page covers the phases, responsibilities and common pitfalls.

Ransomware: risks and first response

Ransomware remains one of the most expensive cyber risks. It is typically the result of a chain of weaknesses rather than a single click. This page covers typical patterns, effective controls and an orderly first response.

Cybersecurity for business

Effective enterprise security combines governance with concrete technical and organisational controls. This page shows what decision makers and IT leaders should focus on first - calm, practical and clearly prioritised.

Cybersecurity for SMEs

SMEs do not need enterprise security architecture, but they do need the right basics. This page shows which measures deliver the most impact on a limited budget and which common mistakes are easy to avoid.

What is a SOC?

A security operations centre combines people, process and technology to detect cyber incidents early, handle them in a structured way and learn from them. This page covers tasks, models and common pitfalls.

Business email compromise

Business email compromise targets money or data flows through manipulated business mail - often via compromised mailboxes or convincing correspondence. This page outlines scenarios and controls.

Account compromise

A compromised account is one of the most common incident types today. This page outlines causes, early signs and reasonable first actions.

Multi-factor authentication

MFA significantly reduces the risk of compromised accounts. This page explains which methods actually work, where the weak points are and how to prioritise rollout in practice.

Microsoft 365 security

Microsoft 365 is the central workspace and identity ecosystem for many organisations. This page outlines the key security building blocks without admin step-by-step instructions.