Don't fall into the trap: Check Links and Attachments
One click can be enough!
Links and attachments are favorite entry points for cybercriminals. Learn to examine them carefully before interacting.
1. How to check a link (BEFORE clicking)
Hover with the mouse
On a computer, simply move your mouse cursor over the link WITHOUT clicking. The real URL address will usually be displayed at the bottom left of your browser.
Long press on mobile
On a smartphone or tablet, press and hold your finger on the link. A pop-up window will display the full URL.
Analyze the displayed URL
Does it look exactly like the expected site? (e.g., `bank.com` and not `secure-bank.com` or `bank.com.info.net`)
Are there spelling mistakes? (e.g., `googlle.com` instead of `google.com`)
Does it use the secure HTTPS protocol (indicated by a padlock in the address bar once on the site)? Keep in mind that the padlock only means the connection is encrypted, not that the site is genuine; fraudulent sites use HTTPS too.
If in doubt
Do not open the link. Go directly to the relevant site by typing the address into your browser or using a saved favorite.
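The hover-and-inspect check above can be turned into a small automated comparison between the host a link really points to and the site you expect. The Python below is an added example written for this page, not code from PhishTrainer; it uses only the standard library and reproduces the page's own examples (`secure-bank.com`, `bank.com.info.net`, `googlle.com`). Two simplifications are assumptions: the registrable domain is taken as the last two labels of the hostname (a real tool should use the Public Suffix List so that names like `example.co.uk` are handled), and a "typo" is anything within two edits of the expected domain.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'bank.com' for 'www.bank.com'.
    Assumption: a two-label rule; production code should consult the Public
    Suffix List so that e.g. 'example.co.uk' is treated correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(url: str, expected_domain: str) -> dict:
    """Compare where a link really points with the domain you expect.

    Returns a dict with the parsed host, its registrable domain and a verdict:
      ok                   host belongs to the expected domain, over HTTPS
      ok-but-http          right domain, but the link is plain HTTP
      subdomain-lookalike  expected name used as a prefix of another domain
      typo-lookalike       registrable domain is within two edits of the expected one
      brand-lookalike      expected brand name embedded in a different domain
      different-site       unrelated domain
      unparsable           no hostname could be extracted
    """
    expected = expected_domain.lower()
    # Links pasted from an email often lack a scheme; assume http so urlsplit
    # still yields a hostname.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    result = {"host": host, "registrable": registrable_domain(host) if host else ""}
    if not host:
        result["verdict"] = "unparsable"
        return result
    reg = result["registrable"]
    if reg == expected:
        result["verdict"] = "ok" if parts.scheme == "https" else "ok-but-http"
    elif host.startswith(expected + ".") or ("." + expected + ".") in ("." + host):
        # e.g. bank.com.info.net: the real site is info.net
        result["verdict"] = "subdomain-lookalike"
    elif edit_distance(reg, expected) <= 2:
        # e.g. googlle.com vs google.com (assumed threshold: two edits)
        result["verdict"] = "typo-lookalike"
    elif expected.split(".")[0] in reg:
        # e.g. secure-bank.com: brand name embedded in another domain
        result["verdict"] = "brand-lookalike"
    else:
        result["verdict"] = "different-site"
    return result


if __name__ == "__main__":
    # Constructed sample links, including the page's own examples.
    samples = [
        ("https://www.bank.com/login", "bank.com"),
        ("https://secure-bank.com/login", "bank.com"),
        ("https://bank.com.info.net/", "bank.com"),
        ("http://googlle.com/", "google.com"),
        ("https://example.org/", "bank.com"),
    ]
    for link, expected in samples:
        print(f"{link:40} -> {inspect_link(link, expected)['verdict']}")
```

The ordering of the checks matters: an exact match on the registrable domain is accepted first, then the structural trick (expected name as a leading label of a different domain) before the fuzzy checks, so that `bank.com.info.net` is reported for what it is rather than as a near-miss spelling.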
2. Precautions with attachments
Are you expecting the attachment?
If you were not expecting to receive a document from this sender, be extremely cautious.
Beware of suspicious file types
Be very vigilant with executable files (.exe), archives (.zip, .rar), or Office documents (.doc, .docx, .xls, .xlsx, .ppt, .pptx) if they come from an unexpected source, especially if they ask to enable macros.
Analyze the context
Does the content of the email justify the presence of an attachment? Is the file name logical?
If in doubt
Do not download or open the attachment. Contact the sender by another means (phone, new email typed manually) to confirm they sent it.
Your vigilance is your best protection against cyberattacks.
Phishing is Evolving: Know the Different Forms
Fraudsters are adapting!
Phishing is no longer limited to generic emails. Cybercriminals are developing new techniques to target you.
1. Some common forms of Phishing
Spear Phishing
A highly targeted attack aimed at an individual or a small group within the company. The email is very personalized and uses specific information about the target to appear legitimate.
Whaling
Specifically targets senior executives or individuals with privileged access to financial or sensitive information.
Smishing
Phishing carried out via SMS. The message contains a malicious link or asks to call a fraudulent number.
Vishing
Phishing via phone call (Voice Phishing). The fraudster pretends to be a trusted contact (bank, technical support, administration) to extract information from you.
Pharming
A technique that redirects traffic from a legitimate website to a fake site without the victim even clicking a link, often by modifying system files on the computer.
Business Email Compromise (BEC)
CEO fraud or supplier fraud. The attacker impersonates a manager or a business partner to order an urgent bank transfer.
Stay informed about new tactics to better thwart them.
Checklist: How to check if an email is legitimate?
Fraudsters are sometimes clever!
Use this quick checklist to examine suspicious emails before clicking or replying.
1. Points to check
Sender
Check the full email address. Is it the official address of the organization, or are there subtle variations?
Spelling and Grammar
Does the email contain spelling mistakes, grammatical errors, or strange phrasing?
Salutation
Is it impersonal ("Dear customer", "Hello user") or does it use your name?
Link Destination
Hover over the link (without clicking!) to see the real URL. Does it match the expected official site?
Attachments
Are you expecting this attachment? Is the file type suspicious?
Urgency or Threat
Does the message create a sense of urgency or contain threats to push you to act quickly?
Unusual Request
Is the request (transfer, information, action...) strange or unexpected in this context?
Request for sensitive data
Does the email ask for your password, bank details, or other confidential information?
External Verification
If in doubt, verify the information by contacting the organization directly via their official website or by phone (do not reply to the suspicious email).
Reporting
If the email seems suspicious, report it to your IT department.
By applying these checks, you will significantly increase your ability to identify phishing attempts.
Phishing Incident in the Company: The Right Reaction
Your reaction is crucial!
If you think you have clicked on a phishing link, opened a suspicious attachment, or entered professional information, act quickly and correctly.
1. Steps to follow IMMEDIATELY
Don't panic, but act fast
Time is a key factor in limiting the damage.
Report the incident WITHOUT DELAY
Inform your line manager immediately.
Contact the IT department or the security officer (CISO) of the company. Use official communication channels (phone, internal reporting tool) and not the potentially compromised email.
Describe precisely what happened (click, attachment opened, information entered, etc.).
Isolate your device
Disconnect from the company network (unplug the Ethernet cable, disable Wi-Fi). Do not turn off your computer unless instructed by IT, as this could prevent evidence collection.
Do not delete anything
Do not delete the suspicious email or any potentially downloaded files. They are important for incident analysis.
Change your passwords
If you have entered your session password or any other professional password, change it immediately. Ideally, do it from another secure device if possible.
Be ready to cooperate
The IT team will need your cooperation to investigate and clean the systems if necessary.
2. Why reporting is essential
Identification
Allows for quick identification and blocking of the threat to protect other employees.
Propagation
Limits the spread of potential malware on the company's network.
Help
Helps the security team understand the tactics used and strengthen defenses.
Your honesty and responsiveness are essential for collective security.
Your Line of Defense: Strong Passwords and MFA
Even if you click, these measures can save you!
Good password practices and the use of multi-factor authentication (MFA) add essential layers of security.
1. Strong Passwords
Length
A password should ideally contain at least 12 characters.
Complexity
Mix uppercase, lowercase, numbers, and special characters (!@#$%^&*).
Uniqueness
NEVER use the same password for different accounts, especially professional and personal ones.
Avoid personal information
Do not use your name, date of birth, a relative's name, a pet's name...
Use a passphrase
A phrase that is easy for you to remember but hard to guess (e.g., "MyCatLovesBlueKibble!7").
Consider a password manager
A secure tool to generate and store your complex passwords.
Discover in video
How to create a strong, unbreakable password.
How hackers crack your passwords.
2. Multi-Factor Authentication (MFA)
What is it?
MFA requires at least two proofs of your identity to log in: something you know (a password), something you have (a phone or token), and something you are (a fingerprint or facial recognition).
Why is it crucial?
Even if a fraudster gets your password (through phishing, for example), they will not be able to log in without the second authentication factor.
Enable it everywhere
Enable MFA on all your professional and personal accounts that offer it (email, VPN, apps, banks, social networks...).
A common phishing technique is to create a sense of urgency or fear to push you to act quickly without thinking or checking.
1. How to recognize this tactic
Very short deadlines
"You have 24 hours to respond", "Your account will be deleted soon if you do not act".
Threats
"Your account has been compromised", "You risk a fine", "Your delivery cannot be completed".
Unusual and urgent requests
A supervisor requesting an urgent bank transfer by email, an immediate gift card request, etc.
Alarmist tone
Use of capital letters, excessive exclamation marks, dramatic phrasing.
2. How to react to urgency
Take your time
An important email generally does not require immediate action under penalty of disastrous consequences. Breathe and calmly analyze the message.
Do not click
Avoid clicking on links or opening attachments if you feel pressured.
Verify through another channel
If the message claims to be from a person or organization you know, contact them directly through a usual means (phone, official app, website) to verify the information. DO NOT use the contact details provided in the suspicious email.
Talk about it
If you have any doubt about an email, talk to a colleague or contact your IT department before acting.
Don't let pressure make you make a mistake. Verification is key.
Train your teams
Train your teams with PhishTrainer.
With PhishTrainer, transform your employees into the first line of defense against phishing. Simulate, raise awareness, and secure your company for the long term with realistic and engaging phishing campaigns.