Phishing - Best Practices

This practical guide gives you the essential reflexes to identify and thwart phishing attempts — for yourself, your colleagues, and your company. 91% of cyberattacks start with a phishing email (Proofpoint 2024): knowing how to recognise warning signs is the first line of defence.

To be forewarned is to be forearmed!

Learn to outsmart Phishing traps

Don't fall into the trap: Check Links and Attachments

1. How to check a link (BEFORE clicking)

Hover with the mouse

On a computer, simply move your mouse cursor over the link WITHOUT clicking. The real URL address will usually be displayed at the bottom left of your browser.

Long press on mobile

On a smartphone or tablet, press and hold your finger on the link. A pop-up window will display the full URL.

Analyze the displayed URL

  • Does it look exactly like the expected site? (e.g., `bank.com` and not `secure-bank.com` or `bank.com.info.net`)
  • Are there spelling mistakes? (e.g., `googlle.com` instead of `google.com`)
  • Does it use the secure HTTPS protocol (indicated by a padlock in the address bar once on the site)?

If in doubt

Do not open the link. Go directly to the relevant site by typing the address into your browser or using a saved favorite.
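The three URL questions above can be applied mechanically. The following checker is an added example, not code from the original page: it takes the URL revealed by hovering and the domain the message claims to come from, and reports the warning signs the list describes (a different registered domain, a one- or two-letter lookalike, the expected name buried as a subdomain, no HTTPS). The `registrable_domain` helper is a deliberate simplification that keeps the last two labels only; the sample links are the page's own examples. One caveat worth keeping in mind: HTTPS proves the connection is encrypted, not that the site is the real one, so the padlock check is necessary but never sufficient.

```python
# Added example (not from the original page): a small URL checker that
# applies the "analyze the displayed URL" questions before anyone clicks.
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'bank.com'.

    Simplification: multi-label public suffixes such as 'co.uk' are not
    handled; a production check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squats such as 'googlle.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, expected_domain: str) -> list:
    """Return the warning signs found for a displayed URL, or [] if none.

    expected_domain is the site the message claims to be from, e.g. 'bank.com'."""
    findings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    expected = expected_domain.lower()
    if parsed.scheme != "https":
        findings.append("not HTTPS")
    actual = registrable_domain(host)
    if actual == expected:
        return findings
    if host.startswith(expected + "."):
        # bank.com.info.net: the real name is only a subdomain of info.net
        findings.append(f"expected domain '{expected}' appears as a subdomain of '{actual}'")
    elif edit_distance(actual, expected) <= 2:
        # googlle.com: one or two characters away from the real name
        findings.append(f"'{actual}' is a lookalike of '{expected}'")
    else:
        # secure-bank.com: a different registered domain altogether
        findings.append(f"'{actual}' is not '{expected}'")
    return findings


if __name__ == "__main__":
    # The page's own examples, run through the checker
    for link, claimed in (("https://bank.com/login", "bank.com"),
                          ("https://bank.com.info.net/login", "bank.com"),
                          ("http://googlle.com", "google.com"),
                          ("https://secure-bank.com", "bank.com")):
        print(link, "->", check_link(link, claimed) or "consistent with the claimed site")
```

An empty result means the link is consistent with the site it claims to be; it does not prove the link is safe, which is why the "if in doubt" advice above (type the address yourself) still applies.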

2. Precautions with attachments

Are you expecting the attachment?

If you were not expecting to receive a document from this sender, be extremely cautious.

Beware of suspicious file types

Be very vigilant with executable files (.exe), archives (.zip, .rar), or Office documents (.doc, .docx, .xls, .xlsx, .ppt, .pptx) if they come from an unexpected source, especially if they ask to enable macros.

Analyze the context

Does the content of the email justify the presence of an attachment? Is the file name logical?

If in doubt

Do not download or open the attachment. Contact the sender by another means (phone, new email typed manually) to confirm they sent it.

Your vigilance is your best protection against cyberattacks.

Phishing is Evolving: Know the Different Forms

1. Some common forms of Phishing

Spear Phishing

A highly targeted attack aimed at an individual or small group. The email is personalized with real information about the target (manager's name, ongoing project, known supplier) to appear legitimate. Spear phishing accounts for 66% of confirmed data breaches (Verizon DBIR 2025) — less frequent in volume, but far more effective.

Whaling

Specifically targets senior executives or individuals with privileged access to financial or sensitive information.

Smishing

Phishing carried out via SMS. The message contains a malicious link or asks to call a fraudulent number.

Vishing

Phishing via phone call (Voice Phishing). The fraudster pretends to be a trusted contact (bank, technical support, administration) to extract information from you.

Pharming

A technique that redirects traffic from a legitimate website to a fake site without the victim even clicking a link, often by modifying system files on the computer.

Business Email Compromise (BEC)

CEO fraud or supplier fraud: the attacker impersonates a manager or business partner to order an urgent bank transfer or obtain confidential information. BEC caused reported losses of 2.9 billion USD in 2023 (FBI IC3 2024) — it is the most financially costly cyber threat. No malware required — manipulation alone suffices.

Stay informed about new tactics to better thwart them.

Checklist: How to check if an email is legitimate?

1. Points to check

Sender

Check the full email address. Is it the official address of the organization, or are there subtle variations?

Spelling and Grammar

Does the email contain spelling mistakes, grammatical errors, or strange phrasing?

Salutation

Is it impersonal ("Dear customer", "Hello user") or does it use your name?

Link Destination

Hover over the link (without clicking!) to see the real URL. Does it match the expected official site?

Attachments

Are you expecting this attachment? Is the file type suspicious?

Urgency or Threat

Does the message create a sense of urgency or contain threats to push you to act quickly?

Unusual Request

Is the request (transfer, information, action...) strange or unexpected in this context?

Request for sensitive data

Does the email ask for your password, bank details, or other confidential information?

External Verification

If in doubt, verify the information by contacting the organization directly via their official website or by phone (do not reply to the suspicious email).

Reporting

If the email seems suspicious, report it to your IT department.

By applying these checks, you will significantly increase your ability to identify phishing attempts.
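The checklist above (sender, salutation, urgency, sensitive-data request, link destination, attachments) can also be run over a message by a mail filter or a help-desk triage script. The code below is an added example and not part of the original page: it parses a raw email with the Python standard library and returns every warning sign it finds. The two sample messages, and every address and domain in them, are constructed for illustration; the keyword lists are minimal and would be extended in practice. It covers the attachment rule from the earlier section as well, using the file types that section names.

```python
# Added example (not from the original page): run the phishing checklist
# over a raw email. All messages, addresses and domains below are invented.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# File types the page singles out when they arrive unexpectedly
RISKY_EXTENSIONS = {".exe", ".zip", ".rar", ".doc", ".docx",
                    ".xls", ".xlsx", ".ppt", ".pptx"}
URGENCY_PHRASES = ("24 hours", "immediately", "urgent", "will be deleted", "suspended")
SENSITIVE_PHRASES = ("password", "bank details", "card number")
IMPERSONAL_GREETINGS = ("dear customer", "hello user", "dear user")

# Constructed suspicious message: lookalike sender, generic greeting,
# deadline, password request, link text that hides the real host, .docx attached
SAMPLE = """\
From: "Acme Bank Support" <support@acme-bank-secure.com>
To: employee@example.com
Subject: URGENT: your account will be deleted
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>You have 24 hours to confirm your password at
<a href="https://acme-bank.com.info.net/login">https://acme-bank.com/login</a>.</p>
--b1
Content-Type: application/octet-stream; name="invoice.docx"
Content-Disposition: attachment; filename="invoice.docx"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed legitimate message for comparison
CLEAN = """\
From: Acme Bank <statements@acme-bank.com>
To: employee@example.com
Subject: Your March statement is available
Content-Type: text/plain; charset="utf-8"

Hello Alex, your statement is available in online banking as usual.
"""


def check_email(raw: str, expected_domain: str) -> list:
    """Return (check, detail) pairs for every warning sign found; [] if none."""
    msg = message_from_string(raw, policy=policy.default)
    expected = expected_domain.lower()
    findings = []

    # Sender: compare the real address, never the display name
    sender = parseaddr(str(msg["From"] or ""))[1].rsplit("@", 1)[-1].lower()
    if sender != expected:
        findings.append(("sender", f"address domain '{sender}' is not '{expected}'"))

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    scan = str(msg["Subject"] or "").lower() + " " + text

    if any(g in text for g in IMPERSONAL_GREETINGS):
        findings.append(("salutation", "impersonal greeting"))
    if any(p in scan for p in URGENCY_PHRASES):
        findings.append(("urgency", "deadline or threat in subject or body"))
    if any(p in scan for p in SENSITIVE_PHRASES):
        findings.append(("sensitive-data", "asks for confidential information"))

    # Links: the href is what hovering reveals; the label is what the reader sees
    for href, label in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        if host != expected and not host.endswith("." + expected):
            label_text = re.sub(r"<[^>]+>", "", label).strip().lower()
            if expected in label_text:
                findings.append(("link", f"text shows '{expected}' but points to '{host}'"))
            else:
                findings.append(("link", f"points to '{host}', not '{expected}'"))

    # Attachments: flag the file types the page warns about
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(("attachment", f"'{name}' has a risky file type"))
    return findings


if __name__ == "__main__":
    for check, detail in check_email(SAMPLE, "acme-bank.com"):
        print(f"{check:15} {detail}")
    print("clean message:", check_email(CLEAN, "acme-bank.com") or "no warning signs")
```

The link check is the most valuable one: the anchor text is what the reader sees, the `href` is what the browser opens, and a mismatch between the two is exactly what the "hover before clicking" advice is designed to expose. Keyword checks for urgency and grammar are weaker, as the FAQ below notes, since AI-written messages no longer contain the obvious errors.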

Phishing Incident in the Company: The Right Reaction

1. Steps to follow IMMEDIATELY

Don't panic, but act fast

Time is a key factor in limiting the damage.

Report the incident WITHOUT DELAY

  • Inform your line manager immediately.
  • Contact the IT department or the security officer (CISO) of the company. Use official communication channels (phone, internal reporting tool) and not the potentially compromised email.
  • Describe precisely what happened (click, attachment opened, information entered, etc.).

Isolate your device

Disconnect from the company network (unplug the Ethernet cable, disable Wi-Fi). Do not turn off your computer unless instructed by IT, as this could prevent evidence collection.

Do not delete anything

Do not delete the suspicious email or any potentially downloaded files. They are important for incident analysis.

Change your passwords

If you have entered your session password or any other professional password, change it immediately. Ideally, do it from another secure device if possible.

Be ready to cooperate

The IT team will need your full cooperation to investigate and clean the systems if necessary.

2. Why reporting is essential

Identification

Allows for quick identification and blocking of the threat to protect other employees.

Propagation

Limits the spread of potential malware on the company's network.

Help

Helps the security team understand the tactics used and strengthen defenses.

Your honesty and responsiveness are essential for collective security.

Your Line of Defense: Strong Passwords and MFA

1. Strong Passwords

Length

A password should ideally contain at least 12 characters.

Complexity

Mix uppercase, lowercase, numbers, and special characters (!@#$%^&*).

Uniqueness

NEVER use the same password for different accounts, especially professional and personal ones.

Avoid personal information

Do not use your name, date of birth, a relative's name, a pet's name...

Use a passphrase

A phrase that is easy for you to remember but hard to guess (e.g., "MyCatLovesBlueKibble!7").

Consider a password manager

A secure tool to generate and store your complex passwords.
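The password rules above are easy to encode, and a generator shows what "use a password manager to generate" means in practice. The block below is an added example, not code from the original page or from any product it mentions: `evaluate_password` reports which of the listed rules a candidate breaks (length, character mix, personal information), and `generate_passphrase` builds a random passphrase using Python's `secrets` module, which is the cryptographically secure source a generator must use rather than the predictable `random` module. The word list and the personal terms are constructed for the example.

```python
# Added example (not from the original page): check a password against the
# rules above and generate a passphrase the way a password manager does.
import secrets


def evaluate_password(password: str, personal_terms=()) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    # Personal information: name, birth year, pet's name... supplied by the caller
    low = password.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in low:
            problems.append(f"contains personal information: '{term}'")
    return problems


# Constructed word list; a real generator uses a list of several thousand words
WORDS = ["copper", "lantern", "orbit", "velvet", "marble", "cactus", "signal", "harbor"]


def generate_passphrase(words=WORDS, count=4, separator="-") -> str:
    """Join randomly chosen words plus a two-digit number, e.g. 'Orbit-Velvet-Marble-Cactus-07'.

    secrets.choice draws from the OS entropy source; random.choice would be predictable."""
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    number = f"{secrets.randbelow(100):02d}"
    return separator.join(chosen + [number])


if __name__ == "__main__":
    personal = ["Felix", "1987"]  # constructed: pet's name and birth year
    print(evaluate_password("felix1987", personal))
    print(evaluate_password("MyCatLovesBlueKibble!7", personal))
    phrase = generate_passphrase()
    print(phrase, evaluate_password(phrase) or "passes all rules")
```

The uniqueness rule (never reuse a password across accounts) cannot be checked from a single password, which is precisely why a manager that stores a distinct generated password per account is the practical answer to it.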

Watch the videos

How to create a strong, unbreakable password.

How hackers crack your passwords.

2. Multi-Factor Authentication (MFA)

What is it?

MFA requires at least two proofs of your identity to log in (something you know - password, something you have - phone/token, something you are - fingerprint/facial recognition).

Why is it crucial?

Even if a fraudster obtains your password via phishing, they cannot log in without the second factor. MFA blocks 99.9% of automated account attacks (Microsoft 2024). It is the security measure with the best effort-to-protection ratio available today.

Enable it everywhere

Enable MFA on all your professional and personal accounts that offer it (email, VPN, apps, banks, social networks...).

Strong passwords + MFA = Greatly enhanced security.

Beware of Phishing Tactics: Urgency and Pressure

1. How to recognize this tactic

Very short deadlines

"You have 24 hours to respond", "Your account will be deleted soon if you do not act".

Threats

"Your account has been compromised", "You risk a fine", "Your delivery cannot be completed".

Unusual and urgent requests

A supervisor requesting an urgent bank transfer by email, an immediate gift card request, etc.

Alarmist tone

Use of capital letters, excessive exclamation marks, dramatic phrasing.

2. How to react to urgency

Take your time

An important email generally does not require immediate action under penalty of disastrous consequences. Breathe and calmly analyze the message.

Do not click

Avoid clicking on links or opening attachments if you feel pressured.

Verify through another channel

If the message claims to be from a person or organization you know, contact them directly through a usual means (phone, official app, website) to verify the information. DO NOT use the contact details provided in the suspicious email.

Talk about it

If you have any doubt about an email, talk to a colleague or contact your IT department before acting.

Don't let pressure make you make a mistake. Verification is key.

Frequently asked questions about phishing

Are smishing (SMS) and vishing (phone) as dangerous as email phishing?

Yes, and they can be more effective, precisely because people expect them less.

Smishing (SMS): SMS have an open rate above 90%, compared to 20 to 30% for emails. Messages typically imitate a delivery alert (postal service, DHL), a banking warning, or a government message. The link redirects to a fake login page. On mobile, the URL is often truncated and difficult to verify.

Vishing (voice): the attacker calls their victim directly, posing as IT support, a bank, or Microsoft. Real-time pressure and the human voice bypass the usual defenses. AI-generated voice deepfakes can now imitate the voice of a known colleague or manager.

The golden rule in both cases: never provide sensitive information following an unsolicited message or call — call the organization back directly via a known official number.

Does MFA (multi-factor authentication) really protect against phishing?

Yes, in the vast majority of cases. Even if an attacker obtains your password via a phishing page, they cannot log in without the second factor (SMS code, authenticator app, physical key). MFA blocks 99.9% of automated account attacks (Microsoft 2024). The only exception is real-time phishing (MITM / Adversary-in-the-Middle attack) which intercepts the MFA code in the same instant — this vector remains marginal for SMEs. The recommendation: enable MFA on all professional accounts without exception.

How do you effectively train teams against phishing?

Theoretical training alone is not enough: studies show that employees forget 70% of training content within the week following the session (Ebbinghaus, replicated in numerous e-learning studies). The most effective approach combines simulation and corrective training: send real simulated phishing campaigns (via PhishTrainer), identify employees who click, then automatically redirect them to targeted training (Bexxo Academy). This method reduces the click rate by 60 to 70% in six months (Proofpoint 2024). Regular simulations (4 to 6 per year) maintain the level of vigilance over time.

How do you recognize a phishing email?

The main warning signs are: a sender address slightly different from the original (e.g. support@rnazonl.com instead of @amazon.com), a sense of urgency or threat pushing you to act quickly, a request for your password or banking information, a link URL that does not match the expected site (hover before clicking), spelling or formatting errors. Warning: AI-generated emails are now perfectly written — grammar alone is no longer enough to detect them.

How is artificial intelligence transforming phishing attacks?

Generative AI has radically changed the phishing threat since 2023. Three major developments:
  • Perfectly written emails — gone are the spelling mistakes that used to help detect phishing. LLMs generate flawless emails in perfect English, adapted to the tone of the targeted company. AI-generated emails have a click rate four times higher than manually crafted ones (APWG / Keepnet 2025).
  • Personalization at scale — AI can analyze a target's LinkedIn profile, public posts, and company website to create an ultra-realistic spear phishing in seconds. What used to take a human attacker hours now takes seconds.
  • Voice and video deepfakes — vishing calls imitating a manager's voice, or entire video conferences with deepfake avatars, have already been used to trigger fraudulent bank transfers (documented cases in 2024 in Hong Kong: 25 million USD lost).
The direct consequence: human vigilance alone is no longer sufficient. Regular simulation (PhishTrainer) and continuous training (Bexxo Academy) are indispensable to maintain a level of defense adapted to the current threat.

What are the different forms of phishing to know about?

There are 6 main forms of phishing:
  • Classic phishing — mass emails imitating a bank, a delivery service, or a government agency. More than 3.4 billion fraudulent emails sent every day (Forbes 2024). Often recognizable by errors and artificial urgency.
  • Spear phishing — targeted attack on a specific person, with real information (manager's name, ongoing project). Accounts for 66% of confirmed breaches (Verizon DBIR 2024).
  • Whaling — variant of spear phishing specifically targeting executives and managers, to access finances or strategic decisions.
  • Smishing — phishing via SMS. Typically imitates a banking alert, a parcel delivery, or a public service. SMS open rates exceed 90% — this vector is growing rapidly.
  • Vishing — voice phishing by phone. The fraudster impersonates IT support, a bank, or a government agency to extract information or trigger immediate action.
  • BEC (Business Email Compromise / CEO fraud) — identity impersonation of a manager or partner to order a bank transfer or obtain sensitive data. The primary source of financial losses related to cybercrime: 2.9 billion USD in 2023 (FBI IC3 2024).

What is phishing?

Phishing is an online fraud technique that involves sending emails, SMS, or messages that imitate legitimate communications (bank, government agency, employer) to trick the victim into revealing confidential information — passwords, banking details, professional credentials. Phishing is the most widely used attack vector: 91% of cyberattacks start with a fraudulent email (Proofpoint 2024).

What is spear phishing and why is it more dangerous?

Spear phishing is a targeted variant of classic phishing: instead of sending millions of generic emails, attackers personalize the attack using real information about the victim (manager's name, ongoing project, supplier name). This targeting makes the email far more credible. Spear phishing accounts for 66% of confirmed data breaches (Verizon DBIR 2024). With AI, attackers can now generate these personalized emails at scale — the cost of a targeted attack has dropped considerably.

What should I do if I clicked on a phishing link?

Act immediately: (1) disconnect from the company network (Wi-Fi, cable); (2) report the incident to your IT department or security officer without delay — by phone, not by email; (3) change your password from another secure device; (4) do not delete the suspicious email, it is needed for forensic analysis; (5) enable MFA if not already done. The faster you act, the more the damage can be limited.

Train your teams

Train your teams with PhishTrainer.

With PhishTrainer, transform your employees into the first line of defense against phishing. Simulate, raise awareness, and secure your company for the long term with realistic and engaging phishing campaigns.

See the demonstration