Phishing is still the most common start of a serious incident in a company. Not because it is technically sophisticated, but because it targets a person in a hurry. In the cases I handle, an attack almost never starts with breaking into a server. It starts with an email someone opened between one meeting and the next. The good news is that anyone can be taught to recognise phishing, not just the IT department.

What phishing actually is

Phishing is an attempt to get you to do something harmful under the influence of a seemingly credible message. Most often it is about three things: entering a password on a fake page, opening a malicious attachment or making a transfer to someone else’s account. There are several variants and it is worth knowing the names.

  • Mass phishing. Thousands of identical emails, usually pretending to be a bank, a courier or a mail provider.
  • Spear phishing. A message prepared for a specific person, with their name, position and real context.
  • BEC, or CEO fraud. An email supposedly from management with a request for an urgent transfer or a change to a contractor’s account number.
  • Smishing and vishing. The same, only by text message or phone.

How to spot a suspicious email

There is no single warning sign, but there is a set of signals. The more of them at once, the higher the risk.

  1. Time pressure and emotions. Your account will be blocked, the invoice is overdue, an urgent transfer is needed today. Haste is the fraudster’s most common tool.
  2. The sender’s address, not just the name. The displayed name may sound familiar, but the real address is sometimes on a foreign domain or contains a typo, for example an i swapped for an l.
  3. Links that lead elsewhere. Hover over a link without clicking and check where it really goes. Shortened links and odd domains are a warning sign.
  4. Attachments you are not expecting. An invoice in a file with macros, a supposed document in a zip archive, a file with a double extension.
  5. A request for data no one normally asks for by email. A password, a code from an app, full card details.
  6. Small mistakes. Odd language, a logo in the wrong resolution, an unusual signature.

In most cases the victim says the same thing afterwards: something did not feel right, but I was in a rush. The reflex of pausing for three seconds protects better than many a system.

A concrete three-second test

Before anyone clicks, it helps to ask three questions.

  • Was I expecting this message from this person.
  • Is the request normal, or is something telling me to act immediately.
  • Do the sender’s address and the link match what I know.

If any answer raises doubt, the rule is one: do not click, verify through another channel. Call the contractor on a known number, not the one from the email. With a request for a transfer or a change of account, that one phone call can save tens of thousands of zloty.

How to teach your team

A single training once a year does not work. A reflex is built repeatedly and in practice.

  • Short, concrete training based on real examples from your industry, not generalities. People remember stories, not definitions.
  • Controlled test campaigns. You send the team a safe, simulated phishing message and check who clicked. Not to punish, but to know where to reinforce.
  • A simple reporting path. One button or one address to which anyone can forward a suspicious message without fear of looking naive.
  • A culture without shame. An employee who reports their mistake at once is worth more than one who hides a click for two days. A response in the first hour changes everything.

This area is worth organising systematically. Regular security awareness training with simulations delivers a measurable drop in the number of clicks over the following months, visible in the reports.

The technical layer that catches what a person misses

An aware team is the foundation, but do not leave it alone. A few mechanisms take away the risk before an email even arrives, or before a click can do harm.

  • DNS filtering, which blocks connections to known malicious domains. Even if someone clicks, the site simply does not open. This is the role of DNS filtering.
  • A spam filter and link checking at the moment of clicking, not only on delivery.
  • MFA on accounts, so that a phished password alone is not enough to sign in.
  • Restricting macros in documents from the internet, because they are a classic carrier of malicious code.

People and technology play on one team. Filters reduce the number of attempts, and a trained team catches what squeezes through them.

Where to start

If you want to measurably lower the risk of phishing, the order is simple. Start by turning on MFA and DNS filtering, then run a short training with real examples, and finally introduce recurring tests and an easy way to report. This is not a year-long project, but a matter of a few weeks.

If you want to build a lasting reflex in your team and close it off with a technical layer, we will help plan the whole thing for your company. Start with a conversation about what your email looks like today and where the biggest risk is.