
Recognizing Phishing: The Complete Protection Guide for Businesses

How to spot phishing emails, respond correctly, and protect your business. Includes a checklist, immediate steps to take after clicking a link, and FAQs.

Chris Wojzechowski, Managing Partner
12 min read
IT-Grundschutz-Praktiker (TÜV), IT Risk Manager (DGI), § 8a BSIG Prüfverfahrenskompetenz, Ausbilderprüfung (IHK)

TL;DR

According to a Google study, phishing is the greatest danger on the internet and today hits businesses of all sizes with highly professional, AI-powered deceptions. Five recurring patterns - pressure building, data requests, manipulated links, threats, and forged identities - still reliably reveal phishing emails. Anyone who has opened a suspicious email or clicked a link must act immediately: disconnect the device, notify IT, change passwords. Seven technical and organizational measures along with regular security awareness training permanently reduce the risk.


Just a few years ago, phishing emails tended to be impersonal and relatively clumsily worded. They would casually ask for account details, or fake requests would land in your inbox that were immediately obvious—whether due to poor German phrasing or because they were dubious requests that were relatively easy to spot. Umlauts were often misrepresented, which served as a clear giveaway.

Those days are over. Today, phishing emails have become sophisticated and are usually very personally tailored. Letterheads and company logos are meticulously forged, salutations often already include the recipient’s name, and spelling errors are rare. Furthermore, AI tools like ChatGPT enhance such attacks: attackers no longer even have to choose the right wording themselves.

This guide summarizes what you really need to know—from the first warning signs to immediate steps to take after clicking a link.


1. Why Phishing Is the Biggest Threat on the Internet

A study by Google, conducted in collaboration with the University of California, Berkeley, and presented at CCS, shows that the greatest danger online is falling victim to a phishing attack. Google uses the findings from this study to protect approximately 67,000,000 Google accounts.

The term “phishing” is derived from the English word “fishing” and describes the attempt to obtain sensitive data. You may encounter phishing attacks in various forms: via text message (smishing), via phone call (vishing), and most commonly via email. In December 2021 alone, the Anti-Phishing Working Group recorded around 320,000 attacks.

Why does phishing particularly target small and medium-sized businesses today?

Current attacks are professionally designed, featuring company logos, real names, and deceptively authentic sender addresses. The risk is particularly high for SMEs because they are attractive targets but often lack the same security resources as large corporations.

There are three main types of attacks:

  • Mass phishing – a broad net is cast, with each message kept as general as possible.
  • Spear-phishing – individual targets are specifically addressed using personal details. Attackers research names, hobbies, and interests via social media.
  • Business Email Compromise (BEC) – Attackers use information about contacts or internal processes to manipulate payment approvals or supply chain communications.

The combination of personalization and knowledge of internal processes is particularly dangerous: An email with the subject line “It’s me, your boss—please transfer funds to this account immediately” appears credible at first glance and exploits both pressure and authority. Scenarios like this happen every day.

A single click on a manipulated link or attachment is enough to compromise sensitive data or grant access to entire systems.


2. Recognizing Phishing Emails: The Key Signs (Checklist)

Despite increasing sophistication, there are five patterns that consistently give phishing emails away:

Sign 1: Artificial Pressure

A strong indicator is artificially created time pressure. Phishing emails primarily revolve around the need for you to confirm data or accept new terms and conditions at short notice. The pressure is usually heightened by threats of cancellations or account closures if confirmation is not provided within 24 hours.

Rule of thumb: No reputable company sets such short deadlines or requires consent in such a short time. The more time pressure is created in the text, the more likely it is a phishing email.

Sign 2: Request for personal data

A typical feature of phishing emails is the request for personal data. This isn’t just about your name and address, but usually also includes usernames, passwords, and other confidential information. In the worst-case scenario, they specifically ask for an online banking PIN or credit card numbers with security codes. You should also never send scanned ID cards without hesitation due to the risk of identity theft.

Rule of thumb: Reputable providers do not request such data via email. If an email asks for this kind of personal information, it is almost always a phishing attempt.

Sign 3: Manipulated links

There is essentially no phishing email that doesn’t attempt to redirect you to a manipulated site via an external link. Such sites are usually fake and sometimes include all the original logos, but they can be identified by the actual URL. Even if the company name appears in the address, the URL usually has unusual parts appended to it.

Rule of thumb: As a general rule, do not click on links or buttons in emails if you are not expecting such a message. On a mobile phone, you can press and hold a link to see where it actually leads—tapping it briefly will open the page immediately.

Sign 4: Threats

If you’re being threatened, something is definitely wrong. No legitimate company will threaten you—not even the tax office threatens, but merely issues a warning. Whenever specific threats are involved—account freezes, account deletions, legal consequences—it’s almost always a phishing email.

Rule of thumb: Threats combined with time pressure are a clear red flag. Threats with no prior business relationship to the alleged sender are a red flag regardless.

Sign 5: Fake Identities and Legitimacy

Phishing emails often contain many different logos and company names, even though they have nothing to do with the actual company. They use the correct fonts, logos, and colors—only the content seems off. Attackers pose as your boss, a colleague, or a business partner. The emails seem familiar because they include names you recognize. But if you take a closer look at the sender, you’ll often realize that the person behind the address isn’t who they claim to be.

Rule of thumb: If an email comes from a supposedly familiar person or large company, but the request seems highly unusual, remain skeptical. When in doubt, check personally—through a channel you know, not via the number provided in the email.

Quick checklist: How to spot a phishing email

Ask yourself these three questions before taking action:

  1. Do I personally know the sender, and does the address seem plausible?
  2. Does the subject line make sense, and was I expecting an attachment or link?
  3. Is pressure being applied, am I being asked for personal information, or am I being threatened?

If you answer “No” to either of the first two questions or “Yes” to the third, treat the email as suspicious.


3. Understanding URL Structure

Understanding how a URL is structured is crucial for identifying phishing links. It’s worth learning this, as the structure of web addresses won’t change in the long term, regardless of whether the link is sent via an app, messenger, email, or another method.

A URL consists of five components:

  • Protocol – specifies how the server communicates. https (with s for secure) indicates SSL/TLS-encrypted communication; http without s transmits everything in plain text, including passwords.
  • Subdomain – appears before the actual domain, separated by a dot. It allows different services to be addressed under the same domain.
  • Domain (Second-Level Domain) – the core of the address, indicating which website you are on. A domain may only be assigned once per top-level domain.
  • Top-Level Domain – the highest level (e.g., .de, .com). DENIC is responsible for .de, and ICANN for .com.
  • Path – indicates which part of a website is being accessed, similar to a folder structure.

The key trick with phishing links lies in the subdomain. In the example www.amazon.de.evil.com, evil.com is the actual domain—www.amazon.de is just the subdomain. If you’re not careful, you might easily mistake evil.com for the path of the URL and end up on a page you didn’t intend to visit.

AWARE7 has developed phishing-erkennen.de, a free tool that automatically breaks down URLs into their components. Simply paste the link, click “split”—and the real domain becomes immediately visible.

Additional verification methods:

  • Hover over the link (Desktop): The actual destination address appears in the browser’s status bar before you click.
  • Long-press the link (Mobile device): Displays the destination URL without opening the page.
  • Take browser warnings seriously: Google Safe Browsing warns against known phishing websites in Chrome, Firefox, and Safari. Websites that repeatedly distribute malware are blocked by Google for up to 30 days.
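The following Python script is an added example for this section; it is not the phishing-erkennen.de tool and not AWARE7 code. It splits a URL into the five components described above (protocol, subdomain, domain, top-level domain, path), reports the registrable domain that actually decides where a link leads, and flags the subdomain trick from the www.amazon.de.evil.com example. The public-suffix table and the brand list are small constructed tables, not the real Public Suffix List, so the script only recognizes the suffixes listed in it.

```python
"""Split a URL into its five components and expose the real domain.

Added example for this guide; it is not the phishing-erkennen.de tool
and not AWARE7 code. PUBLIC_SUFFIXES and WATCHED_BRANDS are small
constructed tables, not the real Public Suffix List or any customer data.
"""
from urllib.parse import urlsplit

# Constructed subset of public suffixes; the real list has thousands.
PUBLIC_SUFFIXES = {"de", "com", "net", "org", "co.uk", "com.au"}

# Constructed: brand names whose appearance outside the real domain is suspicious.
WATCHED_BRANDS = ("amazon", "paypal", "sparkasse")


def split_url(url: str) -> dict:
    """Return protocol, subdomain, domain, top-level domain and path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")

    # The top-level domain is the longest known public suffix at the end
    # of the host name ("co.uk" beats "uk"), so try two labels, then one.
    tld = ""
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            tld = ".".join(labels[-n:])
            break

    # Everything left of the suffix: the last label is the domain,
    # anything before it is the subdomain (possibly empty).
    rest = labels[:-len(tld.split("."))] if tld else labels
    domain = rest[-1] if rest else ""
    subdomain = ".".join(rest[:-1])
    return {
        "protocol": parts.scheme.lower(),
        "subdomain": subdomain,
        "domain": domain,
        "tld": tld,
        "path": parts.path or "/",
    }


def registrable_domain(url: str) -> str:
    """The part that decides where you really end up, e.g. 'evil.com'."""
    c = split_url(url)
    return f"{c['domain']}.{c['tld']}" if c["tld"] else c["domain"]


def check_link(url: str, expected_domain: str) -> list:
    """Return the warnings a reader should see before clicking."""
    c = split_url(url)
    real = registrable_domain(url)
    warnings = []
    # Missing https means plain-text transport; note that https alone
    # says nothing about legitimacy, so its presence adds no warning.
    if c["protocol"] != "https":
        warnings.append("no https: the connection is not encrypted")
    if real != expected_domain.lower():
        warnings.append(f"real domain is {real}, not {expected_domain}")
    # Brand name smuggled into the subdomain or path of another domain.
    for brand in WATCHED_BRANDS:
        if brand not in real and (brand in c["subdomain"] or brand in c["path"].lower()):
            warnings.append(f"'{brand}' appears outside the real domain")
    return warnings


if __name__ == "__main__":
    for link in ("https://www.amazon.de/", "https://www.amazon.de.evil.com/login"):
        print(link, split_url(link), check_link(link, "amazon.de"))
```

Run it and the second link reports `evil.com` as the real domain with `www.amazon.de` as its subdomain. A production version would load the full Public Suffix List instead of the constructed table, since many suffixes (such as `co.uk`) span more than one label.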

4. Phishing email opened – what to do? (Immediate actions)

The level of risk varies depending on exactly what happened. Here is a clear breakdown:

Level 1: Email only opened – low risk

If you have only opened the phishing email, you are exposed to low to no risk. If the sender is unknown to the email program, images are often not loaded—thus, no connection is established between the user and the attacker. Action: Permanently delete the email. Notify the IT department so that the email filter can be adjusted and the email is not forwarded to colleagues.

Level 2: Images loaded – low risk

Clicking “Show images” establishes a connection to a server. These could also be invisible tracking pixels that notify the attacker that the email account is active. The attacker also receives information about the email client used and the IP address. Action: Notify IT; do not load images from unknown senders in the future.

Level 3: Link clicked

Even though modern browsers are well-secured, an attacker can now exploit additional attack vectors, such as executing code in the browser. Antivirus software detects such attacks, but not always reliably.

Immediate actions:

  1. Close the phishing website immediately if detected.
  2. Check whether files were downloaded unintentionally—if so, cancel the download and delete the file.
  3. Contact the IT department immediately.
  4. Consider whether sensitive information has already been entered.

Level 4: Attachment opened – high risk

Phishing attachments can be Word, PDF, or executable files. Document-based files may contain malicious code that is executed through security vulnerabilities in programs such as Microsoft Word or Adobe Acrobat Reader. Executable files can be executed directly without requiring a security vulnerability in external software. Some malware runs in the background and waits; others—such as ransomware—encrypt all data on the hard drive.

Immediate actions:

  1. Disconnect the device from the network immediately.
  2. Change all passwords on a different device—immediately.
  3. Contact IT experts to have the device examined.
  4. Only a complete reinstallation offers full security.
  5. Check backup status—is the latest backup up to date?

Level 5: Data entered on a phishing site—extreme danger

This is the most dangerous scenario. The attacker now has full access to the account. Even two-factor authentication can be bypassed by entering data on the phishing site.

Immediate actions – act faster than the attacker:

  1. Change your password immediately on another device – don’t just add a character, but set a completely new password.
  2. Change the password everywhere else where the same or a similar password was used.
  3. Enable two-factor authentication if you haven’t already.
  4. For banking: use a secure TAN procedure and monitor account activity. The mTAN procedure via SMS should no longer be used.
  5. Contact your bank or service provider directly.
  6. If identity theft has occurred, file a police report.

5. What kind of damage can you expect?

The range of potential damage is considerable:

Financial damage occurs when attackers gain access to online banking or payment services. In BEC attacks, payment approvals are manipulated; a brief verification call to the boss or the accounting department that never takes place is often all that makes an entire attack possible in the first place.

Data loss and ransomware: Attackers targeting internal systems often install Trojans that run in the background or ransomware that encrypts all existing data. In such cases, only a clean reinstallation offers complete security—provided a recent backup is available.

Identity theft: Scanned IDs, login credentials, and personal information are traded on the dark web or used directly for further fraudulent activities. Between March 2016 and March 2017, researchers found over 25,000 tools in well-known underground forums used to collect account credentials—in addition to 788,000 records stolen via keyloggers and 12,000,000 via phishing.

Reputational damage: Compromised accounts are used to launch further attacks on contacts. In a Facebook phishing campaign, stolen login credentials were checked fully automatically, and upon successful login, messages were immediately sent to the entire friends list—which made the campaign exceptionally successful.

System Compromise: A single attachment can cause malware to run in the background, waiting for the user to log in to relevant sites to steal credentials or redirect transactions.


6. 7 Tips for Phishing Defense in the Workplace

Tip 1: Enable two-factor authentication

Strong passwords are essential: long, with no personal references, and containing uppercase and lowercase letters, special characters, and numbers. When supplemented by a second factor—a smartphone or hardware key—login without this second factor is impossible. Even if a password is stolen through phishing, the account remains protected.

Tip 2: Keep email addresses private

Company email addresses should not appear on public websites or in social media profiles. Simple crawlers automatically scan websites for email addresses. Sharing email addresses only with those who need direct contact significantly reduces the risk of phishing.

Tip 3: Plain text instead of HTML emails

If security is a top priority, you should disable HTML emails. Plain text is usually perfectly sufficient. The advantage: No malicious code can hide in plain text. Plain text emails are more secure and ensure clearer communication.
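As an added example for the tracking-pixel point in Level 2 and for this tip (not AWARE7 code), the script below parses a constructed HTML email body and lists what an email client would contact the moment images are shown: every remote image host, the 1x1 tracking pixels among them, and the links in the message. It also renders the same message as plain text to show that nothing remote is fetched in that view. The hostnames in the sample are constructed placeholders under `.test` and `.example`.

```python
"""Show what an HTML email fetches on "Show images", versus plain text.

Added example for this guide (not AWARE7 code). SAMPLE_HTML is a
constructed message; all hosts in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body: a visible logo, an urgent request, a link whose
# real domain is evil.example, and a 1x1 tracking pixel carrying a
# per-recipient token that tells the sender the mailbox is active.
SAMPLE_HTML = """
<html><body>
<img src="https://cdn.example-bank.test/logo.png" width="200" height="60">
<p>Please confirm your account within 24 hours.</p>
<a href="https://www.example-bank.test.evil.example/login">Confirm now</a>
<img src="https://track.evil.example/open?u=4711" width="1" height="1">
</body></html>
"""


class RemoteContentFinder(HTMLParser):
    """Collect every img src (fetched on 'Show images') and every link."""

    def __init__(self):
        super().__init__()
        self.images = []  # dicts with url, width, height
        self.links = []   # href values

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append({
                "url": a["src"],
                "width": a.get("width", ""),
                "height": a.get("height", ""),
            })
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


class TextOnly(HTMLParser):
    """Keep only the visible text, as a plain-text client would show it."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        if data.strip():
            self.chunks.append(data.strip())


def analyse_email(html: str) -> dict:
    """Report contacted hosts, tracking pixels and links in an HTML mail."""
    finder = RemoteContentFinder()
    finder.feed(html)
    hosts = sorted({urlsplit(i["url"]).hostname for i in finder.images
                    if urlsplit(i["url"]).hostname})
    # A 1x1 image is invisible to the reader and exists only to be fetched.
    pixels = [i["url"] for i in finder.images
              if i["width"] == "1" and i["height"] == "1"]
    return {"contacted_hosts": hosts, "tracking_pixels": pixels, "links": finder.links}


def to_plain_text(html: str) -> str:
    """Render the message as plain text: no image loads, no hidden markup."""
    text = TextOnly()
    text.feed(html)
    return "\n".join(text.chunks)


if __name__ == "__main__":
    print(analyse_email(SAMPLE_HTML))
    print(to_plain_text(SAMPLE_HTML))
```

The plain-text rendering contains only the two sentences the reader is meant to see; the image hosts, the token in the pixel URL and the real link destination never reach the network, which is exactly why the tip recommends disabling HTML mail where security matters.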

Tip 4: Avoid public Wi-Fi

Anyone going online via public Wi-Fi should avoid accessing secure systems or business emails. Attackers use public Wi-Fi networks to gain access to connected devices. If unavoidable, use a VPN.

Tip 5: Do not click on links in emails

Employees should be made aware that they should not click on any links in emails, and that they should not insert links into emails themselves either. Any link in an email can be malicious: it can trigger malware downloads, redirect to a phishing website, or inject other harmful code. Links within emails should be strictly off-limits.

Tip 6: Do not use third-party email apps

Employees tend to check work emails using personal email programs. A strict policy prevents this. Third-party apps may have security vulnerabilities that make it easier for attackers to access emails.

Tip 7: Clear processes for financial transactions

Especially in SMEs: financial transactions are not approved via email alone. A quick call to the boss or the accounting department through a known channel—not the number provided in the email—can thwart an entire BEC attack. It’s better to double-check than to click too quickly.


7. Technical Protective Measures

Keep email filters up to date: Attackers come up with new methods every day to bypass email filters. IT teams should update filters regularly. No software can guarantee that no phishing emails will ever reach your inbox—but up-to-date filters block many of them.

Implement multi-factor authentication (MFA) company-wide: Technology does not replace vigilance, but it does reinforce it. Spam filters block many standard attacks; secure email gateways analyze suspicious content. MFA remains one of the most effective technical safeguards.

Use browser protection: Google Safe Browsing blocks known phishing websites in Chrome, Firefox, and Safari. Websites that repeatedly deliver malware are blocked for up to 30 days. Users should not ignore or bypass browser warnings.

Make URL analysis routine: The tool phishing-erkennen.de automatically breaks down URLs into their components—protocol, subdomain, domain, top-level domain, and path. This provides certainty before a link is clicked.

Antivirus Software and Endpoint Security: Antivirus programs can detect and block malicious code in attachments—but not always reliably. They are an important layer of defense, but they do not replace trained employees.


8. The Role of Security Awareness

People remain the most important line of defense—and at the same time the biggest vulnerability. In the daily work routine, there isn’t always time to scrutinize every email. A quick glance at the subject line, a scan of the formatting: You quickly form a rough impression—which professional phishing emails specifically exploit.

The Japanese safety method “Pointing and Calling” (Japanese: Shisa kanko) demonstrates how conscious action prevents errors: In Japanese rail transport, train drivers point to everything that is important for their work and speak aloud what they see. This reduced the error rate in Japanese rail transport by 85%. AWARE7 has conducted a study on how this method can be applied to the detection of phishing emails—actively and aloud identifying the sender’s address, links, and requests significantly sharpens conscious awareness.

What constitutes effective security awareness:

  • Training sessions and workshops not only impart knowledge but also train attention in real-life situations.
  • Phishing simulations are particularly effective: employees find fake emails in their inboxes and thus practice for a real emergency. Those repeatedly confronted with such tests develop a routine for handling suspicious messages.
  • Security awareness training sensitizes teams to the psychological tricks behind phishing—emotional manipulation through urgency or authority, fake identities, and technical deceptions.
  • Regular repetition is crucial. Security awareness does not develop on its own: It grows through practice, experience, and regularly refreshing knowledge. Phishing methods and deception strategies are constantly evolving.

When teams learn to interpret warning signs and actively report suspicious situations, information security becomes an integral part of the corporate culture. The awareness that it can happen to anyone makes it easier for employees to report immediately when in doubt—rather than hiding the mistake.


9. FAQ

Is it dangerous just to open a phishing email?

If you only open the email in your email program without loading images, clicking links, or opening attachments, the risk is low to nonexistent. Delete the email and notify your IT department.

What should I do if I clicked on a phishing link?

Close the webpage immediately. Check whether any files were downloaded unintentionally—if so, cancel and delete them. Notify the IT department and consider whether any sensitive information has already been entered.

I entered my password on a phishing website. What now?

Change your password immediately on a different device—choose a completely new password; don’t just add a character. Also change the password everywhere you’ve used a similar one. Then enable two-factor authentication.

How can I spot phishing links on my smartphone?

Press and hold the link (a long press instead of a quick tap). This shows where the link actually leads—without opening the page.

What is the difference between phishing, spear phishing, and BEC?

Mass phishing casts a wide net; all wording is kept general. Spear phishing targets specific individuals using personal details. Business Email Compromise (BEC) specifically manipulates business processes such as payment approvals by using information about internal procedures and contacts.

Does HTTPS protect against phishing?

No. HTTPS only means that the connection to the website is encrypted—not that the website itself is legitimate. Phishing sites can also use HTTPS. The domain remains the decisive verification criterion.

Why do even experienced employees fall for phishing?

In the day-to-day work routine, there isn’t always time to scrutinize every email. Professional phishing emails are linguistically flawless, personalized, and specifically target emotional triggers such as urgency and authority. It’s like April Fools’ jokes: You know they exist, and yet you sometimes fall for them anyway—you only have to believe it once to become a victim.

What specific steps can companies take to reduce the risk?

Seven measures are most effective when combined: implement two-factor authentication, keep email addresses private, disable HTML emails, avoid public Wi-Fi, never click on links in emails, do not use third-party email apps, and establish clear processes for financial transactions. Supplemented by regular phishing simulations and security awareness training, this creates a robust defense.


About the Author

Chris Wojzechowski

Managing Partner

Managing Partner of AWARE7 GmbH with many years of expertise in information security, penetration testing, and IT risk management. Graduate of the master’s program in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments on cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk, and Handelsblatt, among others.

10 Publications
  • Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
  • Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
  • IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
  • Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
  • Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
  • Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
  • Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
  • IT Security Zertifizierungen — CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
  • Sicherheitsforum Online-Banking — Live Hacking (2021)
  • Nipster im Netz und das Ende der Kreidezeit (2017)
Certified: ISO 27001, ISO 9001, AZAV, BSI
