How to Recognize a Phishing Attack — 7 Checkpoints
Email, SMS, and voice phishing types, URL analysis, email header inspection, and what to do after clicking. SPF/DKIM/DMARC enterprise protection explained.
Table of Contents
- Checkpoint 1: Sender Address
- Checkpoint 2: Urgency and Threats
- Checkpoint 3: URL Inspection
- Checkpoint 4: Attachments
- Checkpoint 5: Grammar and Formatting
- Checkpoint 6: Request for Sensitive Information
- Checkpoint 7: Email Headers
- Types of Phishing
- Email Phishing
- Spear Phishing
- Smishing (SMS Phishing)
- Vishing (Voice Phishing)
- What to Do After Clicking
- Enterprise Protection: SPF, DKIM, DMARC
- SPF (Sender Policy Framework)
- DKIM (DomainKeys Identified Mail)
- DMARC (Domain-based Message Authentication)
- Phishing Simulation for Training
Phishing is the #1 method attackers use to breach organizations. Not because it’s technically sophisticated — but because it exploits the one thing you can’t patch: human behavior. According to the Verizon 2024 DBIR, 74% of breaches involved a human element, and phishing was the initial attack vector in 36% of all breaches (IBM X-Force 2024).
Here are 7 checkpoints to recognize phishing before it’s too late.
Checkpoint 1: Sender Address
The display name says “Microsoft Support” — but the actual email address is [email protected]. Always check the full sender address, not just the display name.
Red flags:
- Domain doesn’t match the company (microsoft.com vs micr0soft-security.com)
- Free email providers for “official” communications (gmail.com, yahoo.com)
- Extra characters, numbers replacing letters (0 instead of o, 1 instead of l)
✅ [email protected]
❌ [email protected]
❌ [email protected]
Checkpoint 2: Urgency and Threats
“Your account will be suspended in 24 hours.” “Unauthorized login detected — verify immediately.” Phishing emails create artificial urgency to bypass rational thinking.
Legitimate companies:
- Don’t threaten immediate account suspension via email
- Don’t ask you to “verify” by clicking a link
- Provide multiple contact channels for verification
Checkpoint 3: URL Inspection
Hover over links without clicking. The URL shown in the tooltip reveals the actual destination.
How to analyze:
https://login.microsoft.com/oauth ← ✅ Legitimate
https://login.microsoft.com.evil.site/ ← ❌ Subdomain trick
https://microsoft-login.phishsite.com/ ← ❌ Different domain entirely
https://bit.ly/3xK9Yz ← ⚠️ Shortened URL, verify first
The domain is what matters: everything between :// and the first / that follows it. Read the host from right to left: .site → evil → evil.site is the registered domain, so login.microsoft.com is just a subdomain of evil.site, controlled by whoever owns evil.site.
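The right-to-left reading in Checkpoints 1 and 3 can be turned into a repeatable check. The script below is an added example, not code from the original article: it extracts the registrable domain of a URL or sender address and classifies it as legitimate, subdomain trick, lookalike (brand name or digit-for-letter swap in a domain the brand does not own), link shortener, or unknown. `TRUSTED_DOMAINS`, `SHORTENERS` and `FREE_PROVIDERS` are constructed lists, and the registrable domain is assumed to be the last two labels of the host, which holds for .com and .site but not for ccTLD suffixes such as .co.uk (a real implementation would consult the public-suffix list).

```python
"""Read a URL or sender address right to left and compare the registrable
domain with the domains you trust (added example, not from the article)."""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"microsoft.com"}                     # constructed
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}          # constructed
FREE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com"}  # constructed
# Digit-for-letter substitutions from Checkpoint 1 (0 for o, 1 for l), plus 3/e and 5/s.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host):
    """Last two labels of the host: the part somebody actually registered.
    Assumption: two-label suffixes only (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Verdict for a bare host name, shared by URL and sender checks."""
    host = host.lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "legitimate"
    if domain in SHORTENERS:
        return "shortener"
    # A trusted domain appearing as labels LEFT of the real domain is the
    # subdomain trick: login.microsoft.com.evil.site is owned by evil.site.
    dotted = f".{host}."
    if any(f".{trusted}." in dotted for trusted in TRUSTED_DOMAINS):
        return "subdomain-trick"
    # Brand name inside a domain the brand does not own, after undoing
    # digit swaps: micr0soft-security.com, microsoft-login.phishsite.com.
    normalized = host.translate(HOMOGLYPHS)
    if any(trusted.split(".")[0] in normalized for trusted in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown-domain"


def classify_url(url):
    """Checkpoint 3: classify the destination a link really points at."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "invalid"
    if parts.username is not None:
        # https://login.microsoft.com@evil.site/ : the text before '@' is
        # userinfo, not the host; the browser connects to evil.site.
        return "userinfo-trick"
    return classify_host(parts.hostname)


def classify_sender(address):
    """Checkpoint 1: the domain after '@' gets the same treatment, plus the
    free-provider check for 'official' mail sent from gmail.com and friends."""
    _, at, host = address.rpartition("@")
    if not at or not host:
        return "invalid"
    if host.lower() in FREE_PROVIDERS:
        return "free-provider"
    return classify_host(host)


if __name__ == "__main__":
    for url in ("https://login.microsoft.com/oauth",
                "https://login.microsoft.com.evil.site/",
                "https://microsoft-login.phishsite.com/",
                "https://bit.ly/3xK9Yz"):
        print(f"{classify_url(url):16} {url}")
```

The lookalike rule is only as good as the trusted list: a brand's real secondary domains must be listed, or they will be flagged too. The `userinfo-trick` case is included because the `@` form defeats a casual "find the domain after ://" reading while the hover tooltip still shows it verbatim.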
Checkpoint 4: Attachments
Unexpected attachments are dangerous. Especially:
| Extension | Risk Level | Why |
|---|---|---|
| .exe, .scr, .bat | 🔴 Critical | Direct executable |
| .docm, .xlsm | 🔴 High | Macro-enabled Office files |
| .zip, .rar | 🟡 Medium | Can contain anything |
| | 🟡 Medium | Can contain exploit code |
| .html | 🟡 Medium | Local phishing page |
Rule: If you didn’t request it, don’t open it. If it’s from a known contact but unexpected, verify via a different channel (phone call, separate message).
Checkpoint 5: Grammar and Formatting
While AI has made phishing emails more polished, many still contain:
- Generic greetings (“Dear Customer” instead of your name)
- Inconsistent formatting (different fonts, sizes, colors)
- Unusual phrasing or translations
- Low-resolution logos
However, don’t rely on this alone — AI-generated phishing is increasingly indistinguishable from legitimate communication.
Checkpoint 6: Request for Sensitive Information
No legitimate service will ask you to:
- Send your password via email
- Provide credit card details through an email link
- Share MFA codes or recovery keys
- Download and run “security verification” software
If an email asks for any of these: it’s phishing. Full stop.
Checkpoint 7: Email Headers
For advanced verification, inspect email headers:
```text
Received-SPF: pass (domain matches sender IP)
DKIM-Signature: v=1; d=microsoft.com (valid signature)
Authentication-Results: dmarc=pass
```
If SPF fails, DKIM signature is invalid, or DMARC reports failure — the email is likely forged.
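Checking the three results by hand works for one message; for a mailbox export it is easier to script. The code below is an added example, not from the article: it reads the `Authentication-Results` header the receiving server added, collects the spf/dkim/dmarc results, and also checks that the DKIM signing domain (`d=`) lines up with the visible From: domain, since a valid signature from an unrelated domain proves nothing about the sender shown to the user. Both raw messages are constructed for the example; every host, address and signature field in them is made up.

```python
"""Flag forgery signs in a message's authentication headers
(added example, not code from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: all three checks pass and the DKIM domain matches From:.
AUTHENTIC_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=microsoft.com;
 dkim=pass header.d=microsoft.com;
 dmarc=pass header.from=microsoft.com
Received-SPF: pass (mx.example.net: 192.0.2.10 is a permitted sender for microsoft.com)
DKIM-Signature: v=1; a=rsa-sha256; d=microsoft.com; s=selector1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Microsoft Support <alerts@microsoft.com>
To: you@example.net
Subject: Constructed test message

body
"""

# Constructed message: From: claims microsoft.com, but the envelope sender is a
# lookalike domain, so SPF and DMARC fail and there is no DKIM signature at all.
FORGED_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=micr0soft-security.com;
 dkim=none;
 dmarc=fail header.from=microsoft.com
From: Microsoft Support <alerts@microsoft.com>
To: you@example.net
Subject: Constructed test message

body
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
SIGNING_DOMAIN_RE = re.compile(r"(?:^|[;\s])d=([\w.-]+)", re.IGNORECASE)


def auth_results(msg):
    """Collect spf/dkim/dmarc results from every Authentication-Results header.
    The topmost header was added by the last hop (normally your own server);
    headers below it may have been injected by the sender, so keep the first."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mechanism, result in RESULT_RE.findall(value):
            results.setdefault(mechanism.lower(), result.lower())
    return results


def assess(raw):
    """Return a list of problems; empty means the headers are consistent with From:."""
    msg = message_from_string(raw)
    results = auth_results(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    problems = []
    for mechanism in ("spf", "dkim", "dmarc"):
        if results.get(mechanism) != "pass":
            problems.append(f"{mechanism}={results.get(mechanism, 'missing')}")
    # dkim=pass only helps when the signing domain is the From: domain or its parent.
    match = SIGNING_DOMAIN_RE.search(msg.get("DKIM-Signature", ""))
    if match:
        signing_domain = match.group(1).lower()
        if signing_domain != from_domain and not from_domain.endswith("." + signing_domain):
            problems.append(f"dkim d={signing_domain} does not align with From: {from_domain}")
    return problems


if __name__ == "__main__":
    for name, raw in (("authentic", AUTHENTIC_MESSAGE), ("forged", FORGED_MESSAGE)):
        print(name, assess(raw) or "no problems found")
```

One caveat the code encodes in `auth_results`: `Authentication-Results` is written by the receiving server, not the sender, so only the header your own mail system added is trustworthy; a well-configured gateway strips or renames any such header that arrives from outside.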
Types of Phishing
Email Phishing
Classic mass-targeting. Sent to thousands, hoping some will click.
Spear Phishing
Targeted attack using personal information (name, company, role). Much harder to detect.
Smishing (SMS Phishing)
“Your package is waiting for delivery. Track here: bit.ly/xxx” — clicking downloads malware or leads to a credential harvesting page.
Vishing (Voice Phishing)
Phone calls claiming to be from your bank, tax authority, or IT department.
What to Do After Clicking
If you already clicked a phishing link:
- Change your password immediately — on that site and anywhere you used the same password
- Enable MFA if not already active
- Scan your device with updated antivirus/EDR
- Notify your IT team — they need to check if credentials were compromised
- Monitor your accounts for unusual activity for the next 30 days
- If banking info was entered — call your bank immediately and block the card
Enterprise Protection: SPF, DKIM, DMARC
For businesses, configuring these three protocols is essential:
SPF (Sender Policy Framework)
Specifies which servers are authorized to send email for your domain.
```text
v=spf1 include:_spf.google.com include:mail.yourdomain.com -all
```
DKIM (DomainKeys Identified Mail)
Adds a cryptographic signature to outgoing emails, proving they haven’t been tampered with.
DMARC (Domain-based Message Authentication)
Tells receiving servers what to do when SPF or DKIM checks fail.
```text
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
```
Impact: With all three configured, spoofing your domain becomes nearly impossible. Your emails land in the inbox instead of spam, and you receive reports on who’s trying to impersonate your domain.
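The protection described above depends on the details of the two records, and weak settings (`~all`, `p=none`, a low `pct`, no `rua`) are common. The linter below is an added example, not from the article: it takes the published SPF and DMARC TXT record strings and reports the configuration weaknesses a receiving server would act on, including the SPF rule that anything after `all` is ignored and the RFC 7208 limit of ten DNS-querying terms. The `dmarc-reports@yourdomain.example` address in the test record is a constructed placeholder.

```python
"""Lint SPF and DMARC TXT records for weak settings
(added example, not code from the article)."""
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than ten DNS-querying terms is a permerror


def _term_name(term):
    """'include:_spf.google.com' -> 'include', '-all' -> 'all', 'mx/24' -> 'mx'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def lint_spf(record):
    """Return findings for an SPF record; an empty list means no weakness found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    mechanisms = terms[1:]
    findings = []
    all_positions = [i for i, t in enumerate(mechanisms) if _term_name(t) == "all"]
    if not all_positions:
        findings.append("no 'all' mechanism: mail from unlisted servers gets a neutral result")
    else:
        last = all_positions[-1]
        qualifier = mechanisms[last][0] if mechanisms[last][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every server on the internet to send as your domain")
        elif qualifier == "~":
            findings.append("'~all' only soft-fails spoofed mail; move to -all once DMARC reports "
                            "show every legitimate sender is listed")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail is not penalized")
        if last != len(mechanisms) - 1:
            findings.append("terms after 'all' are never evaluated")
    lookups = sum(1 for t in mechanisms if _term_name(t) in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of {MAX_LOOKUPS}; "
                        "receivers return permerror")
    if any(_term_name(t) == "ptr" for t in mechanisms):
        findings.append("'ptr' is deprecated and slow; replace it with ip4/ip6 or include")
    return findings


def lint_dmarc(record):
    """Return findings for a DMARC record; an empty list means no weakness found."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit():
        findings.append(f"pct={pct_raw} is not a number")
    elif int(pct_raw) < 100:
        findings.append(f"pct={pct_raw}: policy is applied to only {pct_raw}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' tag: you receive no aggregate reports on who spoofs your domain")
    return findings


if __name__ == "__main__":
    print(lint_spf("v=spf1 include:_spf.google.com include:mail.yourdomain.com -all"))
    print(lint_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.example; pct=100"))
    print(lint_spf("v=spf1 mx ~all"))
    print(lint_dmarc("v=DMARC1; p=none"))
```

Run it against your own records (`dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`) after each change; the usual rollout is `p=none` with `rua` set to collect reports, then `quarantine`, then `reject` once the reports show no legitimate mail failing.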
Phishing Simulation for Training
Technical controls alone aren’t enough. Regular phishing simulations train employees to recognize attacks:
- GoPhish — open source, self-hosted
- KnowBe4 — enterprise platform with training modules
- Microsoft Attack Simulator — built into Microsoft 365 E5
Run simulations quarterly. Measure click rates. Provide immediate training for those who click. The goal isn’t punishment — it’s awareness.
Sources
- 74% of breaches involved a human element — Verizon DBIR (2024)
- Phishing is the initial attack vector in 36% of breaches — IBM X-Force Threat Intelligence (2024)
Frequently Asked Questions
I clicked a phishing email, what should I do?
Change your password immediately (on that site and any others where you used the same password). If MFA is active, you're already protected. Notify IT or your security team. If you entered banking info, call your bank.
What are SPF, DKIM, and DMARC?
SPF verifies which servers can send email on your domain's behalf. DKIM adds a digital signature to prove the email wasn't altered. DMARC combines both and tells receiving servers what to do with failures — reject or quarantine.
Can phishing emails bypass spam filters?
Yes. Sophisticated phishing uses legitimate-looking domains, clean HTML, and social engineering that bypasses technical filters. That's why human awareness training is equally important.
How do I protect my company from phishing?
Configure SPF, DKIM, and DMARC on your email domain. Train employees with regular phishing simulations. Enable MFA on all accounts. Use email security gateways for advanced filtering.