- Phishing is not just the classic email with a fake link. Spear phishing, vishing (phone), smishing (SMS), and QR code phishing (quishing) use different channels with the same tactics.
- The five most reliable warning signs: urgency, unexpected sender, call to action, suspicious links, and unusual greeting or tone.
- Anyone who clicked on a phishing link must act immediately: change password, inform IT, do not try to cover up the mistake.
- The reporting process must be simple, low-barrier, and fear-free. A dedicated report button in the email client lowers the threshold and increases the reporting rate.
- SPF, DKIM, and DMARC are the technical foundation against email spoofing. Without these three protocols, email traffic is unprotected.
Why phishing still works
There is hardly an attack that receives as much coverage as phishing — and hardly one that still works so reliably despite it. The BSI has classified phishing as one of the greatest threats to organizations for years. Analyses from insurers show that over 80 percent of all successful cyberattacks begin with some form of social engineering, and phishing is the most common variant.
The reason is not that employees are careless or unintelligent. The reason is that phishing attacks evolve. The poorly written email from the Nigerian prince with obvious typos still exists, but it has become the exception. Modern phishing attacks are contextual, linguistically flawless, and often nearly indistinguishable from legitimate communication. They use real sender names, reference actual business transactions, and create exactly the time pressure that causes recipients to react before they think.
This article is a practical guide for two audiences simultaneously: for employees who want to recognize phishing and respond correctly, and for the IT department that must create the organizational and technical framework to minimize the damage phishing attacks cause.
The varieties of phishing
Phishing is no longer limited to emails. Attackers use every communication channel available to them. Anyone who only watches for suspicious emails overlooks half the attack surface.
Email phishing (the classic)
The most common variant. The attacker sends an email intended to make the recipient click a link, open an attachment, or disclose confidential information. The email can be sent in bulk to thousands of recipients (spray-and-pray) or targeted at a single person.
Typical pretexts:
- "Your account will be locked if you don't confirm your data within 24 hours."
- "Invoice No. 2026-4712 attached. Please review and approve."
- "Your package could not be delivered. Click here for tracking."
- "The IT team has reset your password. Please set a new password."
Spear phishing (the targeted variant)
Spear phishing targets specific individuals or departments and uses personal information to increase credibility. The attacker has researched in advance: LinkedIn profiles, company website, press releases, social media. They know who the CEO is, who works in accounting, and which suppliers the company uses.
An example: accounting receives an email that looks like it came from the CEO. The sender name and signature match, the tone fits, and the request sounds plausible: "Please transfer 38,000 euros to the following supplier today. It's urgent, I'm in a meeting and unreachable." This is CEO fraud, a special form of spear phishing that costs organizations millions every year.
Vishing (Voice Phishing)
Phishing by phone. The attacker calls and poses as IT support, a bank advisor, a Microsoft employee, or a colleague from another branch. The conversation is often professionally conducted; the caller sounds competent and friendly.
Typical scenarios:
- "This is IT. We've detected unusual activity on your account. I need your password briefly to check it."
- "Good day, this is [name] from your bank. We noticed a suspicious transaction. Can you give me your PIN for verification?"
- "This is the help desk. We're migrating your mailbox. Please give me your login credentials so I can perform the migration for you."
Vishing is particularly dangerous because personal interaction creates trust, and time pressure is perceived as greater in a phone call than in an email, where you can think in peace.
Smishing (SMS Phishing)
Phishing via SMS or messenger. Short messages with a link, often disguised as package notifications, bank messages, or appointment confirmations. Smishing exploits the fact that SMS is perceived as more trustworthy than email and that on smartphones, the URL is often not fully visible in the preview.
Examples:
- "DHL: Your package is being returned. New delivery at: [link]"
- "Sparkasse: Suspicious account activity. Check here: [link]"
- "Your appointment tomorrow at 2:00 PM has been rescheduled. Confirm new time: [link]"
QR code phishing (Quishing)
A newer variant that has been increasing sharply since 2023. The attacker replaces links with QR codes — in emails, on posters, in postal mail, or even on manipulated parking meters. The advantage for the attacker: QR codes bypass many email security solutions that only check links, and the target URL is not visible to the recipient before they scan the code.
A concrete example: a letter bearing the logo of the recipient's bank requests them to scan the enclosed QR code to activate the new security app. The QR code leads to a fake login page that captures credentials.
Identification characteristics: the five most important warning signs
Phishing attacks differ in channel and presentation, but they all follow the same psychological patterns. Anyone who knows these patterns can also recognize well-crafted attacks.
1. Urgency and time pressure
The most reliable warning sign. Phishing messages almost always create time pressure: "Within 24 hours," "immediately," "today," "your account will be locked." The time pressure is meant to prevent you from thinking, asking a colleague, or contacting IT. Every time you receive a message demanding immediate action, an internal alarm bell should ring.
This does not mean every urgent message is phishing. But genuine urgent requests can almost always be verified through a second channel: a quick call, a follow-up in Teams chat, a look at the ticket system.
2. Unexpected sender or unusual context
An email from a supplier you have not been in contact with for months. An SMS from a bank where you do not have an account. A call from IT support even though you did not open a ticket. Any communication you do not expect and that does not fit your usual work routine deserves additional scrutiny.
For emails: check the actual sender address, not just the displayed name. The display name can be set to anything (e.g., "Max Mustermann, CEO"), but the email address behind it often reveals the fraud (e.g., m.mustermann@company-support-de.com instead of m.mustermann@company.de).
3. Call to action
Phishing messages always demand a concrete action: click a link, open an attachment, enter a password, make a transfer, scan a QR code, install software. Legitimate communication rarely asks you to enter sensitive information through a link or open unsolicited attachments.
A sensible baseline rule: if an email asks you to enter your credentials somewhere, open the corresponding website manually through your browser instead of using the link in the email. If your bank actually needs to contact you, you can reach them through the known phone number on the back of your bank card.
4. Suspicious links and attachments
Before clicking: hover your mouse over the link (without clicking) and check the target URL in the status bar of your browser or email client. Watch for:
- Typos in the domain: microsfot.com instead of microsoft.com, arnazon.de instead of amazon.de
- Additional subdomains: login.sparkasse.de.attacker.com (the actual domain is attacker.com)
- Unusual top-level domains: company.de.tk, account-security.xyz
- URL shorteners: bit.ly, tinyurl.com, or similar services that obscure the actual target address
For attachments: be especially careful with file types like .exe, .bat, .cmd, .scr, .js, .vbs, but also with Office documents containing macros (.docm, .xlsm) and with password-protected ZIP archives (the password protection prevents the email security solution from scanning the content).
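The link and attachment warning signs above, turned into heuristics a help-desk triage script or mail gateway could run. This is an added example, not code from the original article; the brand list, TLD list, shortener list and the test URLs are constructed for the illustration.

```python
from __future__ import annotations
import os
from urllib.parse import urlparse

# Constructed sample lists for this illustration (a real deployment loads its own).
TRUSTED_BRANDS = {"microsoft.com", "amazon.de", "sparkasse.de", "company.de"}
SUSPICIOUS_TLDS = {"tk", "xyz"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
DANGEROUS_EXTENSIONS = {".exe", ".bat", ".cmd", ".scr", ".js", ".vbs", ".wsf",
                        ".docm", ".xlsm"}
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(host: str) -> str:
    """Last two labels (simplified; real code uses the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold look-alike letter pairs so arnazon.de compares as amazon.de."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats such as microsfot.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> list[str]:
    """Return the link warning signs found; an empty list means none fired."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    actual = registrable_domain(host)
    reasons = []
    if actual in URL_SHORTENERS:
        reasons.append(f"shortener:{actual}")
    if labels[-1] in SUSPICIOUS_TLDS:
        reasons.append(f"unusual-tld:.{labels[-1]}")
    for brand in sorted(TRUSTED_BRANDS):
        if host == brand or host.endswith("." + brand):
            continue  # the genuine domain or a real subdomain of it
        b = brand.split(".")
        # Brand name buried in a subdomain: login.sparkasse.de.attacker.com
        if any(labels[i:i + len(b)] == b for i in range(len(labels) - len(b) + 1)):
            reasons.append(f"brand-in-subdomain:{brand} (actual domain {actual})")
        elif levenshtein(normalize(actual), normalize(brand)) <= 2:
            reasons.append(f"lookalike:{brand}")
    return reasons


def check_attachment(filename: str) -> str | None:
    """Flag executables, scripts and macro-enabled Office documents by extension."""
    ext = os.path.splitext(filename)[1].lower()
    return f"dangerous-extension:{ext}" if ext in DANGEROUS_EXTENSIONS else None
```

The registrable-domain helper deliberately stops at two labels; for real traffic, swap in a Public Suffix List lookup so that country-code second-level domains are split correctly.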
5. Unusual greeting, tone, or language
Mass-sent phishing emails often use generic greetings like "Dear Customer" or "Dear User" instead of your name. In spear phishing, the greeting may be correct but the tone does not match: your CEO, who normally writes briefly and directly, suddenly sounds formal and long-winded. Or a colleague who always uses informal address suddenly uses formal language.
Linguistic anomalies such as unusual phrasing, missing special characters, strange punctuation, or a writing style that does not match the supposed sender can also be indicators. However: with AI-generated text, these linguistic markers are becoming increasingly unreliable. The content and contextual warning signs (urgency, unexpected sender, call to action) remain the more robust indicators.
What to do if you clicked
Despite all precautions, it can happen. You clicked the link, opened the attachment, or entered your credentials on a fake page. The most important thing now: do not panic and do not try to cover up the mistake. The speed of your response determines how great the damage will be.
Immediate measures for employees
1. Change your password immediately. If you entered credentials, change the password of the affected account right away. If you used the same password for other services (which you should not, but in case you did), change it there too. Use a strong, unique password and activate multi-factor authentication if not already enabled.
2. Inform the IT department. Report the incident immediately to the IT department or the information security officer. Describe what happened: which email was it? When did you click? What did you enter or download on the target site? The more information IT has, the faster they can respond.
3. Do not self-remediate. Do not try to fix the problem yourself by deleting files, uninstalling programs, or restarting the computer. This could destroy forensic evidence important for analyzing the attack.
4. Disconnect from the network if malware is suspected. If you opened a suspicious attachment and your computer is behaving unusually (becoming slower, unknown windows popping up, files changing), disconnect from the network: pull the network cable, disable WiFi. The same immediate measures as for a ransomware attack apply here. This prevents potential malware from spreading across the network.
What the IT department does after a report
When an employee reports a phishing incident, the IT department initiates a defined process:
Immediate analysis: Review the email, link, and attachment. Was malware downloaded? Were credentials captured? Is this a targeted attack or a mass campaign?
Check for broader impact: Did other employees receive the same email? Did additional people click? Email logs and the security gateway provide the answers.
Lock affected accounts and force password resets: If credentials were compromised, affected accounts are immediately locked and a password reset is enforced. Active sessions are terminated.
Check systems: The affected employee's computer is scanned for malware (EDR scan, forensic analysis). If compromise is suspected, the computer is isolated and, if in doubt, reimaged.
Notify all employees: If the email was sent to multiple recipients, IT sends a warning to all employees with a description of the phishing email and instructions not to open it and to delete it.
The reporting process in the organization
A functioning reporting process is the prerequisite for phishing attacks being detected and contained early. The best process is useless if employees do not know about it or are afraid to use it.
The basic principles
Simplicity: The reporting path must be as simple as possible. Ideally a single click: a report button in the email client that automatically forwards the suspicious email to a defined address. The more steps the reporting path has, the fewer employees will use it.
Low barrier: Better one harmless email reported too many than one phishing email too few. The IT department should positively acknowledge every report, even when the email turns out to be harmless. A brief "Thanks for the report, the email is non-critical" is enough.
No consequences for mistakes: Anyone who falls for a phishing email and reports it must not face negative consequences. Not in the form of warnings, not through public shaming, not even through an annoyed comment from an IT colleague. An employee who fears consequences will cover up the incident — and that is vastly more dangerous than the original click.
Quick feedback: Anyone who reports an email should receive initial feedback within 30 minutes. If the analysis takes longer, an interim response suffices: "We're looking into it, thanks for the report."
Reporting process in practice
A proven workflow:
Step 1: Employee clicks the report button in the email client or forwards the email to phishing@company.com.
Step 2: The IT department or SOC (Security Operations Center) receives the report and analyzes the email: check headers, test links in a sandbox, analyze attachments.
Step 3: Assessment: is it phishing? If yes: who else received the email? Were links clicked?
Step 4: Initiate measures: remove the email from all recipients' mailboxes (if the email system allows this), block the sender domain, check affected accounts.
Step 5: Feedback to the reporting employee. For confirmed phishing: warning to all employees.
Step 6: Document the incident in the incident management system.
Tracking reporting metrics
Track the number and quality of reports to evaluate the effectiveness of your awareness program. In ISMS Lite, phishing incidents, simulation results, and reporting rates can be centrally evaluated and incorporated into awareness reporting. The key metrics:
- Reporting rate: How many of the received phishing emails are reported?
- Reporting time: How quickly after receiving the email does the first report come in?
- False positive rate: How many of the reported emails were actually harmless?
- Click rate vs. reporting rate: How many employees click, how many report?
A rising reporting rate with a simultaneously declining click rate is the best sign that your awareness program is working.
Phishing simulation as a training tool
Phishing simulations are the most effective instrument for training phishing email detection. Controlled, harmless phishing emails are sent to employees to test their reaction and provide targeted feedback afterward.
Why simulations are more effective than classroom training
Knowledge and behavior are two different things. An employee can list all characteristics of phishing emails in a training session and still fall for a well-crafted phishing email in everyday work because they are distracted, under time pressure, or simply inattentive. Phishing simulations train behavior in the real situation: during normal daily work, in the familiar inbox, under the usual conditions.
What a good simulation looks like
Realistic scenarios: The simulated emails should mirror current phishing campaigns and fit the company context. A phishing email pretending to be from the company's actual parcel service is more effective than a generic "your account has been locked" email.
Graduated difficulty: Start with easily recognizable phishing emails and increase the difficulty level over the quarters. This builds competence step by step and avoids frustrating employees in the first simulation.
Immediate feedback: Anyone who clicks the link in the simulated phishing email is immediately redirected to a learning page. This page explains how the email could have been identified as phishing and provides tips for the future. The feedback must be factual and helpful — not shaming.
Regularity: Individual simulations have a short-term effect. Effectiveness only develops through regularity. One simulation per quarter is a good rhythm.
No punishment: Phishing simulations are learning measures, not performance tests. Employees who clicked receive training, not punishment. If you use simulations as a control instrument and publicly shame clickers, you destroy the reporting culture you are trying to build.
Interpreting results correctly
The click rate of the first simulation in many organizations falls between 15 and 30 percent. This is not cause for panic — it is a baseline measurement. What matters is the trend over time: is the click rate declining? Is the reporting rate increasing? Is the time to first report decreasing?
Results should be evaluated at the department level, not the individual level. Record the results as training evidence so you can present them in an audit. Which departments have an above-average click rate? They may need additional training or adjusted simulation scenarios. Individual results remain between the employee and the IT department.
Technical safeguards: the foundation
Awareness training and reporting processes are one side of the coin. The other is the technical protection that ensures as many phishing emails as possible never reach employees in the first place.
SPF, DKIM, and DMARC: email authentication
These three protocols together form the foundation of email security. They prevent attackers from sending emails that appear to come from your domain.
SPF (Sender Policy Framework): Defines which mail servers are authorized to send emails on behalf of your domain. When an email server receives an email from your domain, it can check the SPF record to verify whether the sending server is authorized.
DKIM (DomainKeys Identified Mail): Adds a digital signature to every outgoing email. The receiving server can use the signature to verify that the email actually originated from the specified sender and was not altered in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance): Builds on SPF and DKIM and defines what should happen with emails that fail verification (e.g., reject or quarantine). Additionally, DMARC delivers reports showing who sends emails on behalf of your domain — whether authorized or not.
Implementing SPF, DKIM, and DMARC requires technical expertise but is not rocket science. Start with a DMARC record in monitoring mode (p=none), analyze the reports, and gradually tighten the policy to p=reject. This ensures no legitimate emails are blocked before you activate the rejection policy.
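How DMARC builds on SPF and DKIM, as an added example that is not part of the original article: the receiving server parses the published record, checks whether a passing SPF or DKIM identifier aligns with the visible From domain, and otherwise applies the p= policy. The two company.de records, the report address and the attacker-mail.example envelope domain are constructed for this illustration.

```python
from __future__ import annotations

# Constructed records for the example domain company.de (not real DNS data):
# the monitoring record you start with and the enforcing record you end with.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@company.de"
DMARC_ENFORCE = ("v=DMARC1; p=reject; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@company.de")


def parse_dmarc(record: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment unless stated
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Last two labels (simplified; real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain (bounces.company.de ~ company.de)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record: str, from_domain: str,
                   spf: tuple[str, str] | None,
                   dkim: tuple[str, str] | None) -> tuple[bool, str]:
    """Decide DMARC pass/fail and the disposition for one message.

    spf  = (result, MAIL FROM domain), dkim = (result, d= domain of the
    signature); None means that check yielded nothing. DMARC passes when at
    least one of them passed AND its domain aligns with the visible From
    domain; a plain SPF pass for the attacker's own envelope domain does not.
    Returns (passed, disposition): 'deliver' on pass, otherwise the record's
    p= value (none / quarantine / reject).
    """
    tags = parse_dmarc(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(spf[1], from_domain, tags["aspf"]))
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and aligned(dkim[1], from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, tags["p"]  # p=none still delivers, but the failure is reported


if __name__ == "__main__":
    # Spoofed mail: SPF passes for the attacker's envelope domain, no DKIM.
    spoof = ("pass", "attacker-mail.example")
    for name, rec in (("monitor", DMARC_MONITOR), ("enforce", DMARC_ENFORCE)):
        print(name, evaluate_dmarc(rec, "company.de", spoof, None))
```

Running the spoofed case against both records shows why the page recommends starting with p=none: the monitoring record lets the message through while the failure appears in your reports, and only the reject record stops it.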
Email gateway with sandbox analysis
An email security gateway filters incoming emails for known threats: spam, malware, known phishing URLs. Modern gateways supplement this with sandbox analysis: suspicious attachments are executed in an isolated environment to observe their behavior before they reach the recipient.
Configure the gateway to generally block certain file types (.exe, .bat, .cmd, .scr, .js, .vbs, .wsf) and quarantine Office documents with macros unless they come from trusted senders.
Link rewriting and URL scanning
Many email security solutions offer link rewriting: every link in incoming emails is replaced with a link to the security platform, which re-checks the target link at the time of click. This protects against time-delayed attacks where the link is harmless at the time of delivery but is redirected to a phishing page hours later.
Browser isolation
For particularly at-risk user groups (executive management, finance department, IT administrators), browser isolation can be a sensible addition. Links from emails are opened in an isolated browser environment so that any malware present cannot access the local computer.
Conditional access and MFA
Multi-factor authentication is the most important protection against compromised credentials. Even if an employee enters their credentials on a phishing page, the attacker lacks the second factor. Implement MFA for all cloud services, VPN access, and admin accounts. Supplement this with conditional access policies that additionally secure logins from unusual locations, unknown devices, or unusual times.
Building phishing resilience: the holistic approach
Technical measures, awareness training, and reporting processes do not work in isolation but as a system. Technology reduces the number of phishing emails that arrive. Training enables employees to recognize those that remain. The reporting process ensures that detected attacks are quickly escalated. And phishing simulations measure whether the overall system is working.
Building this system is not a one-time project but a continuous process. Phishing techniques evolve, new attack vectors like QR code phishing emerge, and employee awareness must be regularly refreshed. Plan fixed cycles: quarterly simulations, semi-annual training sessions, annual review of technical safeguards.
Ultimately, it is about creating a culture where security is not an obstacle but a shared concern. Where employees report suspicious emails because they know it is the right thing to do and no one will blame them. Where the IT department treats reports as valuable information, not as a disturbance. Where phishing simulations are understood as learning opportunities, not as traps.
This culture does not emerge from a single measure. It emerges from constant, consistent action over months and years. But every organization that takes this path will see the results: fewer successful phishing attacks, faster detection, and less damage.
Further reading
- Building a Security Awareness Program: What Employees Really Need to Know
- Detecting and Reporting Security Incidents: The Right Process
- The 10 Biggest Security Risks for Small and Medium-Sized Enterprises
- Ransomware Attack: Immediate Response, Communication, and Recovery
- Introducing Multi-Factor Authentication (MFA): Strategy, Rollout, and Acceptance
