TL;DR
Phishing remains the most common initial attack vector, responsible for over 80% of reported
security incidents. This guide covers every major phishing variant, teaches you to identify
red flags in URLs and email headers, explains technical prevention with DMARC/DKIM/SPF, and
provides a structured incident response procedure. Whether you're a security professional or
training employees, this is your comprehensive 2026 reference.
📑 Table of Contents
- Phishing Attack Types
- Red Flags Checklist
- URL Analysis Techniques
- Email Header Analysis
- Technical Prevention (DMARC/DKIM/SPF)
- Incident Response Procedure
- Employee Training Program
- Reporting Phishing
- Best Practices
- Common Mistakes
- Tools
- References
Phishing Attack Types
| Type | Vector | Target | Sophistication | Example |
|---|---|---|---|---|
| Email phishing | Email | Mass / random | Low | Fake shipping notification from "FedEx" |
| Spear phishing | Email | Specific individual | Medium | Personalized email referencing a real project |
| Whaling | Email | C-suite executives | High | Fake board meeting invite with credential harvester |
| BEC (Business Email Compromise) | Email | Finance / HR teams | High | CEO impersonation requesting wire transfer |
| Smishing | SMS | Mobile users | Medium | "Your bank account is locked" with a short URL |
| Vishing | Voice call | Individuals | Medium | Fake tech support requesting remote access |
| Pharming | DNS poisoning | Website visitors | High | Corrupted DNS redirects bank.com to fake site |
| Clone phishing | Email | Previous recipients | Medium | Resent legitimate email with swapped attachment |
Red Flags Checklist
⚠️ Train yourself and your team to check for these signals before clicking any link or
opening any attachment.
☐ Sender mismatch: Display name says "PayPal" but email is paypal-security@random-domain.com
☐ Urgency or threat: "Your account will be suspended in 24 hours"
☐ Generic greeting: "Dear Customer" instead of your actual name
☐ Suspicious links: Hover reveals a different domain than displayed text
☐ Unexpected attachments: .zip, .exe, .docm, or password-protected files
☐ Grammar and spelling: Unusual errors, especially in "official" communications
☐ Request for credentials: Legitimate services never ask for passwords via email
☐ Mismatched Reply-To: Different from the visible From address
☐ Too good to be true: Prize winnings, unexpected refunds, lottery notifications
☐ Pressure to bypass process: "Don't tell anyone" or "Skip the usual approval"
URL Analysis Techniques
What to Check in a Suspicious URL
1. Domain Inspection
Identify the actual domain: in login.microsoft.com.evil.com the real domain is evil.com, not microsoft.com. Read the hostname (the part before the first /) from the right: the rightmost labels identify the owner, and everything to their left is a subdomain the owner of that domain controls.
2. Homograph Attacks
Attackers use lookalike characters (Cyrillic "а" vs
Latin "a"). Copy the URL and check for Punycode (e.g., xn-- prefix).
3. URL Shorteners
Services like bit.ly hide the actual destination. Expand
shortened URLs before clicking using preview features or expansion tools.
4. HTTPS Alone Is Not Enough
Free TLS certificates mean phishing sites
also show the padlock. HTTPS verifies encryption, not legitimacy.
💡 Use the Phishing Link Checker to scan suspicious
URLs against multiple threat intelligence databases before visiting them.
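The four checks above, applied by a small Python triage function. This is an added example, not code from the original page or from the Phishing Link Checker tool; the shortener host list and the sample URLs are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Hosts treated as URL shorteners: an assumption, extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Rightmost two labels of the host, the part that identifies the owner.
    (A public-suffix list is needed for co.uk-style suffixes; two labels suffice here.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str, expected_domain: str) -> list[str]:
    """Red flags found in `url` when the reader believes it leads to `expected_domain`.
    HTTPS is deliberately not a factor: the padlock proves encryption, not legitimacy."""
    flags = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    # 1. Domain inspection: a brand name buried in the subdomains does not change the
    #    real domain, which is the rightmost part of the hostname.
    actual = registrable_domain(host)
    if actual != registrable_domain(expected_domain):
        flags.append(f"real domain is {actual}, not {expected_domain}")
    # 2. Homograph attacks: Punycode labels (xn--) or non-ASCII characters in the host.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            decoded = host.encode("ascii").decode("idna")
        except UnicodeError:
            decoded = "<undecodable>"
        flags.append(f"punycode label (xn--) in host; decodes to {decoded}")
    if any(ord(ch) > 127 for ch in host):
        scripts = {unicodedata.name(ch, "?").split()[0] for ch in host if ch.isalpha()}
        flags.append(f"non-ASCII characters in host (scripts: {', '.join(sorted(scripts))})")
    # 3. URL shorteners: the destination cannot be judged until the link is expanded.
    if host in SHORTENER_HOSTS:
        flags.append("shortened URL; expand it before visiting")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs paired with the domain the recipient expects.
    for url, expected in (("https://login.microsoft.com.evil.com/auth", "microsoft.com"),
                          ("https://p\u0430ypal.com/login", "paypal.com"),  # Cyrillic a
                          ("https://bit.ly/3xyz", "mybank.com"),
                          ("https://www.microsoft.com/", "microsoft.com")):
        print(url, "->", analyze_url(url, expected) or ["no flags"])
```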
Email Header Analysis
Email headers reveal the true origin of a message. Key headers to inspect:
| Header | What to Check | Red Flag |
|---|---|---|
| From: | Display name vs. actual email address | Name says "Microsoft" but address is @outlook-verify.xyz |
| Return-Path: | Bounce address | Different domain than From header |
| Received: | Server hops (read bottom to top) | Originates from unexpected country or datacenter IP |
| Authentication-Results: | SPF, DKIM, DMARC pass/fail | spf=fail, dkim=fail, or dmarc=fail |
| Reply-To: | Where replies are directed | Points to a different domain than From |
| X-Mailer: | Sending software | Outdated or unusual mail client |
```
# Example: Checking Authentication-Results header
Authentication-Results: mx.google.com;
    dkim=pass header.d=example.com header.s=selector1;
    spf=pass (google.com: domain of bounce@example.com designates 203.0.113.1 as permitted sender)
    smtp.mailfrom=bounce@example.com;
    dmarc=pass (p=REJECT) header.from=example.com
```
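The header checks in the table, automated with Python's standard email parser. This is an added example, not code from the original page; the sample message is constructed and uses reserved example domains and a documentation IP address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original page): the visible From: claims
# example.com, but Reply-To, Return-Path and the authentication results disagree.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer-random.net>
Received: from mail.mailer-random.net (mail.mailer-random.net [198.51.100.7])
        by mx.example.org with ESMTP id abc123
Authentication-Results: mx.example.org;
        spf=fail smtp.mailfrom=bounce@mailer-random.net;
        dkim=none;
        dmarc=fail (p=REJECT) header.from=example.com
From: "Example Support" <support@example.com>
Reply-To: support-desk@outlook-verify.xyz
To: victim@example.org
Subject: Your account will be suspended in 24 hours

Please confirm your password at the link below.
"""


def domain_of(addr_header: str) -> str:
    """Lowercased domain of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(header: str) -> dict:
    """spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "")}


def header_red_flags(raw_message: str) -> list[str]:
    """Red flags from the headers alone: domain mismatches and failed authentication."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom = domain_of(msg["From"])
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            flags.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # A message may carry one Authentication-Results header per verifying hop; check each.
    for hdr in msg.get_all("Authentication-Results", []):
        for proto, verdict in auth_results(hdr).items():
            if verdict != "pass":
                flags.append(f"{proto}={verdict}")
    return flags
```

Only the Authentication-Results header added by your own receiving server is trustworthy; a sender can forge one, so gateways should strip such headers arriving from outside.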
Technical Prevention (DMARC/DKIM/SPF)
Email authentication protocols prevent attackers from spoofing your domain to send phishing
emails to your customers, partners, and employees.
📖 Definition — Domain spoofing is the forging of the From: header in an
email to make it appear as if it was sent from a trusted domain. DMARC with p=reject
instructs receivers to block these fraudulent messages.
| Protocol | Prevents | Limitation |
|---|---|---|
| SPF | Unauthorized IPs sending as your domain | Breaks on forwarding; only checks envelope-from |
| DKIM | Message tampering after sending | Does not prevent spoofing alone; requires DMARC alignment |
| DMARC | Domain spoofing in the visible From header | Lookalike domains (typosquatting) are not covered |
💡 DMARC protects your exact domain, but not lookalikes like micros0ft.com. Monitor
for typosquatting with domain scanning tools.
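A weak SPF/DMARC setup beside a hardened one, with a small auditor that reports what each leaves open. This is an added example, not code from the original page; the DNS TXT records are constructed for a hypothetical example.com and would normally be fetched from DNS rather than embedded.

```python
# Constructed DNS TXT records for a hypothetical example.com (not from the original
# page): a weak setup beside a hardened one. Real records would be fetched via DNS.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.example-mailer.net ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mailer.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
}


def parse_dmarc_tags(record: str) -> dict:
    """Parse DMARC 'tag=value; tag=value' syntax (RFC 7489, section 6.3) into a dict."""
    return dict(item.strip().split("=", 1) for item in record.split(";") if "=" in item)


def audit_records(records: dict, domain: str) -> list[str]:
    """Weaknesses in a domain's SPF and DMARC records that leave it spoofable."""
    findings = []
    spf = records.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("no SPF record")
    elif spf.split()[-1] != "-all":
        # ~all (softfail) and ?all (neutral) only advise receivers; -all is an explicit fail.
        findings.append(f"SPF ends with '{spf.split()[-1]}' instead of '-all'")
    tags = parse_dmarc_tags(records.get(f"_dmarc.{domain}", ""))
    if tags.get("v") != "DMARC1":
        findings.append("no DMARC record")
        return findings
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"DMARC p={policy} monitors but does not block spoofed mail")
    if tags.get("sp", policy) != "reject":  # sp defaults to p when absent
        findings.append("subdomains are not covered by p=reject (sp tag)")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    return findings


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, "->", audit_records(recs, "example.com") or ["no findings"])
```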
Incident Response Procedure
When a phishing email is reported or a user clicks a malicious link, follow this procedure:
1. Contain
Isolate the affected device from the network. Disable
compromised credentials immediately. Block the sender/domain at the mail gateway.
2. Assess
Determine what was compromised: credentials, data, or
malware installation. Check if the user entered credentials or downloaded files.
3. Remediate
Force password resets for affected accounts. Revoke
active sessions and OAuth tokens. Scan the device for malware. Purge the phishing email
from all inboxes (admin search & destroy).
4. Notify
Inform the security team, affected users, and management.
If personal data was exposed, assess regulatory notification requirements (GDPR 72h).
5. Investigate
Analyze the phishing email headers and payload.
Check for lateral movement. Review login logs for suspicious access from new IPs or locations.
6. Report & Learn
File reports with IC3, CISA, and your sector
ISAC. Document the incident for future training. Update detection rules.
Employee Training Program
Technical controls catch most phishing, but humans are the last line of defense — and the most targeted.
| Component | Frequency | Method |
|---|---|---|
| Security awareness training | Quarterly | Interactive modules with real examples |
| Simulated phishing tests | Monthly | Realistic emails tracked for click rates |
| Reporting drills | Quarterly | Practice using the "Report Phishing" button |
| New hire onboarding | Day 1 | Phishing identification basics + reporting process |
| Executive briefings | Biannually | BEC/whaling scenarios specific to leadership |
⚡ Pro Tip: Reward employees who report phishing attempts rather than punishing those who fail simulations.
Positive reinforcement builds a security-first culture faster than fear.
Reporting Phishing
- Internal: Use your organization's "Report Phishing" button or forward to your security team (e.g., phishing@yourcompany.com).
- FBI IC3: ic3.gov — Report internet crime including phishing and BEC.
- CISA: Forward phishing emails to phishing-report@us-cert.gov.
- APWG: Forward phishing emails to reportphishing@apwg.org.
- Google: Use the "Report phishing" option in Gmail's three-dot menu.
- Microsoft: Use the "Report Message" add-in in Outlook.
Best Practices
⚡ Pro Tip: Layer your defenses: email authentication stops domain spoofing, secure email gateways catch
known threats, user training catches novel attacks. No single layer is sufficient alone.
- Deploy DMARC at p=reject on all domains, including non-sending domains.
- Enable multi-factor authentication (MFA) on all accounts — a stolen password alone then no longer grants access.
- Implement conditional access policies that block logins from unusual locations or devices.
- Use a secure email gateway (SEG) with URL rewriting and sandbox detonation.
- Monitor for lookalike domain registrations with automated typosquatting detection.
- Require out-of-band verification for financial transactions and credential changes.
Common Mistakes
- Relying solely on user training: Even the best-trained users click occasionally — technical controls are essential.
- No DMARC enforcement: p=none monitors but doesn't prevent spoofing.
- Punishing phishing victims: Creates a culture of hiding incidents instead of reporting them.
- Ignoring non-email vectors: Smishing, vishing, and social media phishing bypass email filters entirely.
- No incident response plan: Scrambling during an active attack wastes critical containment time.
- Trusting the padlock: HTTPS does not mean a site is legitimate, only that the connection is encrypted.
Tools
🔗 Phishing Link Checker — Scan URLs against threat intelligence databases for known phishing indicators.
🛡️ DMARC Checker — Verify your domain's DMARC policy prevents spoofing.
🌐 Domain Scanner — Detect typosquatting and lookalike domains targeting your brand.
References
📄 FBI IC3 — Internet Crime Report (Annual)
📄 APWG — Phishing Activity Trends Report
📄 CISA — Phishing Guidance
📄 RFC 7489 — DMARC Specification
📄 Verizon — Data Breach Investigations Report (DBIR)
📄 Google — Email Sender Guidelines
🎯 Key Takeaway: Phishing succeeds because it targets human trust, not just technical vulnerabilities. Defend
in layers: enforce DMARC to prevent domain spoofing, deploy email gateways to catch known threats,
train employees to recognize what filters miss, and maintain a practiced incident response plan.
Report every attempt — your report protects the next target.
Originally published on StarNomina ToolBox.