Monday morning, 8:47 a.m. An email from the company's bank lands in the accountant's inbox: "Urgent security verification – please log in now." The link looks legitimate. So does the sender's address. She clicks. 21 seconds – that's all it takes for an attacker to gain access to the company network.
This isn't a worst-case scenario from a thriller. It's the median. According to the Verizon Data Breach Investigations Report 2025, employees click on a phishing link in just 21 seconds on average – but it takes nearly 30 minutes before anyone reports the incident. In that half hour, an attacker can exfiltrate data, deploy ransomware, or move laterally through your network.
Phishing is a solvable problem. But not with half-measures.
Why SMBs Are Squarely in the Crosshairs
87 percent of German companies were affected by cyberattacks in 2025 – up from 81 percent the previous year. The total damage to the German economy: 289 billion euros, according to Bitkom Research. And phishing is the most common entry point: IBM estimates it accounts for 16 percent of all data breaches – ranking first ahead of every other attack vector.
The assumption that cybercriminals only target large enterprises is dangerously wrong. SMBs are structurally at a disadvantage: smaller IT teams, tighter prevention budgets, and often no dedicated security department. The bottom line is clear – it's not a lack of caution that makes SMBs vulnerable, it's simply a lack of resources.
Scale those 289 billion euros down to your company's size: for a mid-sized business, a single successful phishing attack can generate costs in the five- to six-figure range – through operational downtime, data recovery, reputational damage, and potential GDPR reporting obligations.
What Modern Phishing Actually Looks Like
Forget the image of poorly worded emails riddled with spelling mistakes. Modern phishing emails are grammatically flawless, contextually precise, and visually nearly indistinguishable from legitimate messages. AI-powered tools make it easier than ever for attackers to craft convincing fakes.
The Most Common Attack Patterns
Spoofed sender domains: The email appears to come from accounting@your-bank.com – but it actually originates from accounting@your-bannk.com. One letter off, the kind of difference you miss under the pressure of a busy workday.
Urgency as a psychological trigger: "Your account will be suspended in 2 hours," "Immediate approval required," "Final notice before collections." The time pressure is designed to stop employees from thinking – and it works. The 21 seconds to a click proves just how well.
CEO fraud (Business Email Compromise): An email that appears to come from the CEO: "Please wire $47,000 to the following vendor immediately – confidential, do not discuss with accounting." This variant deliberately exploits organizational hierarchies and trust relationships.
QR code phishing (quishing): A newer trend – instead of a clickable link, the email contains a QR code. Many email security filters fail to detect malicious URLs embedded in QR codes. The employee scans the code with their smartphone – which is typically far less protected than their work computer.
Warning Signs That Still Hold Up
- The sender domain deviates slightly from the legitimate one
- The email creates artificial urgency
- You're asked to enter credentials via a link
- The greeting is generic ("Dear Customer") from a bank that normally addresses you by name
- Attachments in unexpected formats (.html, .iso, .zip with password protection)
The Training Trap – and What Actually Works
Here's where things get uncomfortable: most phishing guides end with the line "Train your employees!" That's true – but it's nowhere near enough on its own.
Why Training Alone Falls Short
The Bitkom figures paint a paradoxical picture: 79 percent of companies provide IT security training for their staff. Sounds good. But only 24 percent offer that training to all employees. 55 percent train only selected roles. And one in five companies – 20 percent – skips it entirely.
The problem: phishing attackers aren't targeting the IT director. They're targeting the accountant, the new intern, the field sales rep with access to the CRM. Selective training creates a dangerous illusion of security.
And even if you train every single employee: if an attacker sends 1,000 emails and only 0.3 percent click, that's enough for a successful breach. Human error cannot be trained down to zero.
The Right Three-Layer Approach: Technology, People, Incident Response
Layer 1 – Technical safeguards (non-negotiable):
- Multi-factor authentication (MFA): Even if a password is stolen through phishing, the second factor blocks access. MFA is the single most effective measure against credential phishing.
- Email authentication (SPF, DKIM, DMARC): These three protocols let receiving mail servers detect and reject messages forged in your domain's name, so attackers cannot convincingly send email on your behalf. Many SMBs haven't configured them – it's the equivalent of leaving the front door wide open.
- DNS filtering and modern email security: Malicious links are blocked before employees ever see them. Solid solutions are available for small businesses at reasonable cost.
Layer 2 – Awareness training (regular, for everyone):
Training is the second line of defense. It works best when it's short, practical, and recurring – not as an annual checkbox exercise with a 60-slide presentation. Simulated phishing emails delivered during the normal workday are significantly more effective than classroom-style instruction.
Layer 3 – Incident response plan (the biggest blind spot):
39 percent of German companies have no incident management plan in place for a cyberattack. That means: even if someone spots and reports a phishing email, no one knows what to do next. Who's responsible? Who gets notified? Which systems get isolated? Without clear answers to these questions, you're handing attackers exactly the time they need.
Your Checklist for This Week
You don't have to tackle everything at once. But these seven measures can be prioritized – ordered by effort:
- Enable MFA – for all business email accounts and cloud services. Right now. Today. This delivers the best return on investment of any single security measure.
- Check SPF, DKIM, and DMARC – ask your IT provider or hosting company whether these protocols are configured for your domain. If not: get it done.
- Define a reporting process – every employee needs to know: if an email looks suspicious, who do they report it to? A simple address like phishing@yourcompany.com is a solid first step.
- Create an incident response plan – keep it to one page: what happens when an attack is detected? Who makes decisions? Which systems get disconnected? Who notifies customers and authorities?
- Train all employees – not just the IT department. Short, practical formats, at least quarterly. Focus on current attack patterns, not theory.
- Regularly audit SSL certificates and security configurations – expired certificates aren't just a security risk; they also erode customer trust.
- Explore funding options – many IT security measures are eligible for subsidies. There are government programs that co-fund digitalization and security projects, especially for SMBs.
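As an added example (not code from the article or from Golle IT), here is a small Python audit that applies the SPF and DMARC checks from Layer 1 and checklist item 2 to a domain's DNS TXT records and reports the weak settings a receiving server would ignore. The domains and records are constructed stand-ins; in practice `txt_records` would do a real DNS TXT lookup.

```python
import re

# Constructed sample TXT records standing in for a DNS lookup.
# "weak.example" and "good.example" are hypothetical domains.
SAMPLE_DNS = {
    "weak.example": ["v=spf1 a mx ?all"],            # neutral "all", no DMARC
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
}


def txt_records(name):
    """Stand-in for a DNS TXT lookup; reads the constructed table above."""
    return SAMPLE_DNS.get(name, [])


def check_spf(records):
    """Return findings for the SPF record(s) published at the domain apex."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: anyone can send mail as this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    last = spf[0].split()[-1].lower()
    if not last.endswith("all"):
        return ["SPF has no 'all' mechanism: unlisted senders are not rejected"]
    if last in ("+all", "all", "?all"):
        return [f"SPF ends in '{last}': spoofed senders pass or are treated as neutral"]
    if last == "~all":
        return ["SPF ends in '~all' (softfail): only useful if DMARC enforces a policy"]
    return []  # "-all": unlisted senders fail


def check_dmarc(records):
    """Return findings for the DMARC record at _dmarc.<domain>."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM results are never enforced"]
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc[0])}
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is missing or invalid")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports on spoofing")
    return findings


def audit_domain(domain):
    """Combine SPF and DMARC findings; an empty list means both are enforcing."""
    return check_spf(txt_records(domain)) + check_dmarc(txt_records("_dmarc." + domain))
```

An empty result means unlisted senders fail SPF and DMARC tells receivers to reject them; every finding is a setting a spoofed email would slip past.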
Phishing Protection Is a Leadership Issue
Phishing isn't an IT problem – it's a business risk. The decision about whether your company is protected isn't made in the server room; it's made in the boardroom. Technology, training, and incident planning must work together. No single layer is sufficient on its own.
The good news: you don't need a million-dollar budget or a 20-person security team. You need a clear plan, the right technical foundations, and a partner who understands your company's scale.
At Golle IT, we help SMBs and mid-sized businesses build an IT security and digitalization strategy that fits their resources – pragmatic, not overengineered. Whether it's technical hardening, process optimization, or selecting the right tools: get in touch with us before the next Monday morning becomes a crisis.
