Phishing
Recognise and prevent phishing attacks
Three quarters of all cyber attacks start with phishing. And while most employees think they can spot it, 1 in 4 still click. That’s because the attacks have changed: criminals now use AI to write fluent, personalised messages at scale, without the tell-tale mistakes. Training alone no longer cuts it.
3 in 4 Dutch citizens encountered cybercrime attempts, including phishing, in 2024 (Alert Online 2025, Min. of Economic Affairs).
77% of SMBs were hit by cybercrime in the past two years (SMB Cybersecurity Monitor, Motivaction/Vodafone 2024).
1 in 5 business owners suffered direct damage from a cyber attack in 2024 (ABN AMRO research, via NOS 2024).
Types of phishing attacks
The badly written email from a ‘Nigerian prince’ still exists, but the methods have come a long way since. These are the variants we see most often in practice.
Email phishing
Emails that are indistinguishable from real messages from your bank or supplier. Same logo, same tone of voice, sometimes even the same sender address (possible when the sender's domain does not enforce DMARC, or when the mail comes from a real account that has been compromised). One click and you’re on a fake login page.
How Bouncer blocks this →
Spear phishing
Not mass spam, but targeted messages based on your name, job title and recent LinkedIn posts. AI tools now let criminals generate these at scale, without the grammar mistakes that used to give phishing away.
More about CEO fraud →
Whaling
Specifically targeting directors and senior management. Criminals sometimes invest weeks researching a single person to craft one perfect message. Closely related to CEO fraud.
Read about CEO Fraud →
Vishing (Voice phishing)
Scammers posing as ‘bank employees’ or ‘IT helpdesk’ over the phone. Responsible for the largest share of financial damage, because people trust a voice faster than an email.
Smishing (SMS phishing)
The classic WhatsApp from your ‘son’ who urgently needs money, or a delivery service with a tracking link. On a small screen, telling these apart from real messages is almost impossible.
Social media phishing
Fake login pages for Instagram or LinkedIn to take over accounts. Once in, criminals use the compromised account to reach contacts with even more convincing messages.
Phishing via Microsoft 365 itself
Microsoft 365 is the most popular target for phishing attacks on businesses. Because the messages are sent from real Microsoft infrastructure (a genuine sharing notification, or a compromised tenant), they pass SPF, DKIM and DMARC checks and slip past standard spam filters.
Fake SharePoint notifications
‘John shared a document with you.’ The notification looks exactly like a real SharePoint email, but the link leads to a fake login page.
Teams messages from compromised accounts
A compromised colleague’s account sends a link via Teams. Familiar face, real interface, no reason to doubt. Until you click.
Fake Microsoft login pages (AiTM)
Looks exactly like the real Microsoft login, complete with your company logo. But behind the scenes a reverse proxy relays your password and MFA response to the real Microsoft login page and captures the resulting session cookie. Code-, SMS- and push-based MFA won’t help. Only phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) do, because the credential is bound to the genuine login domain and does not work on the proxy’s domain.
Standard email filters try to stop phishing before delivery. But what if a message slips through? Attic FREE recognises fake login pages the moment an employee visits them and blocks the page with a warning screen.
Learn more about AiTM attacks →
How to recognise phishing
Healthy scepticism is your first line of defence. Run through these checks before you click anything or enter your details.
Sender
- Is this someone you normally communicate with?
- Does the email domain look correct, or is it a variant (e.g. rab0bank-mail.com)?
- Have you had prior contact with this person or organisation?
Recipient
- Are you the only recipient, or was it sent to an unfamiliar distribution list?
- Do all addresses in the list start with the same letter? That suggests the list was harvested or generated alphabetically rather than chosen.
Links
- Hover over the link (long-press on mobile). Does the URL match the expected website?
- Look at the registrable domain, the part just before .com or .nl: microsoft.com.login-check.net is not Microsoft, and a single swapped character (rab0bank) is easy to miss.
- Does the link lead to a login page you didn’t expect? A Microsoft 365 sign-in starts at login.microsoftonline.com or your organisation’s own sign-in page; any other page asking for your Microsoft password is suspect.
Content
- Is there artificial urgency pushing you to act immediately?
- Does the request make sense for this sender and your working relationship?
Attachments
- Does the attachment make sense, and has this person sent files before?
- Be wary of executables, scripts, disk images and archives (.exe, .js, .iso, .zip), and of HTML attachments that open a ‘login page’. A .pdf or .docx is less suspicious but not safe by default: macro-enabled Office files (.docm, .xlsm) and PDFs that only contain a link are common lures. When in doubt, don’t open it, ask.
Subject & Timing
- Does the subject match the sender and your working relationship?
- Was the message sent at a reasonable time (not the middle of the night)?
- Is it a reply to a message you never sent?
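The sender and link checks above can be automated for the cases a human is likely to miss: a brand name used as a subdomain of an unrelated domain, and a registrable domain that only differs from a trusted one by a swapped character or an extra word. The PowerShell below is an added example written for this page, not part of Attic; the trusted-domain allow-list, the sample addresses and the small set of look-alike substitutions are constructed for the demonstration, and the two-label approximation of the registrable domain should be replaced by a public suffix list in production.

```powershell
# Added example, not Attic's code: flag sender domains that imitate a domain you trust.
# The trusted list and sample addresses below are constructed for the demonstration.

function Get-RegistrableDomain {
    param([Parameter(Mandatory)][string]$HostName)
    # The registrable domain is the part just before the TLD ("rabobank.nl", "login-check.net").
    # Two labels is enough for the demo; production code should use the public suffix list
    # so that names such as example.co.uk are handled correctly.
    $labels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { return $labels[0] }
    return ($labels[-2..-1] -join '.')
}

function Get-DomainSkeleton {
    param([Parameter(Mandatory)][string]$Label)
    # Normalise common look-alike substitutions so "rab0bank" and "rabobank" compare equal.
    $s = $Label.ToLowerInvariant()
    $s = $s -replace 'rn', 'm'     # "rn" renders like "m" in many fonts
    $s = $s -replace 'vv', 'w'
    $s = $s.Replace('0', 'o').Replace('1', 'l').Replace('3', 'e').Replace('5', 's').Replace('7', 't')
    $s = $s -replace '[-_.]', ''   # "rabobank-mail" -> "rabobankmail"
    return $s
}

function Test-LookalikeSender {
    param(
        [Parameter(Mandatory)][string]$SenderAddress,
        [Parameter(Mandatory)][string[]]$TrustedDomains
    )
    $hostPart    = (($SenderAddress -split '@')[-1]).ToLowerInvariant()
    $registrable = Get-RegistrableDomain $hostPart
    $trusted     = $TrustedDomains | ForEach-Object { $_.ToLowerInvariant() }

    $verdict = [ordered]@{ Sender = $SenderAddress; Verdict = 'unknown'; Reason = "no trusted domain resembles $registrable" }

    if ($trusted -contains $registrable) {
        # Exact match on the registrable domain. Only trustworthy if SPF/DKIM/DMARC passed at
        # delivery: a spoofed header can carry a genuine domain.
        $verdict.Verdict = 'trusted'
        $verdict.Reason  = "registrable domain is $registrable"
        return [pscustomobject]$verdict
    }

    foreach ($t in $trusted) {
        # 1. Trusted domain used as a subdomain of something else: rabobank.nl.login-check.net
        if ($hostPart -ne $registrable -and $hostPart.Contains("$t.")) {
            $verdict.Verdict = 'suspicious'
            $verdict.Reason  = "$t appears as a subdomain of $registrable"
            return [pscustomobject]$verdict
        }
        # 2. Brand name with swapped characters or extra words: rab0bank-mail.com, yourcornpany.nl
        $tSkel = Get-DomainSkeleton (($t -split '\.')[0])
        $rSkel = Get-DomainSkeleton (($registrable -split '\.')[0])
        if ($rSkel.Contains($tSkel)) {
            $verdict.Verdict = 'suspicious'
            $verdict.Reason  = "$registrable imitates $t"
            return [pscustomobject]$verdict
        }
    }
    return [pscustomobject]$verdict
}

# Constructed sample run: an allow-list this organisation trusts and a handful of senders.
$trustedDomains = @('rabobank.nl', 'microsoft.com', 'yourcompany.nl')
$senders = @(
    'alerts@rabobank.nl',                          # trusted
    'service@rab0bank-mail.com',                   # suspicious: digit swap plus extra word
    'noreply@rabobank.nl.login-check.net',         # suspicious: brand used as a subdomain
    'sharing@microsoft.com.sharepoint-files.net',  # suspicious: brand used as a subdomain
    'hr@yourcornpany.nl',                          # suspicious: "rn" standing in for "m"
    'newsletter@example.org'                       # unknown: no trusted domain resembles it
)
$senders | ForEach-Object { Test-LookalikeSender -SenderAddress $_ -TrustedDomains $trustedDomains } |
    Format-Table -AutoSize
```

Note that the check only says a domain resembles one you trust; a brand's other legitimate domains (rabobank.com next to rabobank.nl, for instance) must be on the allow-list or they will be flagged too, which is the safe direction to err in for a mail gateway rule.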
MFA is not enough. And attackers know it
The NCSC, CISA and other national cyber security bodies recommend MFA as a baseline. Rightly so. But attackers are already a step ahead: unless the MFA method is phishing-resistant, an AiTM proxy simply relays it.
Attic goes beyond MFA. Attic FREE recognises fake login pages the moment an employee visits them and displays a red warning screen. Before the login takes place.
- 1 MFA active: two-factor authentication enabled on the account.
- 2 Session hijacked via AiTM: the proxy relays the password and the MFA step to Microsoft and captures the resulting session cookie.
- 3 Attacker has full access: email, files, Teams, everything open.
How Attic protects you
From blocking phishing emails to automated response when someone does click.
Bouncer blocks phishing emails before delivery
Bouncer analyses incoming emails and blocks phishing messages before they reach the inbox. Employees never even see them.
More about Bouncer →
Red warning screen on fake login pages
When an employee lands on a phishing site impersonating Microsoft 365, a prominent red warning screen appears, preventing them from entering their credentials.
Authenticity seal on real Microsoft 365 pages
On the official Microsoft login page, Attic displays a recognisable green seal, so employees always know they are on the genuine page.
Admin notifications on fake page visits
IT administrators get an immediate notification when anyone in the organisation visits a phishing page. So you can act before it escalates.
Someone in your organisation clicked. Now what?
Panic doesn’t help, speed does. Follow these steps to limit the damage.
- 1 Change the password immediately for the compromised account, and block sign-in while you work through the rest.
- 2 Revoke all active sessions in Microsoft 365 (Entra admin centre → Users → the user → Revoke sessions). This invalidates refresh tokens and the browser session; access tokens already issued stay valid until they expire (up to an hour), so keep moving. Also remove any MFA methods, devices or app consents on the account that you don’t recognise.
- 3 Check for forwarding rules in the mailbox, both inbox rules and mailbox-level forwarding. This is the first thing attackers set up, often under an innocuous rule name.
- 4 Review sent emails. Were any messages sent from the account in the minutes after the click? Those recipients may have received the same phishing link.
- 5 Notify the organisation if the account had access to shared systems or sensitive data, and warn the recipients found in step 4.
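The five steps above, done by hand in PowerShell against Microsoft 365, as an added example for this page rather than Attic’s own code. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the admin running it holds the User Administrator and Exchange Administrator roles; the account name and the time of the click are constructed placeholders.

```powershell
# Added example, not Attic's Fixer: manual containment of one compromised Microsoft 365 account.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and
# that you hold the roles needed (User Administrator, Exchange Administrator).
# The account and timestamp below are constructed placeholders.
$upn       = 'j.doe@yourcompany.nl'
$clickedAt = (Get-Date).AddHours(-2)      # when the employee clicked, from the alert or the user

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.Read.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Step 1 is the password reset (Entra admin centre or Update-MgUser). While you do that, block
# new sign-ins so the attacker cannot re-authenticate in the meantime.
Update-MgUser -UserId $upn -AccountEnabled:$false

# Step 2: invalidate every refresh token and browser session, which is what makes a stolen AiTM
# session cookie worthless. Access tokens already issued last until they expire (up to an hour).
Revoke-MgUserSignInSession -UserId $upn | Out-Null

# Persistence check that belongs with step 2: MFA methods and OAuth app consents the attacker
# may have added so they can come back without phishing again. Review and remove unknown ones.
Get-MgUserAuthenticationMethod -UserId $upn | Select-Object Id, AdditionalProperties
Get-MgUserOauth2PermissionGrant -UserId $upn | Select-Object ClientId, Scope, ConsentType

# Step 3: forwarding. Attackers use mailbox-level forwarding as well as inbox rules, often with
# innocuous names like "." or "RSS" and set to delete or hide the messages they forward.
Get-Mailbox -Identity $upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-InboxRule -Mailbox $upn |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder

# Remove what you find (read the rule list first: legitimate rules forward too).
Set-Mailbox -Identity $upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Remove-InboxRule -Confirm:$false

# Step 4: what went out from the account after the click? Message trace covers the last 10 days.
$sent = Get-MessageTrace -SenderAddress $upn -StartDate $clickedAt -EndDate (Get-Date) |
    Sort-Object Received
$sent | Select-Object Received, RecipientAddress, Subject, Status | Format-Table -AutoSize

# Step 5: the unique recipients of those messages are the people to warn that the mail came
# from a compromised account; internal ones may have clicked the same link.
$sent | Select-Object -ExpandProperty RecipientAddress -Unique

# Re-enable the account only after the password has been reset and the checks above are done.
Update-MgUser -UserId $upn -AccountEnabled:$true
```

The order matters: revoking sessions before the forwarding check stops the attacker from re-creating a rule while you are deleting it, and the message trace run last gives you the notification list for step 5 in one go.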
Fixer automates steps 2 through 5 and executes them within seconds of detection. Even outside office hours.
More about Fixer →
Phishing and NIS2 compliance
Article 21 of the NIS2 Directive requires organisations to implement technical and organisational measures against cyber threats, including phishing. Awareness alone isn’t enough: you need demonstrable protection for email and identity. Attic helps you get there.
Learn more about NIS2 compliance →
Stop phishing before it causes damage
Protect your employees and your organisation with Attic. Start free and activate advanced protection when you are ready.