Phishing Attack¶

Someone in your organization clicked a malicious link, opened a dangerous attachment, or entered credentials on a fake website. Phishing is often the first step in a larger attack.

Types of Phishing¶

Email phishing - Mass emails with malicious links/attachments
Spear phishing - Targeted emails personalized to the victim
Whaling - Targeting executives specifically
Smishing - Phishing via SMS/text messages
Vishing - Phishing via voice calls
QR code phishing - Malicious QR codes leading to fake sites

Immediate Actions¶

If Credentials Were Entered¶

Change password immediately - On the compromised account AND any accounts using the same password
Enable/reset 2FA - Remove old 2FA, set up new one
Check account activity - Login history, sent messages, forwarding rules
Revoke sessions - Force logout from all devices
Alert IT/security - Others may have received the same phishing email

If Link Was Clicked (No Credentials Entered)¶

Disconnect from network - If malware might have been downloaded
Don't enter any information - Close the browser
Scan the device - Run antivirus scan
Clear browser cache - Remove any cached malicious content
Report the email - Forward to IT/security team

If Attachment Was Opened¶

Disconnect from network immediately
Do NOT turn off the computer - Evidence in memory
Assume malware infection - See Malware Infection guide
Alert IT/security

Report Phishing¶

Report to Email Provider¶

Gmail: Click three dots → "Report phishing"
Outlook: Select email → "Report message" → "Phishing"
Apple Mail: Forward to reportphishing@apple.com

Report to Authorities¶

Sweden (CERT-SE): cert.se - For significant incidents
Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish
Microsoft: microsoft.com/reportphishing
APWG: apwg.org/reportphishing - Anti-Phishing Working Group

Report Phishing URLs¶

PhishTank: phishtank.org - Community phishing database
URLhaus: urlhaus.abuse.ch - Malicious URL database

Analyze Suspicious Emails¶

Check URLs Before Clicking¶

VirusTotal: virustotal.com - Paste URL to check reputation
URLScan.io: urlscan.io - See what a URL does without visiting
CheckPhish: checkphish.ai - Phishing URL detection

Analyze Email Headers¶

Full headers reveal the true sender: - MXToolbox Header Analyzer: mxtoolbox.com/EmailHeaders.aspx - Google Admin Toolbox: toolbox.googleapps.com/apps/messageheader

Analyze Attachments (Safely)¶

VirusTotal: Upload file for scanning (⚠️ files become public)
Hybrid Analysis: hybrid-analysis.com - Sandbox analysis
Any.Run: any.run - Interactive analysis

Evidence to Preserve¶

[ ] Original phishing email (with full headers)
[ ] Screenshot of fake login page (if applicable)
[ ] URL of phishing site
[ ] Any files that were downloaded
[ ] Timestamp of when link was clicked
[ ] Logs showing account access after compromise

Prevention: Technical Controls¶

Email Security¶

DMARC, DKIM, SPF - Prevent email spoofing
External email banners - Warn users of external emails
URL rewriting - Scan links at click time
Attachment sandboxing - Analyze attachments before delivery

User Training¶

Simulated phishing tests - Regular exercises
Clear reporting process - Make it easy to report suspicious emails
No punishment for reporting - Encourage a security culture

Technical Protections¶

Multi-factor authentication - Limits damage from stolen credentials
Password managers - Won't autofill on fake domains
Web filtering - Block known phishing domains

Guides & Documentation¶

CISA Phishing Guidance¶

Website: cisa.gov/secure-our-world/recognize-and-report-phishing
Recognition and reporting

KnowBe4 Phishing Resources¶

Website: knowbe4.com/phishing
Training and awareness resources

EFF Phishing Guide¶

Website: ssd.eff.org
How to avoid phishing attacks

Security in a Box - Phishing¶

Guide: securityinabox.org/en/communication/phishing
Recognition and protection

Need Help?¶

If your Swedish organization has been targeted by a sophisticated phishing campaign:

Apply to HackAid - We can help investigate the extent of compromise.

Last updated: 2026-01