
How to Recognize a Phishing Attack - An Employee Guide

NeoBit team · Jun 15, 2026 · 10 min read

Recognizing phishing means spotting an attempt at fraud in which an attacker poses as a trusted person or organization to trick you into revealing a password, clicking a malicious link or making a payment. The key warning signs are unexpected urgency, a mismatch between the displayed name and the sender's actual address, and a request for confidential information. The rule is simple: stop, verify the sender through another channel, and do not click until you are certain.

Our solution

24/7 SOC service - 24/7 monitoring that stops threats in time. You do not have to handle it alone; we take care of it for your company. Request a free assessment.

Phishing is today the most common entry vector for attacks on companies and businesses in BiH and the wider region. The reason is simple: it is cheaper and faster for an attacker than breaking through technical defenses, and it relies on human error. That is exactly why every employee is the first line of defense. This guide explains how to recognize phishing in practice, without technical jargon, and what specifically to do when you become suspicious.

What phishing is and why it targets employees specifically

Phishing is a form of social engineering in which an attacker sends a message (email, SMS, a message on Viber or WhatsApp, or even a phone call) that looks as if it comes from a legitimate source: a bank, a supplier, a colleague, the IT department or management. The goal is to get the recipient to do something they otherwise would not: enter a password on a fake page, open an infected attachment or approve a payment to the wrong account.

Employees are targeted because they have access to email, internal systems, finances and client data. For an attacker, it is enough for a single person in the company to make a mistake. Small and medium-sized businesses in the region often think they are too small to be a target, but automated phishing waves do not discriminate: they are sent to thousands of addresses at once.

The most common forms of phishing

  • Classic phishing - mass emails sent to a broad pool of recipients (e.g. a fake notice from a bank or a parcel delivery service).
  • Spear phishing - a targeted message tailored to a specific person, using their real name, role or the names of colleagues.
  • CEO fraud (BEC) - the attacker poses as a director or owner and requests an urgent payment or a change to a supplier's bank account.
  • Smishing - phishing via SMS or messages on Viber/WhatsApp, most often with a link to "track a shipment" or "verify an account".
  • Vishing - a phone call in which the attacker falsely presents themselves as support, a bank or the IT department.

Six key signs of phishing

Most phishing messages, however convincing they may look, share the same patterns. If you learn to recognize these six signals, you will catch the vast majority of attempts.

1. Unexpected urgency and pressure

"Your account will be locked within 24 hours." "Approve this payment urgently before the end of the business day." Creating fear and time pressure is a classic tactic, and the goal is to make you react before you think. Legitimate organizations rarely demand immediate action under threat.

2. Mismatch between sender and address

The displayed name may read "NeoBit Support" or "Raiffeisen Bank", but the actual email address reveals the fraud. Check the domain after the @ symbol. Attackers use similar but incorrect domains: raifeisen-ba.com instead of the real one, or they add words such as -secure or -verify. On a mobile device, tap the sender's name to see the full address.

3. Suspicious links

Before clicking, hover your mouse over the link (without clicking) and look at the actual URL that appears at the bottom of your browser or email client. If the text says "banka.ba" but the actual link leads to an unknown domain or a URL shortener (bit.ly and similar), that is a red flag. On a mobile device, press and hold the link to see its destination.

4. Request for confidential information

No serious bank, government institution or IT department will ever ask you by email for a password, PIN, card number or one-time code (OTP). Treat every such request as fraud, without exception.

5. Errors, an odd tone and generic greetings

Spelling mistakes, poor translation, an unusual form of address ("Dear customer" instead of your name) or a tone that does not match the person supposedly writing - these are all indicators. Note: attackers increasingly use writing tools, so the absence of errors does not mean the message is safe.

6. Unexpected attachments

An attachment you did not request, especially .zip, .html, files with macros (.docm, .xlsm) or "invoice.pdf.exe", may contain malicious code. If you were not expecting a document, do not open it until you confirm with the sender through another channel.

A real-world example: what a phishing email looks like

Theory is useful, but a real example best shows how the signals add up. Imagine the following message arrives in your inbox:

From: Microsoft 365 Support <support@m365-secure-login.com>
Subject: Warning: your account will be deactivated

Dear customer,
We have detected unusual activity on your account. If you do not confirm your identity within 24 hours, your email access will be permanently disabled. Click here to confirm: Confirm account now.

At first glance the message seems convincing, but it contains at least four clear signs of phishing:

  • The sender's domain is not microsoft.com, but m365-secure-login.com, a typical trick of adding the words "secure" and "login" to make the message sound official.
  • A generic greeting, "Dear customer" instead of your name. A genuine service provider knows your name.
  • Artificial urgency: a 24-hour deadline and the threat of permanently losing access create panic.
  • A hidden link: the text "Confirm account now" almost certainly leads to a fake login page that steals your password.

The correct response is not to click, but to verify: open Microsoft 365 manually in your browser (by typing the known address, not via the link) and check the status of your account. If there really is a problem, you will see it inside your account, with no need for any link from the email.
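The script below is added here as an illustration and is not part of NeoBit's guide or tooling. It applies the six signs from above to the sample message mechanically: the sender's displayed name against the domain after the @, where each link really points (shorteners and untrusted hosts), urgency phrases and generic greetings in the body, and attachment names such as invoice.pdf.exe. The allow-list of trusted domains, the link target and the attachment name are assumptions constructed for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of domains the company actually corresponds with.
TRUSTED_DOMAINS = {"microsoft.com", "neobit.ba"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY_PHRASES = ("within 24 hours", "permanently disabled", "urgent", "immediately")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".html")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso")


def base_domain(host: str) -> str:
    """Last two labels of a host name (shortcut; real code should use the public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(from_header: str) -> list[str]:
    """Sign 2: the displayed name versus the address after the @."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if base_domain(domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain '{domain}' is not on the trusted list")
        # The display name borrows a trusted brand that the address does not belong to.
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in name.lower():
                findings.append(f"display name mentions '{brand}' but address is @{domain}")
        # Words added to make a lookalike domain sound official.
        for bait in ("secure", "login", "verify"):
            if bait in domain:
                findings.append(f"domain contains the bait word '{bait}'")
    return findings


def check_links(html_body: str) -> list[str]:
    """Sign 3: where a link really goes versus what its text says."""
    findings = []
    anchors = re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html_body, re.I | re.S)
    for href, text in anchors:
        host = urlparse(href).hostname or ""
        if base_domain(host) in URL_SHORTENERS:
            findings.append(f"link '{text}' uses a URL shortener ({host})")
        elif base_domain(host) not in TRUSTED_DOMAINS:
            findings.append(f"link '{text}' leads to untrusted host {host}")
        # Link text that looks like a domain but does not match the real target.
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text.lower())
        if shown and base_domain(shown.group()) != base_domain(host):
            findings.append(f"link text shows {shown.group()} but target is {host}")
    return findings


def check_body(text_body: str) -> list[str]:
    """Signs 1, 4 and 5: time pressure, requests for secrets, generic greeting."""
    low = text_body.lower()
    findings = []
    if any(phrase in low for phrase in URGENCY_PHRASES):
        findings.append("body creates time pressure")
    if any(greeting in low for greeting in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")
    if re.search(r"\b(password|pin|otp|one-time code|card number)\b", low):
        findings.append("body asks for confidential information")
    return findings


def check_attachments(filenames: list[str]) -> list[str]:
    """Sign 6: risky attachment types and executables hidden by a double extension."""
    findings = []
    for name in filenames:
        low = name.lower()
        parts = low.split(".")
        if len(parts) > 2 and ("." + parts[-1]) in EXECUTABLE_EXTENSIONS:
            findings.append(f"'{name}' hides an executable behind a double extension")
        elif low.endswith(MACRO_EXTENSIONS):
            findings.append(f"'{name}' is a macro-enabled Office file")
        elif low.endswith(EXECUTABLE_EXTENSIONS + ARCHIVE_EXTENSIONS):
            findings.append(f"'{name}' is an executable or archive attachment")
    return findings


def triage(message: dict) -> list[str]:
    """All findings for one message; an empty list is not proof the message is safe."""
    return (check_sender(message["from"]) + check_links(message["html"])
            + check_body(message["text"]) + check_attachments(message.get("attachments", [])))


# Constructed sample mirroring the message quoted in the guide; the link target
# and the attachment name are assumptions added for the illustration.
SAMPLE = {
    "from": "Microsoft 365 Support <support@m365-secure-login.com>",
    "text": ("Dear customer, We have detected unusual activity on your account. If you do "
             "not confirm your identity within 24 hours, your email access will be permanently disabled."),
    "html": '<p>Click here to confirm: <a href="https://m365-secure-login.com/auth">Confirm account now</a></p>',
    "attachments": ["invoice.pdf.exe"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Run on the sample, it reports the untrusted sender domain, the borrowed "microsoft" display name, the bait words "secure" and "login", the untrusted link target, the time pressure, the generic greeting and the double extension. In practice such checks belong on the mail gateway or behind a "Report phishing" button; the point of running them on the example is to see that each sign from the guide corresponds to something a machine can look at, and that a message passing every check still needs the human verification step described above.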

Quick comparison: legitimate vs. phishing message

| Element | Legitimate message | Phishing message |
| --- | --- | --- |
| Sender's address | The company's official domain (e.g. name@neobit.ba) | A similar but incorrect domain, or a public mailbox (gmail, outlook) for a supposedly official message |
| Tone | Calm, informative, without threats | Urgency, threat of a lockout, pressure to act quickly |
| Links | Lead to the expected, official domain | Hidden behind text, URL shorteners, unknown domains |
| Requested information | Does not ask for passwords or codes by email | Asks for a password, OTP, card number or an urgent payment |
| Greeting | Your name, context that makes sense | Generic ("Dear customer") or incorrect details |

How to check a suspicious message in three steps

When a message triggers even one of the signals above, stop and run a simple check before taking any action.

  1. Stop. Do not click, do not download attachments and do not reply. The urgency the message creates is exactly what the attacker wants.
  2. Verify through another channel. If it supposedly comes from the director, a colleague or a supplier, call them on a known number or ask them in person. Never use the contact details from the suspicious message itself.
  3. Report it. Forward the message to your internal IT department or security team and delete it only after agreeing with them. If your company uses an external SOC or MDR service, reporting it makes it possible to check whether the attack also reached other colleagues.

What to do if you have already clicked or entered information

Mistakes happen, and the most important thing is to react quickly, without shame or hiding it. The sooner you report it, the smaller the damage.

  • Immediately change the password for the affected account, and if you use the same password elsewhere, change it there too.
  • Notify the IT department or security team without delay, even if you think the damage is minor.
  • If a payment is involved, contact the bank immediately. Sometimes a transaction can be stopped if you act within the first few minutes.
  • Disconnect the device from the network if you opened a suspicious attachment, to prevent any potential spread.

A swift reaction and a coordinated response are crucial for limiting the damage. This is where a professional security incident response service helps, guiding the company through analysis, remediation and recovery.

How companies in Mostar and the region can reduce the risk

Individual vigilance is necessary, but it is not enough. Resilience to phishing is built at the level of the entire organization, through a combination of training, technical controls and clear procedures.

Regular employee training

A one-off lecture does not change habits. Continuous training and simulated phishing campaigns help employees practice recognition under real conditions and help the company measure its actual risk.

Technical controls

Two-factor authentication (2FA) drastically reduces the damage even when a password leaks. Email filtering, blocking dangerous attachments and domain verification (SPF, DKIM, DMARC) stop a large share of messages before they reach the inbox.
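As an added illustration of what "domain verification (SPF, DKIM, DMARC)" means for an administrator, the script below grades the three DNS TXT records a domain publishes. It is not NeoBit's tooling; the records are constructed strings passed in directly (a weak setup beside the corrected one), so nothing touches DNS, and the DKIM public key is a placeholder. A real check would first fetch the records, for example with dnspython.

```python
import re

# Mechanisms that cost a DNS lookup when SPF is evaluated; RFC 7208 allows at most 10.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict[str, str]:
    """Split 'k=v; k=v' (DMARC/DKIM tag syntax) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(terms: list[str]) -> int:
    """Count SPF terms that trigger a DNS lookup (qualifier and arguments stripped)."""
    count = 0
    for term in terms:
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_MECHANISMS:
            count += 1
    return count


def grade_spf(record: str) -> tuple[str, str]:
    """Grade an SPF record by its lookup budget and its terminal 'all' qualifier."""
    if not record.lower().startswith("v=spf1"):
        return "missing", "no SPF record: any host may send mail as this domain"
    terms = record.split()[1:]
    if spf_lookup_count(terms) > 10:
        return "fail", "more than 10 DNS lookups: receivers return permerror and ignore SPF"
    final = terms[-1].lower() if terms else ""
    verdicts = {
        "-all": ("strong", "-all rejects senders that are not listed"),
        "~all": ("ok", "~all soft-fails unlisted senders; adequate when DMARC enforces"),
        "?all": ("weak", "?all is neutral, so unlisted senders are not penalized"),
        "+all": ("fail", "+all authorizes every host; SPF gives no protection"),
        "all": ("fail", "a bare 'all' means +all: every host is authorized"),
    }
    return verdicts.get(final, ("weak", f"record does not end with an 'all' mechanism ({final or 'empty'})"))


def grade_dkim(record: str) -> tuple[str, str]:
    """Grade a DKIM selector record: a published, non-empty public key is what matters."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1" or "p" not in tags:
        return "missing", "no DKIM public key published for this selector"
    if tags["p"] == "":
        return "fail", "empty p= tag: the key is revoked, signatures will not verify"
    return "strong", "public key published; signatures can be verified"


def grade_dmarc(record: str) -> tuple[str, str]:
    """Grade a DMARC record by policy, coverage (pct) and reporting (rua)."""
    if not record.lower().startswith("v=dmarc1"):
        return "missing", "no DMARC record: receivers cannot enforce alignment"
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    levels = {"none": "weak", "quarantine": "ok", "reject": "strong"}
    if policy not in levels:
        return "fail", f"invalid or missing policy tag p={policy!r}"
    notes = [f"p={policy}"]
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        notes.append("monitoring only: spoofed mail is still delivered")
    elif pct < 100:
        notes.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports showing who spoofs the domain")
    return levels[policy], "; ".join(notes)


def assess(spf: str, dkim: str, dmarc: str) -> dict[str, tuple[str, str]]:
    """Combined view for one domain; the weakest grade is the one that matters."""
    return {"SPF": grade_spf(spf), "DKIM": grade_dkim(dkim), "DMARC": grade_dmarc(dmarc)}


# Constructed records: a weak configuration beside the corrected one.
WEAK = assess("v=spf1 include:_spf.example.net ?all", "", "v=DMARC1; p=none")
FIXED = assess("v=spf1 include:_spf.example.net -all",
               "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",  # placeholder, not a real key
               "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net")

if __name__ == "__main__":
    for label, result in (("weak", WEAK), ("fixed", FIXED)):
        for mechanism, (grade, note) in result.items():
            print(f"{label:5} {mechanism:5} {grade:7} {note}")
```

The weak set of records is the one many companies discover they have: SPF ends in a neutral `?all`, no DKIM key is published, and DMARC sits at `p=none`, which reports but delivers spoofed mail anyway. Each of the three grades has to move before the filtering described above can reject a message that pretends to come from the company's own domain.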

Testing your own resilience

The best way to find out how exposed your company is: test it. A controlled penetration test and security assessment reveal weak points, both technical and human, before real attackers exploit them. For companies and businesses in Mostar and the region, this is a cost-effective step toward compliance and more peaceful operations.

If you would like to discuss employee training, simulated phishing campaigns or continuous monitoring, the NeoBit team is at your disposal via our contact page.

Why a culture of reporting matters as much as technology

Technical controls stop a large share of threats, but no filter is perfect and some message always gets through. What distinguishes a resilient company from a vulnerable one is not the number of tools, but the speed and openness with which employees report suspicions.

In many businesses, an employee who falls for phishing stays silent out of fear of the consequences. That is the worst possible outcome: the attacker gains hours or days of advantage while the damage quietly grows. That is why a good security culture must clearly convey that reporting is not an admission of guilt, but the correct course of action that protects the entire organization. One person's mistake, reported in time, often saves the whole company.

Practical steps for building such a culture include:

  • A simple reporting channel - e.g. a dedicated email address or a "Report phishing" button in the email client, so that reporting takes only seconds.
  • Fast feedback - an employee who reports should receive confirmation and a short explanation, so they learn and feel that their effort was worthwhile.
  • No punishment for those who report their own mistake - an approach oriented toward learning rather than finding someone to blame.
  • Regular practice - periodic simulations maintain vigilance and demonstrate progress over time.

For companies in BiH and the region that want an objective picture of their exposure, an external phishing simulation and employee awareness assessment provide a measurable risk indicator and a clear improvement plan. This turns recognizing phishing from occasional luck into a systematic, measurable capability of the entire organization.

Frequently asked questions

How does phishing differ from ordinary spam?

Spam is mostly unwanted advertising content that is annoying but rarely dangerous. Phishing has a specific malicious goal, the theft of data, money or access to systems, and it deliberately presents itself as a trusted source. Recognizing phishing therefore requires more attention than simply deleting ads: look for signs of urgency, fake links and requests for confidential information.

Can I recognize phishing by poor spelling alone?

Not anymore. Spelling mistakes are a classic sign, but attackers today use advanced writing tools, so messages can be flawless. That is why you should never rely on a single signal; check the sender, the links and the context together.

Is it safe to open an email if I do not click on the link?

Simply opening an email in a modern client is generally safe, but the danger arises the moment you click a link, open an attachment or enable content (images, macros). The rule is simple: read, but do not touch anything until you are certain the message is legitimate.

What if the message really looks like it comes from my boss?

CEO fraud (BEC) relies on exactly that. If a message requests an urgent payment, a change of bank account or confidential information, confirm the request through another channel: call the person on a known number or ask them in person. Never reply using the contact details from the message itself.
