Threat Awareness

Phishing Prevention
in the Workplace

Phishing attack methods infographic

Phishing is the most frequently reported category of cybersecurity incident in Poland. CERT Polska processed 25,625 phishing-related incidents in 2023, representing approximately 62 percent of all reported cases. The vast majority of these targeted employees at small and medium businesses — not enterprise accounts with dedicated security teams.

Unlike technical vulnerabilities, phishing exploits decision-making under time pressure. This makes purely technical defences insufficient: they must be combined with clearly defined internal procedures for what employees do when a suspicious message arrives.

How Phishing Campaigns Target SME Employees

The generic "click here to reset your password" message has largely given way to attacks that reference the target's real suppliers, colleagues and workflows. Current campaigns documented by CERT Polska and Polish incident responders include:

  • Business Email Compromise (BEC) — the attacker impersonates a supplier, client, or senior employee to request a payment or data transfer. In 2023, BEC accounted for 38 percent of financially motivated incidents at Polish SMEs reported to CERT.
  • Invoice fraud — fake invoices sent from domains visually similar to a known supplier's (e.g. suppIier.pl, where a capital I stands in for the lowercase l of supplier.pl; since DNS is case-insensitive, the registered domain is actually suppiier.pl and only the rendered From header looks right). Often accompanied by a phone call to confirm that "payment details have changed."
  • Credential harvesting via Microsoft 365 / Google Workspace lookalike pages — the most common entry method for initial access brokers operating in the Polish market.
  • Spear phishing targeting finance and HR staff — personalised messages referencing real company data obtained from LinkedIn, company websites, or previously compromised accounts.
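The invoice-fraud and lookalike-domain pattern above is the kind of thing a finance mailbox rule or mail-gateway plugin can flag automatically against the supplier master list. The following is an added example written for this page, not a tool from CERT Polska or any vendor. It assumes a constructed list of trusted supplier domains (TRUSTED) and checks a sender domain for case-folded typo-squats, ASCII confusables, IDN/punycode spoofs and trusted names embedded in a longer label; the confusable table and the edit-distance threshold of 2 are assumptions to tune for your own supplier list.

```python
"""Classify a sender domain against trusted supplier domains.

Added example for this page (not CERT Polska or vendor code). TRUSTED is a
constructed sample of a finance team's supplier master data."""
from __future__ import annotations
import unicodedata

TRUSTED = ["supplier.pl", "hurtownia-abc.pl"]      # constructed sample data

# Sequences that look alike in common email-client fonts, applied to both the
# candidate and the trusted domain so a spoof folds onto the original.
# Stroke letters such as Polish ł do not decompose under NFKD, hence the
# explicit entry. Assumed table; extend for your own supplier names.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("ł", "l")]


def canonical(domain: str) -> str:
    """Lowercase (as DNS does) and decode xn-- labels to Unicode."""
    d = domain.strip().rstrip(".").lower()
    try:
        d = d.encode("ascii").decode("idna")
    except UnicodeError:      # already Unicode, or not a valid IDN label
        pass
    return d


def fold(domain: str) -> str:
    """Canonical form with diacritics stripped and confusables replaced."""
    d = unicodedata.normalize("NFKD", canonical(domain))
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, trusted: list[str] = TRUSTED) -> tuple[str, str | None]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    cand = canonical(sender_domain)
    for t in trusted:                       # exact domain or a subdomain of it
        tc = canonical(t)
        if cand == tc or cand.endswith("." + tc):
            return ("trusted", t)
    cand_f = fold(cand)
    for t in trusted:
        tc, tf = canonical(t), fold(t)
        if cand_f == tf:                    # confusable or IDN spoof (supp1ier, supplíer)
            return ("lookalike", t)
        if levenshtein(cand_f, tf) <= 2:    # typo-squat (suppiier.pl)
            return ("lookalike", t)
        name = tc.split(".")[0]             # trusted name inside a longer label
        if len(name) >= 5 and name in cand_f:
            return ("lookalike", t)         # supplier-faktury.pl, supplier.pl.login-portal.com
    return ("unknown", None)


if __name__ == "__main__":
    for d in ["supplier.pl", "suppIier.pl", "supp1ier.pl", "supplier-faktury.pl", "example.com"]:
        print(f"{d:24} -> {classify(d)}")
```

A "lookalike" verdict is a reason to route the invoice to manual verification (step 4 of the procedure later on this page), not proof of fraud: short trusted names and the substring rule will produce false positives, which is why the length guard is there.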

Email Authentication: SPF, DKIM, and DMARC

Three DNS-based email authentication standards form the primary technical barrier against domain spoofing. SPF and DMARC are published purely as DNS TXT records; DKIM additionally requires the sending mail service to sign outgoing messages with a key whose public half is published in DNS:

SPF (Sender Policy Framework)

An SPF record lists the IP addresses and mail servers authorised to send email on behalf of a domain. A message from an unlisted source fails SPF validation. Note that SPF is evaluated against the envelope sender (Return-Path), not the From header the recipient sees, so on its own it does not stop From-header spoofing; DMARC's alignment requirement closes that gap. For most Polish SMEs using Microsoft 365 or Google Workspace, the required SPF record is documented in the provider's setup guide and takes under an hour to configure correctly.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing email headers, allowing receiving servers to verify that the message was authorised by the domain owner and was not modified in transit. A missing or invalid DKIM signature does not by itself cause rejection, but it counts against the message in the receiver's spam scoring and, under DMARC, removes one of the two ways a message can pass.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC builds on SPF and DKIM by specifying a policy for how receiving servers should handle messages that fail authentication. The three DMARC policy values are:

  • p=none — monitoring mode, no rejection. Appropriate for the initial configuration period while reviewing the aggregate (rua) reports to find legitimate senders that are not yet authenticated.
  • p=quarantine — failing messages are delivered to spam folders. Reduces exposure while accommodating legitimate but improperly configured mail flows.
  • p=reject — failing messages are not delivered. The maximum protection level, requiring that all legitimate mail flows are correctly authenticated before activation.
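Before moving from p=none to quarantine or reject, an administrator reads the current SPF and DMARC records and checks them for the mistakes that quietly break authentication. The script below is an added example for this page, not a CERT Polska or NASK tool: it parses constructed sample records (SAMPLE_SPF, SAMPLE_DMARC) and reports the weak-setting findings a practitioner looks for, including the RFC 7208 limit of ten DNS-lookup terms, `+all`, a missing `p=` tag and a policy applied to only part of the mail stream via `pct=`. Fetching the real records with a DNS library is left out so the example runs offline.

```python
"""Lint SPF and DMARC TXT records. Added example for this page; the two
sample records are constructed and stand in for the live DNS lookup of
<domain> TXT and _dmarc.<domain> TXT."""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_SPF = ("v=spf1 include:spf.protection.outlook.com "
              "include:_spf.google.com ip4:203.0.113.10 ~all")
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.pl; pct=100"

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=/](.*))?$")


@dataclass
class Finding:
    level: str      # "ok", "warn" or "fail"
    message: str


def check_spf(record: str) -> list[Finding]:
    findings: list[Finding] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("fail", "not an SPF record (missing v=spf1)")]
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        m = TERM_RE.match(term.lower())
        if not m:
            findings.append(Finding("warn", f"unparseable term {term!r}"))
            continue
        qual, mech, _arg = m.groups()
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech == "ptr":
            findings.append(Finding("warn", "ptr is deprecated and slow to evaluate"))
        if mech == "all":
            all_qualifier = qual or "+"
    if lookups > 10:
        findings.append(Finding("fail", f"{lookups} lookup terms exceed the limit of 10; "
                                        "receivers return permerror, i.e. SPF never passes"))
    if all_qualifier is None:
        findings.append(Finding("warn", "no 'all' term: unlisted senders are neutral, not failed"))
    elif all_qualifier == "+":
        findings.append(Finding("fail", "'+all' authorises every host on the internet"))
    elif all_qualifier == "?":
        findings.append(Finding("warn", "'?all' is neutral; use ~all or -all"))
    else:
        findings.append(Finding("ok", f"'{all_qualifier}all' terminates the record"))
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record: str) -> list[Finding]:
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("fail", "not a DMARC record (missing v=DMARC1)")]
    findings: list[Finding] = []
    policy = tags.get("p")
    if policy is None:
        findings.append(Finding("fail", "missing required p= tag; record is ignored"))
    elif policy == "none":
        findings.append(Finding("warn", "p=none only monitors; spoofed mail is still delivered"))
    elif policy in ("quarantine", "reject"):
        findings.append(Finding("ok", f"p={policy} enforced"))
    else:
        findings.append(Finding("fail", f"unknown policy {policy!r}"))
    if "rua" not in tags:
        findings.append(Finding("warn", "no rua= address: you will receive no aggregate reports"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(Finding("warn", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    return findings


if __name__ == "__main__":
    for name, fn, rec in [("SPF", check_spf, SAMPLE_SPF), ("DMARC", check_dmarc, SAMPLE_DMARC)]:
        print(name, rec)
        for f in fn(rec):
            print(f"  [{f.level}] {f.message}")
```

Run against the sample records, the SPF check passes cleanly (two includes, soft fail) and the DMARC check flags p=none as monitoring only, which is the expected state during the initial reporting period and the finding that should disappear before the policy is considered complete.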

An analysis by the Polish internet registry NASK found that as of early 2024, approximately 44 percent of .pl domains used for email had no DMARC record, including a significant proportion of SME domains.

Free online checkers such as MXToolbox (mxtoolbox.com), together with CERT Polska's own email security assessment portal, let businesses check their current SPF, DKIM and DMARC status without technical expertise.

Email Filtering and Gateway Controls

Beyond authentication records, email filtering at the gateway level reduces the volume of phishing messages that reach employee inboxes:

  • Microsoft Defender for Office 365 — Plan 1 is included in Microsoft 365 Business Premium and Plan 2 is available as an add-on to the Business plans. Safe Links rewrites URLs so they are scanned at click time, which also catches links weaponised after delivery; Safe Attachments detonates attachments in a sandbox before delivery.
  • Gmail safety settings in Google Workspace (Admin console, Gmail > Safety) — including enhanced pre-delivery message scanning and spoofing/authentication warnings; the separate Advanced Protection Program hardens the accounts of high-risk users.
  • Third-party email security gateways — Proofpoint Essentials, Mimecast, and Barracuda Email Security Gateway are the most commonly deployed in Polish mid-market SME environments. These supplement rather than replace built-in platform controls.

Internal Procedures for Suspicious Messages

Technical controls reduce the volume of phishing messages but cannot eliminate them entirely. A documented internal procedure for what employees do when they receive a suspicious message is a distinct and necessary control layer.

Effective procedures documented in Polish SME incident response playbooks typically specify:

  1. Do not click links or open attachments in any message with unexpected urgency or unusual payment/data requests.
  2. Report the message to the IT contact or designated person using a method other than email (phone, internal chat) — not by forwarding the suspicious message.
  3. If a link was clicked or credentials were entered on an unexpected page: report immediately, change the affected password from a separate device, and note the URL.
  4. Finance staff: verify any payment instruction change from a known supplier by calling a pre-established contact number, not one provided in the email.

Multi-Factor Authentication

MFA on email accounts blocks the primary outcome of most credential phishing attacks: password-only account takeover. Even when credentials are compromised, the attacker cannot sign in without the second factor. The following contexts are documented as high-priority MFA targets in Polish SME audits:

  • Microsoft 365 and Google Workspace accounts
  • VPN access
  • Banking and financial portals
  • Administrative access to hosting, DNS registrar, and cloud accounts

TOTP authenticator apps (Microsoft Authenticator, Google Authenticator, Aegis) provide stronger protection than SMS-based MFA, which is vulnerable to SIM swap attacks. Neither, however, is phishing-resistant: an adversary-in-the-middle phishing page can relay a TOTP code or push approval to the real login within the code's validity window. Where the budget allows, FIDO2 security keys or passkeys, which bind the credential to the genuine site's origin, are the phishing-resistant option for administrators and finance staff. Conditional Access policies in Microsoft 365 (licensed through Entra ID P1, included in Business Premium) can require MFA only for sign-ins from outside trusted named locations or from unmanaged devices, reducing friction for employees while keeping protection at higher-risk access events.

Further incident statistics and current phishing campaign patterns are published by CERT Polska and tracked by the Anti-Phishing Working Group.