Practical guide

Phishing in Morocco: recognize an attack and protect your company

Phishing is the most ordinary attack and, at the same time, the most frequent doorway into serious incidents. A single click by a single employee is often enough to give an attacker a foot in the door that leads to a data breach, a wire-transfer fraud or ransomware. In Morocco as elsewhere, it is not an individual problem: it is a business security risk. This guide explains how to recognize an attempt, what to do if you fell for one, and how an organization actually reduces this risk, beyond the awareness poster.

What is phishing?

In one sentence: phishing is a social engineering technique in which an attacker impersonates a trusted party — a bank, a supplier, a colleague, an administration — to push you into disclosing information (credentials, banking details) or performing an action (clicking a link, opening an attachment, approving a payment).

The attack does not target a technical flaw: it targets the person. That is what makes it both so widespread and so hard to block with technology alone. It works because a credible message lowers the guard that a suspicious one would raise.

What are the different types of phishing?

Direct answer: the principle never changes (usurp trust), but the channels and targets vary.

  • Bulk phishing. The generic email sent to thousands of addresses, betting on volume.
  • Spear phishing. A targeted, personalized message that cites your name, your role or a real matter to gain credibility.
  • Whaling. Spear phishing aimed at an executive — the “big catch”.
  • Smishing. Phishing by SMS: a fake delivery, bank or administration message with a link.
  • Vishing. Phishing by phone (voice), where the attacker poses as IT support or the bank.
  • Business email compromise (BEC). Compromising or impersonating a corporate mailbox to order an urgent transfer in an executive’s name — one of the costliest frauds for companies in Morocco.
  • Quishing. Phishing by QR code: the link is encoded in an image, so URL filters on the mail gateway do not see it, and the click moves to the employee's personal phone, outside the company's controls.

How to recognize a phishing email? The signals

Direct answer: no single signal is decisive, but their accumulation is.

Anatomy of a phishing email: a sender with an almost-right domain, a subject playing on urgency, a link whose real destination differs from the text, an unexpected attachment, and a request for credentials or payment.

The most reliable signals:

  • A sender address that does not match the displayed name, or an almost-right domain (a changed letter, a “.com” that became something else).
  • A sense of urgency or threat: blocked account, penalty, final deadline — to make you act before you think.
  • A link whose real destination differs from the displayed text (hover over it, without clicking, to see the URL; on a phone, long-press the link to preview it). A displayed URL that shows the right domain proves nothing: the underlying target is what counts.
  • A request for credentials, payment or sensitive data by message — a legitimate institution does not work that way.
  • An unexpected attachment, especially a document that asks you to “enable macros”.
  • A generic greeting, unusual phrasing, or a tone that does not match the supposed sender.

When in doubt about a business message, the golden rule is verification through another channel: call the person or institution on a known number, never the one provided in the message.
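The checks above can be written down as code. The following is an added example, not tooling from the original page: it parses a constructed sample message with Python's standard library and scores the signals the list describes (lookalike sender domain, display name that borrows a trusted brand, urgency words, credential requests, generic greeting, link text that does not match its target, risky attachment). The trusted domains, keyword lists and the "three signals" threshold are assumptions made for the demo, and the sample message is constructed, not a real capture.

```python
"""Heuristic scoring of the phishing signals listed above, run over a constructed sample message.
Added example, not tooling from the page: trusted domains, keywords and threshold are assumptions."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.ma", "example.com"}  # assumed for the demo
URGENCY = ("urgent", "immediately", "suspended", "blocked", "within 24 hours", "final notice")
CREDENTIALS = ("password", "verify your account", "confirm your identity", "bank details")
RISKY_EXT = (".docm", ".xlsm", ".pptm", ".zip", ".iso", ".lnk", ".js", ".exe", ".html")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host_or_url):
    """Last two DNS labels of a host or URL, lowercased (simplification: no public-suffix list)."""
    s = host_or_url if "://" in host_or_url else "http://" + host_or_url
    return ".".join((urlparse(s).hostname or "").lower().split(".")[-2:])

def one_edit_away(a, b):
    """True when a != b and one substitution, insertion or deletion turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def lookalike(domain):
    """Almost-right domain: one character off a trusted domain, or the same name under another TLD."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(one_edit_away(domain, t) or domain.rsplit(".", 1)[0] == t.rsplit(".", 1)[0]
               for t in TRUSTED_DOMAINS)

def analyse(raw):
    """Return the set of signal names found in a raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = set()
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    if lookalike(sender_domain):
        found.add("lookalike_sender_domain")
    if sender_domain not in TRUSTED_DOMAINS and any(   # brand in the display name, sent from elsewhere
            t.split(".")[0] in sender.display_name.lower().replace(" ", "") for t in TRUSTED_DOMAINS):
        found.add("display_name_impersonates_trusted_brand")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = " ".join(re.sub(r"<[^>]+>", " ", html).split()).lower()  # tag-stripped body text
    haystack = (msg["Subject"] or "").lower() + " " + text
    if any(w in haystack for w in URGENCY):
        found.add("urgency_or_threat")
    if any(w in haystack for w in CREDENTIALS):
        found.add("asks_for_credentials_or_payment")
    if text.startswith(("dear customer", "dear user", "dear sir")):
        found.add("generic_greeting")
    if "enable macros" in haystack or "enable content" in haystack:
        found.add("asks_to_enable_macros")
    links = LinkExtractor()
    links.feed(html)
    for href, shown in links.links:   # compare only when the visible text itself looks like a URL
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown) and registrable(shown) != registrable(href):
            found.add("link_text_differs_from_target")
        if lookalike(registrable(href)):
            found.add("link_to_lookalike_domain")
    if any((p.get_filename() or "").lower().endswith(RISKY_EXT) for p in msg.iter_attachments()):
        found.add("risky_attachment")
    return found

def verdict(signals):
    """No single signal decides; three or more together do (the threshold is an assumption)."""
    return "likely phishing" if len(signals) >= 3 else ("review manually" if signals else "no signal")

def build_sample():
    """Constructed phishing sample for the demo, not a real capture."""
    m = EmailMessage()
    m["From"] = "ExampleBank Security <alerts@examp1ebank.ma>"
    m["To"] = "finance@example.com"
    m["Subject"] = "URGENT: your account will be suspended within 24 hours"
    m.set_content('<p>Dear customer,</p><p>Your account has been blocked. Open '
                  '<a href="http://login.examp1ebank.ma/verify">https://examplebank.ma/secure</a> '
                  'to confirm your identity and re-enter your password.</p>', subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="octet-stream",
                     filename="Invoice_2024.docm")
    return m.as_bytes()
```

Running `verdict(analyse(build_sample()))` on the constructed sample returns "likely phishing" with eight signals set, while the same message with a correct sender and matching link would trip only the urgency words. That is the point of the section: the filter is the accumulation, not any one indicator, and a real gateway would add what this toy cannot (sender reputation, SPF/DKIM results, sandboxing of the attachment).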

What to do in a phishing case?

Direct answer: it depends on what you did — received, clicked, or entered your information.

  • You received the message without clicking. Do not click, do not reply. Report it (to your security team in a company, to the impersonated institution), then delete it.
  • You clicked or entered your credentials. Act fast: immediately change the affected password and that of any other account that shared it, enable multi-factor authentication (MFA), and, where the service allows it, sign out all other sessions, since a password change does not always end a session the attacker already opened. Notify your IT department or your bank, and watch for suspicious logins and transactions.
  • It happened on a work device. Notify your security team without delay: a stolen credential is often the first link in a larger attack. Better one report too many than an access left open.

Never hide an unlucky click out of embarrassment. The time between the click and the report is exactly the window the attacker needs.

How to protect a company against phishing?

Direct answer: an organization reduces this risk through a combination of human and technical measures — no single one is enough.

  • Multi-factor authentication (MFA) everywhere. Even a stolen password becomes far less usable. It is the measure with the best effort-to-effect ratio. Prefer phishing-resistant methods (FIDO2 security keys, passkeys) for privileged and finance accounts: one-time codes and push prompts can be relayed in real time by a proxy phishing page, a security key cannot.
  • Email anti-spoofing. SPF, DKIM and DMARC correctly configured stop messages that use your exact domain as the sender. They do nothing against a lookalike domain or a compromised supplier mailbox, and a DMARC record with p=none only reports: the policy must be quarantine or reject to block anything.
  • Filtering and detection. An email gateway that blocks malicious links and attachments upstream.
  • Out-of-band verification of payments. Any transfer request or change of banking details confirmed through a known channel — the direct counter to BEC.
  • Continuous employee awareness. Not a poster once a year, but a regular practice that teaches people to recognize and report.
  • Phishing simulations. Simulated campaigns, without humiliating traps, that measure the real click rate and turn awareness into reflex — the gap between “we trained the teams” and “we know how they actually react”.
  • A simple reporting procedure. A button or an address to report in one gesture: the simpler it is, the earlier teams report.
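The anti-spoofing item above hides a common failure: a domain that "has SPF and DMARC" but with settings that block nothing. The following is an added example, not tooling from the original page. It lints SPF and DMARC TXT records for the weak settings a practitioner checks first (a permissive or missing `all`, too many lookups, `p=none`, partial `pct`, missing reports, unprotected subdomains) and contrasts a constructed weak setup with its corrected form. The records are constructed strings; DKIM is not linted because it needs the selector records from DNS.

```python
"""Lint SPF and DMARC TXT records for the weak settings that leave a domain easy to spoof.
Added example, not tooling from the page. Records below are constructed strings, not DNS lookups."""
import re

LOOKUP_MECHS = {"a", "mx", "ptr", "exists", "include", "redirect"}  # each costs a DNS query; RFC 7208 allows 10

def _name(term):
    """Mechanism or modifier name without qualifier, argument or CIDR suffix."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def lint_spf(record):
    """Return (severity, message) findings for one SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "not an SPF record: must start with v=spf1")]
    names = [_name(t) for t in terms[1:]]
    findings = []
    if "all" in names:
        i = names.index("all")
        q = terms[i + 1][0] if terms[i + 1][0] in "+-~?" else "+"   # qualifier defaults to pass
        if q == "+":
            findings.append(("high", "'+all' authorises every host on the internet to send as this domain"))
        elif q == "?":
            findings.append(("high", "'?all' is neutral: spoofed mail is neither passed nor failed"))
        elif q == "~":
            findings.append(("low", "'~all' softfail: many receivers still deliver; use -all once DMARC is enforced"))
        if i != len(names) - 1:
            findings.append(("medium", "terms after 'all' are never evaluated"))
    elif "redirect" not in names:
        findings.append(("high", "no 'all' mechanism: unlisted senders get a neutral result"))
    if "ptr" in names:
        findings.append(("medium", "'ptr' is deprecated by RFC 7208 and slow to evaluate"))
    lookups = sum(n in LOOKUP_MECHS for n in names)
    if lookups > 10:
        findings.append(("high", f"{lookups} lookup terms exceed the limit of 10: evaluates to permerror"))
    return findings

def lint_dmarc(record):
    """Return (severity, message) findings for one DMARC record (the _dmarc.<domain> TXT)."""
    tags = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            k, v = chunk.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return [("high", "not a DMARC record: must start with v=DMARC1")]
    findings = []
    p = tags.get("p")
    if p is None:
        findings.append(("high", "missing p= tag: receivers ignore the record"))
    elif p == "none":
        findings.append(("high", "p=none only monitors: mail failing SPF and DKIM is still delivered"))
    elif p == "quarantine":
        findings.append(("low", "p=quarantine: spoofed mail is flagged or sent to spam, not rejected"))
    if tags.get("sp", p) == "none" and p not in (None, "none"):
        findings.append(("medium", "sp=none: subdomains stay spoofable while the main domain is protected"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(("medium", "no rua= address: no aggregate reports, so spoofing goes unseen"))
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(("low", f"{tag}=r (relaxed): any subdomain aligns; strict is tighter"))
    return findings

def worst(findings):
    """Highest severity present, or 'ok'."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((s for s, _ in findings), key=order.get, default="ok")

# Constructed records: a typical weak setup next to the corrected one.
WEAK_SPF = "v=spf1 a mx include:_spf.example.net ptr +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 mx include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, lint_spf), ("weak DMARC", WEAK_DMARC, lint_dmarc),
                           ("strong SPF", STRONG_SPF, lint_spf), ("strong DMARC", STRONG_DMARC, lint_dmarc)):
        fs = fn(rec)
        print(f"{label}: {worst(fs)}", *[f"  [{s}] {m}" for s, m in fs], sep="\n")
```

To lint your own domain, fetch the records first (`dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`, substituting your domain) and pass the strings to `lint_spf` and `lint_dmarc`. The weak pair above is what "we have SPF and DMARC" often means in practice: `+all` authorises the whole internet, and `p=none` with `pct=50` enforces nothing. Move to `p=reject` only after the aggregate reports (`rua=`) show that every legitimate sender passes.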

Phishing is not an individual problem, it is a business risk

An employee's click is not a moral failing: it is a predictable security event you must design to absorb. Phishing is one of the leading initial-access vectors of serious attacks: it is behind a large share of ransomware incidents and carries the business email compromise that costs companies in Morocco dearly. That is why the right question is not "are our employees careful enough?" but "what happens, concretely, when one of them clicks?". A resilient organization assumes someone will click, and makes sure that click is not enough, through MFA, segmentation, detection and fast reporting.

Phishing awareness and simulations: what we bring

Measuring your teams’ real reaction beats assuming their vigilance. As part of a red teaming and attack simulation engagement, we include social engineering — including simulated phishing campaigns, under strict rules of engagement — to reveal how a realistic attack would spread from a first click, and where your detection and response hold or give way. A broader security assessment situates phishing within your whole exposure, and GRC advisory helps embed awareness into durable governance rather than a one-off event. Every engagement is senior-led and ends with evidence and an action plan — not a report of alarm.

The Moroccan context: who to report phishing to?

In Morocco, administrations, public bodies and vital infrastructure are invited by maCERT — the national incident response team, attached to the DGSSI — to report any incident, including phishing, to incident@macert.gov.ma. If personal data is compromised, Law 09-08 and the CNDP may impose distinct obligations, and Law 05-20 governs the entities in scope. For a private company, the first step remains internal — security team, leadership — and with the impersonated institution (your bank, for instance). We do not provide legal advice: the exact extent of your obligations is for your counsel.

Where to start

If you want to know how your teams would really react to an attack — and where a first click would lead inside your information system — a scoped red teaming engagement or a security assessment gives you a measured answer, not a guess.

Request a scoping call · See red teaming

Frequently asked questions

What is phishing?

A social engineering technique in which an attacker impersonates a trusted party to push you into disclosing information (credentials, banking details) or performing an action (clicking, paying, opening an attachment). Phishing targets the person, not a technical flaw.

How do you recognize a phishing email?

By the accumulation of signals: a sender address that does not match, urgency or threat, a link whose destination differs from the displayed text, a request for credentials or payment, an unexpected attachment, a generic greeting. When in doubt about a business message, verify through another known channel.

What should you do if you clicked a phishing link or entered your credentials?

Immediately change the affected password and any that shared it, enable multi-factor authentication, and notify your IT department or your bank. If it was a work device, report it to your security team without delay: a stolen credential is often the first link in a larger attack.

What are the main types of phishing?

Bulk phishing aims wide by email; spear phishing is a targeted, personalized message; smishing is phishing by SMS. Variants include vishing (by phone), whaling (aimed at an executive), quishing (by QR code) and business email compromise (BEC).

How do you protect a company against phishing?

Through several layers: MFA everywhere, email anti-spoofing (SPF, DKIM, DMARC), message filtering, out-of-band verification of payments, continuous awareness, phishing simulations and a simple reporting procedure. Technology alone is not enough; people and detection complete the setup.

What is business email compromise (BEC)?

An attack where a corporate mailbox is impersonated or compromised to order an urgent transfer in an executive’s name. The most effective counter is systematic verification of any payment request or change of banking details through a known channel.

Who do you report phishing to in Morocco?

Administrations, public bodies and vital infrastructure can report incidents, including phishing, to maCERT (attached to the DGSSI) at incident@macert.gov.ma. A private company reports first internally and to the impersonated institution; if personal data is compromised, CNDP obligations may apply — to confirm with your counsel.

Read next: Ransomware in Morocco: what to do and how to protect. Operating in Morocco? See how we work: Cybersecurity in Morocco.