05 Dec, 2020

How Do We Become a Fish Without a Fishing Rod?

Phishing is one of the oldest attack types in the history of the internet. Unlike many other attacks, a phishing attack works by sending the victim a message, via e-mail or another communication channel, and getting them to open the attached file or click the link it contains. The message is crafted to look as if it comes from an institution the victim trusts (usually one that really does send such messages, such as a bank or telecom operator). In some cases, content tailored to the individual's hobbies, beliefs or interests is used as bait. The victim believes the e-mail really comes from that institution and, by opening the file, hands the attackers the ability to run their code with the victim's own hand.

A phishing attack can be carried out quickly and with very simple tools. So what precautions should we take so that we do not become the "hooked fish"? First, a baseline level of awareness should be established among employees and maintained through regular training. In this way, the institution's employees learn to check who an e-mail actually comes from (looking at the real sender address) before accepting it as genuine, and to be cautious when clicking links and opening attachments. In addition, regular phishing simulations make it possible to measure awareness per employee as a metric and to plan further training based on the results.

Things to check quickly when we receive an e-mail:

  • Spelling: E-mails from a corporate company follow spelling and grammar rules carefully; an attacker can easily slip up here.
  • Fake Links: No corporate company will ask for your password, credit card details (especially the expiry date and CVV) or TR ID number through links in an e-mail.
  • Psychological Pressure: Because phishing depends on getting the victim to act, the message often contains wording designed to trigger action, for example "You must confirm your e-mail within 2 hours!".
  • Look-alike Links: This is the simplest form of the attack, but it works very well. An attacker can deceive the victim by creating a link that closely resembles a corporate company's web address, for example a domain like "oguzbank.corn" instead of "oguzbank.com".
  • E-Mail Templates: Corporate companies pay close attention to their e-mail templates. When an attacker imitates such a template, elements may end up misplaced or rendered in a way that looks wrong to our eyes.
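As an added example (not code from the original post), here is a small Python triage script that applies three of the checks above to one message: it collapses look-alike character sequences so that "oguzbank.corn" is recognised as an imitation of "oguzbank.com", and it flags urgency wording and requests for credentials or card data. The trusted-domain list and the sample message are assumptions constructed for the demonstration.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"oguzbank.com"}  # assumed: domains the organisation expects mail from

# Character sequences that read alike in common fonts: "rn" looks like "m".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

URGENCY = re.compile(r"\b(within \d+ (hours?|minutes?)|immediately|will be (suspended|closed))\b", re.I)
SECRETS = re.compile(r"\b(password|cvv|card number|expiration date)\b", re.I)


def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so that 'oguzbank.corn' becomes 'oguzbank.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates; None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if skeleton(domain) == skeleton(t)), None)


def assess(sender: str, body: str, links: List[str]) -> List[str]:
    """Apply the checklist to one message and return the findings (empty = nothing suspicious)."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    hit = lookalike(sender_domain)
    if hit:
        findings.append(f"sender domain {sender_domain} imitates {hit}")
    elif sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not on the trusted list")
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        registrable = ".".join(host.split(".")[-2:])  # last two labels, enough for .com-style names
        hit = lookalike(registrable)
        if hit:
            findings.append(f"link host {host} imitates {hit}")
    if URGENCY.search(body):
        findings.append("urgency wording pushes the reader to act quickly")
    if SECRETS.search(body):
        findings.append("asks for credentials or card data")
    return findings


if __name__ == "__main__":  # constructed sample modelled on the post's oguzbank.corn example
    print(assess("security@oguzbank.corn", "Confirm your e-mail within 2 hours! Enter your password.",
                 ["https://login.oguzbank.corn/verify"]))
```

The confusable table is deliberately short; a production filter would use a fuller homoglyph list and also compare the display name against the address.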
