Glossary Term

Phishing

Deceptive messages that trick users into revealing credentials or installing malware.



What it is

Phishing is a social engineering tactic in which attackers impersonate trusted entities to manipulate recipients into disclosing credentials or financial information, or into executing malicious actions. Campaigns range from broad, template-driven emails to highly tailored spear-phishing that references real relationships and projects. Attackers exploit psychological triggers such as urgency, fear and curiosity to prompt recipients to click malicious links, open weaponized attachments, or approve fraudulent multi-factor prompts. Modern phishing extends beyond email to SMS (smishing), phone calls (vishing), collaboration platforms, and social media. Credential harvesting sites mimic legitimate login portals with convincing branding and valid TLS certificates, so a browser padlock is no indicator of legitimacy. Meanwhile, malware-laden attachments deploy remote access trojans or ransomware. Because phishing targets human judgment, technical defenses must be paired with education and resilient authentication controls. Even security-aware users can be deceived when attackers compromise legitimate suppliers or hijack ongoing conversations.

Why it matters

Phishing remains the leading initial access vector for data breaches and ransomware incidents. Successful campaigns can bypass perimeter defenses, compromise trusted accounts, and cascade through supply chains, resulting in financial loss and reputational harm.

How to reduce risk

  • Implement email security gateways, DMARC/DKIM/SPF policies, and URL rewriting to block or flag suspicious messages.
  • Require multi-factor authentication across critical services so that harvested credentials alone do not grant access, preferring phishing-resistant factors where possible, since the fraudulent approval prompts described above can defeat push-based MFA.
  • Conduct regular, contextual security awareness training that covers emerging lures and reporting procedures.
  • Provide rapid reporting channels and automate response workflows to contain compromised accounts swiftly.
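To make the DMARC/DKIM/SPF item concrete, here is an added example (not from the original glossary) of the gateway-side check those records enable: it parses a sender's published DMARC policy and an inbound Authentication-Results header, then decides whether a message whose From: claims example.com actually authenticates for that domain. The headers, domain names and the two-label organizational-domain shortcut are constructed assumptions for illustration.

```python
import re

# Constructed sample Authentication-Results headers (not from a real message).
LEGIT_AR = "mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com"
SPOOF_AR = "mx.example.net; spf=pass smtp.mailfrom=attacker-relay.test; dkim=none"

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag/value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def dmarc_is_enforcing(record):
    """Only p=quarantine/p=reject on 100% of mail blocks spoofing; p=none or partial pct= just reports."""
    policy = record.get("p", "none").lower()
    return policy in ("quarantine", "reject") and int(record.get("pct", "100")) == 100

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption: real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Extract (result, domain) for the SPF and DKIM checks from an Authentication-Results header."""
    found = {}
    spf = re.search(r"spf=(\w+)[^;]*smtp\.mailfrom=([\w.@\-]+)", header)
    if spf:
        found["spf"] = (spf.group(1).lower(), spf.group(2).split("@")[-1])
    dkim = re.search(r"dkim=(\w+)[^;]*header\.d=([\w.\-]+)", header)
    if dkim:
        found["dkim"] = (dkim.group(1).lower(), dkim.group(2))
    return found

def dmarc_pass(header, from_domain):
    """DMARC passes when SPF or DKIM passes AND its domain aligns (relaxed mode: same organizational
    domain) with the visible From: domain; SPF passing for an unrelated relay, as in SPOOF_AR, does not count."""
    return any(result == "pass" and org_domain(domain) == org_domain(from_domain)
               for result, domain in parse_auth_results(header).values())

def gateway_verdict(header, from_domain, dmarc_txt):
    """Inbound gateway action: on DMARC failure, apply the sender domain's published policy."""
    if dmarc_pass(header, from_domain):
        return "deliver"
    record = parse_dmarc_record(dmarc_txt)
    if dmarc_is_enforcing(record):
        return record["p"].lower()
    return "deliver (monitor only)"
```

A lookalike domain that authenticates for itself passes these checks, so DMARC stops spoofing of a domain rather than impersonation by a similar one; it is one layer beside the MFA, training and reporting controls listed above.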