What is Phishing?
Phishing is a social engineering attack where an attacker sends a fraudulent message - typically via email - designed to trick the recipient into revealing sensitive information, clicking a malicious link, or downloading malware. It is the most common initial access vector for cyberattacks.
How Phishing Works
An attacker crafts a message that impersonates a trusted entity - a bank, employer, software provider, or colleague. The message creates urgency (your account has been compromised, your password is expiring, your CEO needs a wire transfer) and directs the target to take an action. That action typically leads to a credential harvesting page, a malware download, or a fraudulent financial transaction. Modern phishing attacks increasingly use AI to generate convincing, personalized messages at scale.
Why Phishing Matters
Phishing remains the number one entry point for data breaches. According to Cofense, the median time from email delivery to first click is just 19 seconds - meaning employees have less than 20 seconds to recognize and resist an attack. The FBI's Internet Crime Complaint Center reported over $2.9 billion in losses from business email compromise alone in 2023. Despite decades of awareness training, phishing continues to work because it targets human psychology, not technology.
Types of Phishing
- Email phishing: Mass-distributed fraudulent emails impersonating trusted brands
- Spear phishing: Targeted attacks aimed at specific individuals using personalized information
- Whaling: Phishing targeting senior executives or high-value individuals
- Clone phishing: Duplicating a legitimate email and replacing links or attachments
- Lateral phishing: Attacks sent from compromised internal accounts
How to Protect Against Phishing
- Deploy multi-channel attack simulations that test employees with realistic phishing scenarios
- Implement email authentication protocols (SPF, DKIM, DMARC)
- Enable multi-factor authentication across all systems
- Monitor employee exposure for data that attackers use to personalize phishing
- Provide immediate, contextual training when employees fail simulations
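The email authentication item above (SPF, DKIM, DMARC) is only as strong as the published policy: an SPF record ending in `+all` or a DMARC policy of `p=none` authenticates nothing. The following script is an added example, not code from the original page or from any vendor it describes; it parses SPF and DMARC TXT records and flags weak settings. The records are constructed samples held in a dictionary so the script runs offline; a real check would fetch the TXT records for `<domain>` and `_dmarc.<domain>` from DNS instead (DKIM is not checked here because its selectors are only discoverable from message headers).

```python
"""Evaluate SPF and DMARC DNS TXT records for weak settings.

Added example, not from the original page. SAMPLE_TXT holds constructed
records standing in for DNS lookups so the script runs offline.
"""
from dataclasses import dataclass, field

# Constructed sample records keyed by the DNS name that would be queried.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strict.example"],
}


@dataclass
class Finding:
    domain: str
    issues: list = field(default_factory=list)


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for a v=spf1 record.

    all_qualifier is '+', '-', '~' or '?' for the record's 'all' term,
    or None when the record has no 'all' term. Returns None if the
    record is not SPF at all.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qual = [], None
    for term in terms[1:]:
        qual = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            all_qual = qual
        else:
            mechanisms.append((qual, term))
    return mechanisms, all_qual


def parse_dmarc(record):
    """Return DMARC tag=value pairs as a dict, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_domain(domain, txt_lookup):
    """Report policy weaknesses for one domain using a name->[TXT records] mapping."""
    finding = Finding(domain)

    spf = [r for r in txt_lookup.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        finding.issues.append("no SPF record")
    elif len(spf) > 1:
        finding.issues.append("multiple SPF records (receivers treat this as a permanent error)")
    else:
        _, all_qual = parse_spf(spf[0])
        if all_qual is None:
            finding.issues.append("SPF has no 'all' term; unlisted senders evaluate as neutral")
        elif all_qual == "+":
            finding.issues.append("SPF ends in +all; any host may send as this domain")
        elif all_qual in "~?":
            finding.issues.append(f"SPF ends in {all_qual}all; spoofed mail is not rejected by SPF alone")

    dmarc = [r for r in txt_lookup.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        finding.issues.append("no DMARC record; receivers cannot enforce alignment")
        return finding
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        finding.issues.append("DMARC p=none: failing mail is only reported, never blocked")
    elif policy == "quarantine":
        finding.issues.append("DMARC p=quarantine: failing mail lands in spam rather than being rejected")
    elif policy != "reject":
        finding.issues.append(f"DMARC policy missing or unknown: {policy!r}")
    try:
        if int(tags.get("pct", "100")) < 100:
            finding.issues.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail stream")
    except ValueError:
        finding.issues.append(f"DMARC pct is not numeric: {tags.get('pct')!r}")
    if "rua" not in tags:
        finding.issues.append("DMARC has no rua tag; aggregate reports will not be received")
    return finding


if __name__ == "__main__":
    for name in ("example.com", "strict.example", "nodns.example"):
        result = evaluate_domain(name, SAMPLE_TXT)
        print(name, "->", result.issues or ["no issues found"])
```

Running it lists `example.com` with a soft-fail SPF and a monitor-only DMARC policy, `strict.example` with no findings, and `nodns.example` with both records missing. Swapping `SAMPLE_TXT` for live TXT lookups turns this into a quick audit of the domains an organization sends mail from.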
Frequently Asked Questions
What is phishing in simple terms?
Phishing is a type of cyberattack where someone sends a fake message, usually an email, pretending to be from a trusted source like your bank or employer. The goal is to trick you into clicking a malicious link, downloading malware, or revealing sensitive information like passwords.
What is the difference between phishing and spear phishing?
Standard phishing casts a wide net with mass-distributed generic emails. Spear phishing is targeted, using personal details about the victim to craft a convincing, individualized message. Spear phishing has a much higher success rate because the messages appear legitimate.
How quickly do people fall for phishing emails?
According to Cofense, the median time from email delivery to first click is just 19 seconds. This means employees have less than 20 seconds to recognize and resist an attack, which is why training and simulations are critical.