Phishing
Phishing is a social-engineering method where attackers try to steal sensitive data such as passwords or payment details via fake emails, websites or messages.
Phishing is the most common entry method for cyber attacks and causes billions in damage yearly. Methods are increasingly sophisticated: from mass spam to highly personalized spear-phishing against executives. Despite technical controls, humans remain the weak link – so awareness training is as important as technology. Understanding phishing helps protect yourself and your organization.
What is Phishing?
Phishing is a cyber attack where attackers pose as a trusted party to get victims to reveal sensitive information. Variants include email phishing (mass fake emails), spear-phishing (targeted at specific people), whaling (targeting executives), smishing (SMS), vishing (phone) and pharming (DNS manipulation to redirect to fake sites). Modern phishing uses AI to generate more convincing text and near-identical copies of real sites. Goals range from credentials and payment data to installing malware.
How does Phishing work?
A typical attack starts with a fake email that appears to come from a bank, cloud provider or colleague. The email urges action – e.g. password change or account verification. A link leads to a fake site where the victim enters credentials, which go directly to the attacker. In spear-phishing the attacker researches the target and personalizes the message to build trust.
Practical Examples
- CEO fraud: A fake email from the 'CEO' instructs accounting to make an urgent transfer to a 'new supplier account'.
- Microsoft 365 phishing: Email warns of an 'expiring password' and links to a perfect copy of the Microsoft login page that captures credentials.
- Bank phishing: SMS or email in the bank's name asks for 'verification', including a TAN, on a fake banking page.
- Delivery phishing: Fake DHL or UPS notifications about a 'package' contain links to malware.
- LinkedIn spear-phishing: Personalized messages to employees referring to real projects or colleagues to get them to open infected documents.
Typical Use Cases
- Security awareness: Simulated phishing campaigns test and train staff to recognize phishing
- Email security: SPF, DKIM and DMARC to prevent email spoofing
- Incident response: A reporting process so staff can quickly report suspicious email
- Multi-factor authentication: Even with a stolen password, MFA blocks unauthorized access
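The email-security item above names SPF, DKIM and DMARC but does not show what "prevent spoofing" means in practice. The following is an added example, not code from the glossary page: a minimal DMARC alignment check run over constructed Authentication-Results headers, as a receiving mail server (e.g. OpenDMARC or a large webmail provider) would record them. It assumes SPF and DKIM have already been evaluated upstream and shows the actual rule that stops a spoofed From: address: SPF or DKIM must pass *and* its domain must align with the visible From: domain. The sample messages, the domain names and the simplified organizational-domain helper are all constructed for illustration.

```python
"""Added example: DMARC identifier alignment over Authentication-Results headers.
Assumes an upstream MTA already produced spf=/dkim= verdicts. Samples are constructed."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample 1: legitimate mail, envelope and DKIM domain match From:
LEGIT = """From: Alice <alice@example.com>
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Quarterly report

Hi, see attached.
"""

# Constructed sample 2: CEO-fraud style spoof. The visible From: is the real
# domain, but SPF passed only for an unrelated lookalike envelope domain.
SPOOFED = """From: "CEO" <ceo@example.com>
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=examp1e-mail.test; dkim=none
Subject: Urgent transfer

Please wire funds today.
"""

# Constructed sample 3: 'expiring password' lure sent through a bulk sender
# that signs with its own DKIM domain, which does not align with From:.
THIRD_PARTY = """From: support@example.com
Authentication-Results: mx.receiver.test; spf=fail smtp.mailfrom=bulk-sender.test; dkim=pass header.d=bulk-sender.test
Subject: Your password is expiring

Click here to verify.
"""


def organizational_domain(domain: str) -> str:
    """Relaxed alignment compares organizational domains. Real implementations
    consult the Public Suffix List; this assumption keeps the last two labels."""
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:])


def parse_auth_results(msg: Message) -> dict:
    """Pull spf/dkim verdicts and the identifiers they apply to."""
    hdr = msg.get('Authentication-Results', '')
    out = {'spf': None, 'spf_domain': None, 'dkim': None, 'dkim_domain': None}
    m = re.search(r'spf=(\w+)(?:\s+smtp\.mailfrom=([\w.-]+))?', hdr)
    if m:
        out['spf'], out['spf_domain'] = m.group(1), m.group(2)
    m = re.search(r'dkim=(\w+)(?:\s+header\.d=([\w.-]+))?', hdr)
    if m:
        out['dkim'], out['dkim_domain'] = m.group(1), m.group(2)
    return out


def from_domain(msg: Message) -> str:
    """Domain of the RFC 5322 From: header, i.e. what the recipient sees."""
    m = re.search(r'@([\w.-]+)', msg.get('From', ''))
    return m.group(1).lower() if m else ''


def dmarc_result(raw: str, strict: bool = False) -> dict:
    """DMARC passes only if SPF or DKIM passed AND that identifier's domain
    aligns (strict: exact match; relaxed: same organizational domain) with From:."""
    msg = message_from_string(raw)
    fd = from_domain(msg)
    ar = parse_auth_results(msg)

    def aligned(domain):
        if not domain:
            return False
        if strict:
            return domain.lower() == fd
        return organizational_domain(domain) == organizational_domain(fd)

    spf_ok = ar['spf'] == 'pass' and aligned(ar['spf_domain'])
    dkim_ok = ar['dkim'] == 'pass' and aligned(ar['dkim_domain'])
    return {'from_domain': fd, 'spf_aligned': spf_ok, 'dkim_aligned': dkim_ok,
            'dmarc': 'pass' if (spf_ok or dkim_ok) else 'fail'}


if __name__ == '__main__':
    for name, raw in [('legit', LEGIT), ('spoofed', SPOOFED), ('third_party', THIRD_PARTY)]:
        print(name, dmarc_result(raw))
```

The point the samples make: an SPF or DKIM "pass" on its own proves nothing about the From: address the user reads; sample 2 passes SPF for the attacker's own envelope domain and still fails DMARC because nothing aligns with example.com. What the receiver then does with a failure (quarantine, reject, or only report) is set by the sending domain's published DMARC policy, which this check does not look up.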
Advantages and Disadvantages
Advantages
- Awareness: Understanding phishing methods is the first step to effective protection
- Technical defence: Modern email filters detect and block most phishing automatically
- MFA as safety net: Multi-factor authentication protects even when phishing succeeds
- Measurable improvement: Regular phishing simulations show progress in staff awareness
Disadvantages
- Human factor: No technical control is 100% effective as long as people can be tricked
- Constantly new methods: Attackers keep developing more sophisticated techniques
- AI-generated phishing: AI enables more convincing, personalized phishing
- High damage cost: A single successful phishing attack can cause millions in damage
Frequently Asked Questions about Phishing
How do I recognize a phishing email?
What should I do if I clicked a phishing link?
How can a company protect itself from phishing?
Want to use Phishing in your project?
We are happy to advise you on Phishing and find the optimal solution for your requirements. Benefit from our experience across over 200 projects.