What is phishing?
Phishing is a type of cyberattack in which an attacker impersonates a trusted person, organization, or brand. The purpose is to deceive victims into handing over sensitive information such as passwords, financial details, or login credentials, or into taking an action that compromises their security, such as clicking a malicious link or downloading malware. The term is derived from “fishing,” reflecting the idea that attackers cast a wide net hoping that enough victims will take the bait.
Phishing is primarily a social engineering attack. It exploits human psychology rather than technical vulnerabilities. Attackers rely on urgency, fear, authority, and trust to pressure targets into acting quickly and without scrutiny. A message might claim that a bank account has been compromised, a package cannot be delivered, or that immediate action is required to avoid a penalty. The goal is always the same: to manipulate the recipient into complying before they stop to think critically.
Phishing is one of the most prevalent forms of cybercrime. It serves as the entry point for many of the most damaging attacks on record — including ransomware deployments, business email compromise fraud, and large-scale data breaches. Because it targets people rather than systems, even organizations with strong technical defenses remain vulnerable if their employees are not trained to recognize and report phishing attempts.
What are the different types of phishing attacks?
Phishing has evolved well beyond the generic mass-email campaigns of the early internet. Today’s attackers use a wide range of delivery methods and targeting strategies, each designed to maximize the likelihood that a specific victim or organization will be deceived. Understanding the major variants is essential to building effective defenses.
Email phishing:
The most common form. Attackers send fraudulent emails at scale, impersonating well-known brands such as banks, cloud service providers, government agencies, and shipping companies. The purpose is to lure recipients into clicking malicious links or providing credentials on fake login pages. Volume is the strategy: even a low success rate across millions of messages yields significant returns.
Spear phishing:
A targeted variant in which the attacker researches a specific individual or organization and crafts a highly personalized message. Rather than a generic alert, the victim might receive an email that references their name, role, a colleague, or a recent business event. Spear phishing is significantly harder to detect and is the method of choice for nation-state actors and sophisticated threat groups targeting high-value organizations.
Whaling:
A form of spear phishing that targets senior executives, also known as the “big fish”: CEOs, CFOs, and board members. Because these individuals have authority to authorize wire transfers and access sensitive data, a successful whaling attack can result in catastrophic financial or reputational damage. Attackers often impersonate legal counsel, regulatory bodies, or other executives to create pressure.
Business Email Compromise (BEC):
BEC attacks involve impersonating a trusted internal figure — a manager, CEO, or vendor — to redirect financial transactions or extract sensitive data. The FBI consistently reports BEC as one of the costliest forms of cybercrime, with losses in the billions annually. A common scenario involves an attacker posing as a CFO instructing an employee to wire funds to an account the attacker controls.
Smishing (SMS phishing):
Phishing delivered via text message. Attackers pose as delivery services, banks, or government agencies and send urgent messages with malicious links. Mobile devices often obscure the full URL of a link, making it harder for users to spot the deception. Smishing exploits the immediacy with which most people respond to text messages.
Vishing (voice phishing):
Phishing conducted over the phone, where attackers pose as bank representatives, tech support agents, or government officials. The rise of voice-over-IP technology has enabled mass vishing campaigns at low cost. More sophisticated attacks now use AI-generated voice cloning to impersonate real individuals — including executives — with alarming accuracy.
Quishing (QR code phishing):
A newer technique in which attackers embed malicious URLs inside QR codes. Because the URL inside a QR code is not readable by humans, it can slip past email security filters and is less likely to trigger suspicion. Quishing codes appear in emails, printed materials, and even on physical stickers placed over legitimate QR codes in public spaces.
AI-powered phishing:
Generative AI has dramatically lowered the barrier to creating convincing phishing content. What once took a skilled attacker hours to craft manually can now be produced in minutes, with correct grammar, contextually appropriate detail, and personalization at scale. AI tools are also enabling deepfake audio and video impersonations, making voice and video-based phishing attacks significantly more convincing than they were just a few years ago.
The common thread across all of these variants is deception. Whether delivered by email, text, phone, or QR code, every phishing attack depends on convincing the target that the communication is legitimate and that action is required.
How do phishing attacks work?
Phishing attacks follow a recognizable pattern, even as their methods grow more sophisticated. Understanding how an attack unfolds — from initial contact to exploitation — helps organizations identify both technical and human-layer defenses that can interrupt the chain.
1. Target selection and reconnaissance
In mass phishing campaigns, target selection is minimal. Attackers simply send messages to as many addresses as possible. In spear phishing and BEC attacks, the attacker first researches the target. They mine LinkedIn, company websites, social media profiles, and public records to build a profile: Who does this person work with? What systems does their organization use? What recent events — mergers, audits, personnel changes — could be used to create a plausible pretext?
2. Building the lure
The attacker constructs the deceptive message or fake asset — a spoofed email address, a cloned login page, a fraudulent invoice, a malicious attachment. The goal is to make the communication appear entirely legitimate. Attackers register domains that closely resemble real ones (a practice called typosquatting), copy the branding and formatting of trusted organizations, and craft pretexts that are plausible in the context of the target’s life or work.
3. Delivery and psychological manipulation
The phishing message is delivered and engineered to trigger a specific psychological response. Common manipulation techniques include:
- Urgency: “Your account will be locked in 24 hours.” Urgency reduces the time a target has to think critically.
- Authority: “This is your IT department” or “Legal counsel requires your immediate response.” Authority pressure makes targets less likely to question the request.
- Fear: Threats of financial loss, account suspension, or legal consequences trigger an emotional response that overrides careful thinking.
- Trust: Impersonating a known contact, brand, or institution lowers the target’s guard. In barrel phishing, attackers send an initial benign email to establish rapport before following up with the malicious request.
4. Exploitation
If the target complies — clicking the link, submitting credentials, opening the attachment, or authorizing the transfer — the attacker achieves their objective. This may result in credential theft, malware installation, financial fraud, or unauthorized access to corporate systems. In enterprise environments, a single compromised account is frequently the starting point for lateral movement deeper into the network. This could eventually enable ransomware deployment, data exfiltration, or persistent access by an advanced persistent threat (APT) group.
What makes phishing particularly dangerous is how little technical sophistication it requires. An attacker does not need to exploit a software vulnerability or defeat a firewall. They simply need to convince one person to take one wrong action. In large organizations, where hundreds or thousands of employees receive external communications daily, the odds consistently favor the attacker.
How can you protect yourself from phishing?
Effective phishing protection requires both individual awareness and organizational controls. Neither is sufficient on its own — technical defenses can be bypassed, and human vigilance alone cannot keep pace with the volume and sophistication of modern phishing campaigns.
For individuals:
- Slow down before acting. Urgency is the attacker’s greatest tool. If a message demands immediate action, treat that as a red flag, not a reason to comply faster.
- Verify through a separate channel. If you receive an unexpected request for credentials, a wire transfer, or sensitive information — even from a known contact — confirm it by calling the person directly or navigating to the organization’s website independently. Do not use contact details provided in the suspicious message itself.
- Inspect links before clicking. Hover over links to reveal the actual destination URL. Look for misspellings, unusual domains, or mismatches between the displayed text and the real address. On mobile, press and hold to preview the link before opening it.
- Enable multi-factor authentication (MFA). MFA provides a critical backstop if credentials are stolen. Even if an attacker captures a username and password through a phishing page, MFA prevents them from using those credentials to access the account without the second factor.
- Report suspected phishing. In organizational environments, reporting a suspected phishing attempt — even if you did not click anything — helps security teams identify active campaigns and protect colleagues who may receive the same message.
For organizations:
- Email security and filtering. Deploy email security tools that use machine learning to identify and quarantine phishing messages before they reach inboxes. Email authentication standards like DMARC, DKIM, and SPF help prevent domain spoofing and ensure that only authorized senders can send mail as your domain.
- Security awareness training. Regular, scenario-based training — including simulated phishing exercises — helps employees recognize attack patterns and builds the habit of critical evaluation before acting on suspicious communications. Training should be updated regularly to reflect evolving tactics, including AI-generated phishing.
- Zero trust and conditional access. Even when phishing succeeds in stealing credentials, a zero trust architecture limits the damage. By continuously validating identity and device posture before granting access — and restricting lateral movement through least privilege controls — organizations can prevent a single compromised account from becoming a full network breach.
- Endpoint detection and response (EDR). If a phishing attack succeeds in delivering malware through a clicked link or opened attachment, EDR solutions can detect the malicious activity on the endpoint, contain the threat, and alert security teams before the damage spreads.
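SPF, DKIM and DMARC only prevent spoofing when the published records are strict; a permissive SPF terminator or a DMARC policy of p=none lets a forged message through. The Python script below is an added example, not code from the original page or from any product, that reads the three record types from a dictionary standing in for DNS and reports the weak settings next to a hardened set. Both record sets and the DKIM selector name (selector1) are constructed for the example, and the DKIM key value is a placeholder, not a real public key.

```python
import re

# Constructed DNS TXT records for a hypothetical domain, as they might appear in a
# zone file. Neither set describes a real domain; the DKIM key is a placeholder.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.mail-provider.example ?all",
    "_dmarc.example.com": "v=DMARC1; p=none; pct=50",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.mail-provider.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}

# SPF mechanisms and modifiers that each cost a DNS lookup; RFC 7208 caps them at 10.
LOOKUP_TERMS = re.compile(r"^(include:|a$|a[:/]|mx|ptr|exists:|redirect=)")

def parse_tags(txt):
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def assess_spf(txt, domain):
    if not txt.startswith("v=spf1"):
        return [f"SPF: no record for {domain}; receivers cannot tell which hosts may send as it"]
    findings, all_qual, lookups = [], None, 0
    for term in txt.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        mech = term.lstrip("+-~?")
        if mech == "all":
            all_qual = qual
        elif LOOKUP_TERMS.match(mech):
            lookups += 1
    if all_qual in (None, "+", "?"):
        findings.append("SPF: no '-all' terminator; unlisted hosts are not rejected when sending as the domain")
    elif all_qual == "~":
        findings.append("SPF: '~all' is a softfail; most receivers only mark such mail, they do not reject it")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10; the record evaluates as permerror")
    return findings

def assess_dmarc(txt, domain):
    if not txt.startswith("v=DMARC1"):
        return [f"DMARC: no record at _dmarc.{domain}; SPF and DKIM failures are never enforced"]
    tags, findings = parse_tags(txt), []
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports of spoofing attempts go unseen")
    return findings

def assess_dkim(txt, selector, domain):
    tags = parse_tags(txt)
    # 'v=' defaults to DKIM1; an empty or missing 'p=' means no key (revoked or never published).
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return [f"DKIM: no usable key at {selector}._domainkey.{domain}; signatures cannot be verified"]
    return []

def assess(records, domain, selector="selector1"):
    """Return the list of weaknesses found in a domain's email-authentication records."""
    return (assess_spf(records.get(domain, ""), domain)
            + assess_dmarc(records.get(f"_dmarc.{domain}", ""), domain)
            + assess_dkim(records.get(f"{selector}._domainkey.{domain}", ""), selector, domain))

if __name__ == "__main__":
    for name, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"{name}: {assess(recs, 'example.com') or ['no findings']}")
```

The weak set produces five findings (a neutral SPF terminator, a monitor-only DMARC policy applied to half the mail with no reporting address, and no DKIM key), and the hardened set produces none. Moving from p=none to p=reject is normally staged through p=quarantine after reviewing the rua reports, so that legitimate senders that were missed in the SPF or DKIM setup are caught before their mail starts being rejected.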
Phishing will remain one of the most common attack vectors for as long as humans are part of the security equation. The most resilient defense is a layered one: technology to catch what it can, mechanisms to quickly deploy policy updates (such as cloud-native security), trained people to recognize what technology misses, and processes that limit the blast radius when an attack inevitably gets through.