Phishing
Phishing is a type of social engineering attack where threat actors use deceptive communications — typically email, but also SMS (smishing), voice calls (vishing), or messaging platforms — to trick victims into revealing credentials, clicking malicious links, or downloading malware.
Types of Phishing
- Email Phishing: Mass emails impersonating trusted brands or services
- Spear Phishing: Targeted attacks customized for specific individuals or organizations
- Whaling: Attacks targeting senior executives and high-value individuals
- Business Email Compromise (BEC): Impersonating an executive, vendor or partner, often from a compromised or lookalike mailbox, to get staff to approve a fraudulent payment or change payment details
- Smishing/Vishing: Phishing via SMS text messages or voice phone calls
- Clone Phishing: Re-sending a copy of a legitimate email the victim has already received, with its links or attachments swapped for malicious ones
Common Phishing Indicators
- Urgent language creating a sense of immediate action required
- Sender domain that does not match the claimed organization, a lookalike domain (for example a digit 1 in place of the letter l), or a Reply-To address at a different domain than From
- Unexpected attachments or links
- Requests for credentials or sensitive information
- Generic greetings instead of personalized content
- Grammar and spelling errors (a weak signal on its own: well-written, template-based phishing is now common)
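Several of the indicators above can be checked mechanically on a message's headers and body. The Python script below is an added example written for this page, not code from the original: it parses a constructed sample message (the addresses, domains and text are made up for the demo) and reports a display name that carries a different address than the real sender, a Reply-To at another organization, urgency terms in the subject, a generic greeting, and links whose visible text names a different host than their href. The two-label organizational-domain shortcut is a simplification noted in the code.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message for the demo (not a real phish). "examp1e" uses the
# digit 1 in place of the letter l, a common lookalike trick.
SAMPLE_EMAIL = """\
From: "IT Support <helpdesk@example.com>" <alerts@examp1e-support.net>
Reply-To: recovery@mail-verify.example.org
Subject: URGENT: your password expires in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user,</p>
<p>Your account will be suspended. Verify immediately:
<a href="http://examp1e-support.net/login">https://sso.example.com/login</a></p>
</body></html>
"""

URGENCY_TERMS = ("urgent", "immediately", "suspended", "expires", "within 24 hours")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear account holder")


class LinkExtractor(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    # Hostname of an absolute URL, or None if the string is not one.
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None


def domain_of_address(header_value):
    # Domain of the first address in a header value, '' if there is none.
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def org_domain(host):
    # Simplification: last two labels. Production code should use the Public
    # Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(host.lower().split(".")[-2:])


def scan(raw_message):
    """Return human-readable indicator findings for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_header = str(msg["From"] or "")
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of_address(from_header)

    # Display name carries an address at a different domain than the real sender
    # (the display name is often all a mail client shows).
    for shown in re.findall(r"[\w.+-]+@([\w.-]+)", display_name):
        if org_domain(shown) != org_domain(from_domain):
            findings.append(f"display name shows @{shown} but message is from @{from_domain}")

    # Reply-To routes answers to a different organization than From.
    reply_domain = domain_of_address(str(msg["Reply-To"] or ""))
    if reply_domain and org_domain(reply_domain) != org_domain(from_domain):
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Urgency language in the subject.
    subject = str(msg["Subject"] or "").lower()
    hits = [t for t in URGENCY_TERMS if t in subject]
    if hits:
        findings.append(f"urgency terms in subject: {hits}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    body_lower = body.lower()
    # Generic greeting instead of the recipient's name.
    for greeting in GENERIC_GREETINGS:
        if greeting in body_lower:
            findings.append(f"generic greeting: {greeting!r}")
            break

    # Link text shows one host while the href points at another.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and org_domain(shown) != org_domain(actual):
            findings.append(f"link text shows {shown} but href goes to {actual}")
    return findings
```

Calling scan(SAMPLE_EMAIL) returns five findings, one per indicator. None of these checks is conclusive alone (legitimate marketing mail routinely sets a different Reply-To, for example); they are meant to be scored together or used to prioritize what a human reviews.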
Prevention & Detection
Technical Controls
- Email authentication: SPF and DKIM let the receiving server verify the sending host and the message signature; DMARC ties both to the visible From: domain and tells receivers what to do on failure (p=none, quarantine or reject). A DMARC record at p=none only produces reports, it does not stop spoofing of the domain
- Secure email gateways with attachment detonation, link rewriting and impersonation detection
- URL filtering and sandboxing of links and attachments
- Multi-factor authentication (MFA), preferably phishing-resistant methods such as FIDO2/WebAuthn; one-time codes can be relayed in real time by adversary-in-the-middle phishing proxies
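How SPF, DKIM and DMARC fit together is easiest to see in the receiver's decision. The Python below is an added example for this page, not code from the original or from any mail server: it parses a DMARC TXT record and applies the identifier-alignment and policy rules of RFC 7489 to SPF and DKIM results that are assumed to have been computed already (it performs no DNS lookups or signature verification). The record strings and domains are constructed for the demo, and the two-label organizational-domain shortcut stands in for the Public Suffix List.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...' into tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC1 record (needs v=DMARC1 and p=)")
    # RFC 7489 defaults: relaxed alignment for SPF and DKIM, policy applies to 100%.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from_domain, authenticated_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not authenticated_domain:
        return False
    hf, ad = header_from_domain.lower(), authenticated_domain.lower()
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)


def evaluate_dmarc(header_from_domain, dmarc_txt, spf_result, spf_domain, dkim_result, dkim_domain):
    """
    Decide the DMARC disposition for one message.

    Inputs are what a receiving MTA already has: the domain of the visible From:
    header, the sender's published DMARC record, the SPF result with the envelope
    (MAIL FROM) domain it was evaluated for, and the DKIM result with the d= domain
    of the signature. Returns (disposition, reasons), where disposition is 'pass'
    or the policy the record requests ('none', 'quarantine' or 'reject').
    """
    rec = parse_dmarc_record(dmarc_txt)
    reasons = []
    spf_aligned = spf_result == "pass" and aligned(header_from_domain, spf_domain, rec["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(header_from_domain, dkim_domain, rec["adkim"])
    reasons.append(f"spf={spf_result} domain={spf_domain} aligned={spf_aligned} (aspf={rec['aspf']})")
    reasons.append(f"dkim={dkim_result} d={dkim_domain} aligned={dkim_aligned} (adkim={rec['adkim']})")

    # DMARC passes if either mechanism passes AND is aligned with the From: domain.
    if spf_aligned or dkim_aligned:
        return "pass", reasons

    # On failure apply p=, or sp= when the From: domain is a subdomain of the org domain.
    is_subdomain = header_from_domain.lower() != org_domain(header_from_domain)
    use_sp = is_subdomain and "sp" in rec
    disposition = rec["sp"] if use_sp else rec["p"]
    reasons.append(f"no aligned pass; applying {'sp' if use_sp else 'p'}={disposition}")
    if rec["pct"] != "100":
        reasons.append(f"pct={rec['pct']}: only that share of failing mail receives {disposition}")
    return disposition, reasons


# Constructed records: the first only monitors, the second enforces.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; sp=quarantine; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Legitimate mail: bounces via bounce.example.com, DKIM signed with d=example.com.
    print(evaluate_dmarc("example.com", ENFORCING, "pass", "bounce.example.com", "pass", "example.com"))
    # Spoofed From: example.com sent from attacker infrastructure that passes
    # SPF and DKIM for the attacker's own domain. Passing is not enough; alignment is.
    print(evaluate_dmarc("example.com", MONITOR_ONLY, "pass", "examp1e-support.net", "pass", "examp1e-support.net"))
    print(evaluate_dmarc("example.com", ENFORCING, "pass", "examp1e-support.net", "pass", "examp1e-support.net"))
```

The two records show the caveat from the list above: under MONITOR_ONLY the spoofed message gets disposition none, meaning it is delivered and merely reported, while the same message under ENFORCING is rejected. The strict aspf=s setting also shows why alignment mode matters: the legitimate bounce.example.com envelope domain no longer aligns with example.com for SPF, and that mail passes only because its DKIM signature is aligned under the default relaxed adkim.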
Human Controls
- Security awareness training and phishing simulations
- Reporting mechanisms for suspicious emails
- Verification procedures for sensitive requests (wire transfers, credential changes)
Why It Matters
Phishing is consistently among the most common initial access vectors in breach reports. It targets people rather than software, so patching alone does not address it. Effective defense layers technical controls that block most attempts and limit the damage of the rest (email authentication, phishing-resistant MFA) with user awareness and fast reporting, so that one successful lure does not become a compromise.
Related Terms
- Social Engineering
- Initial Access
- Credential Harvesting