What is Phishing? Attack Prevention Basics


TL;DR

Phishing is a social engineering attack in which attackers impersonate trusted entities (banks, employers, services) to trick victims into revealing credentials, clicking malicious links, or installing malware. It is one of the most common ways breaches start. Defend with email filtering, multi-factor authentication (preferably phishing-resistant, so a stolen password on its own is not enough), and security awareness training.

The Simple Explanation

You get an email that looks like it is from your bank, boss, or a service you use. It asks you to click a link and log in, or open an attachment. The link goes to a fake site that steals your password. The attachment installs malware. Phishing exploits trust and urgency to bypass technical defenses by targeting people.

Types of Phishing

Type           | Target          | Characteristics
Mass phishing  | Anyone          | Generic, high volume
Spear phishing | Specific person | Personalized, researched
Whaling        | Executives      | High-value targets
Smishing       | SMS recipients  | Text message based
Vishing        | Phone users     | Voice call based

Warning Signs

Red flags in emails
  • Urgent language: "Act now or lose access!"
  • Unexpected requests for credentials
  • Sender address does not match claimed org
  • Generic greeting: "Dear Customer"
  • Spelling and grammar mistakes
  • Links that do not match the claimed destination
  • Requests to bypass normal procedures
  • Too good to be true offers

Common Phishing Scenarios

  • Password reset: "Your account was compromised, reset now"
  • Invoice/payment: "Pay this invoice immediately"
  • IT support: "We need to verify your credentials"
  • Executive impersonation: "The CEO needs this done today"
  • Package delivery: "Click to track your shipment"

MFA is your safety net, with one caveat. If an employee falls for phishing and gives up only their password, multi-factor authentication stops the attacker from logging in with it. Code-based factors (SMS codes, authenticator apps) and push approvals can still be phished, though: an attacker-in-the-middle phishing page relays the one-time code to the real site within the same time window, or the attacker repeats push prompts until the user approves one. Phishing-resistant MFA (FIDO2/WebAuthn security keys and passkeys) binds the login to the site's origin, so a response captured on a fake site is useless to the attacker. MFA is an essential phishing defense; phishing-resistant MFA is the kind to aim for.
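To make the difference between code-based and phishing-resistant MFA concrete, here is an added example (not code from the original page) that simulates both against an attacker-in-the-middle phishing proxy. The TOTP part follows RFC 6238; the origin-bound part imitates the shape of a WebAuthn exchange but uses an HMAC key as a stand-in for the authenticator's private key so that it runs with the standard library only. The site origin, the password "hunter2" and the phishing domain are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import os
import struct


# ---- Code-based MFA (TOTP, RFC 6238: HMAC-SHA1, 30-second step, 6 digits) ----
def totp(secret, unix_time, step=30, digits=6):
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class TotpSite:
    """The real site, protected by password + TOTP."""

    def __init__(self, password, totp_secret):
        self.password, self.secret = password, totp_secret

    def login(self, password, code, now):
        return hmac.compare_digest(password, self.password) and code == totp(self.secret, now)


def relay_totp_login(site, victim_password, victim_secret, now):
    """Attacker-in-the-middle phishing: the fake page collects what the victim
    types (password plus the code read off their app) and forwards both to the
    real site inside the same 30-second window. Nothing ties the code to the
    site the victim is looking at, so the relay succeeds."""
    typed_password, typed_code = victim_password, totp(victim_secret, now)
    return site.login(typed_password, typed_code, now)


# ---- Origin-bound MFA (WebAuthn-style) ---------------------------------------
def sign_client_data(credential_key, challenge, origin):
    """Stand-in for the authenticator's private-key signature (an HMAC here, so
    the example needs no third-party library). The property that matters is the
    same as in WebAuthn: the origin the browser observed is inside the signed
    data, so the user cannot be tricked into signing for another site."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    return hmac.new(credential_key, client_data.encode(), hashlib.sha256).hexdigest()


def browser_respond(credential_key, challenge, page_origin):
    """The browser fills in page_origin from the page the user is actually on;
    neither the user nor the page's script can substitute another origin."""
    return page_origin, sign_client_data(credential_key, challenge, page_origin)


class OriginBoundSite:
    ORIGIN = "https://www.example-bank.com"  # hypothetical relying party

    def __init__(self, credential_key):
        self.key, self.challenge = credential_key, None

    def new_challenge(self):
        self.challenge = os.urandom(16).hex()
        return self.challenge

    def verify(self, challenge, origin, signature):
        if challenge != self.challenge or origin != self.ORIGIN:
            return False
        return hmac.compare_digest(signature, sign_client_data(self.key, challenge, origin))


def relay_webauthn_login(site, victim_key, phishing_origin):
    """Same relay attack: the proxy forwards the real challenge to the victim,
    whose browser is on the phishing page, then forwards the response. The
    signature covers the phishing origin, so the real site rejects it, and
    relabelling the origin as the real one invalidates the signature."""
    challenge = site.new_challenge()
    origin, sig = browser_respond(victim_key, challenge, phishing_origin)
    return site.verify(challenge, origin, sig) or site.verify(challenge, site.ORIGIN, sig)


def legit_webauthn_login(site, user_key):
    challenge = site.new_challenge()
    origin, sig = browser_respond(user_key, challenge, site.ORIGIN)
    return site.verify(challenge, origin, sig)


if __name__ == "__main__":
    secret, key, now = b"12345678901234567890", os.urandom(32), 1_700_000_000
    print("TOTP relayed by phishing proxy accepted:",
          relay_totp_login(TotpSite("hunter2", secret), "hunter2", secret, now))
    site = OriginBoundSite(key)
    print("Origin-bound login relayed by phishing proxy accepted:",
          relay_webauthn_login(site, key, "https://examp1e-bank-support.com"))
    print("Origin-bound login from the real site accepted:", legit_webauthn_login(site, key))
```

Run it and the TOTP relay prints True while the relayed origin-bound login prints False: the relying party checks the origin inside the signed client data against its own, and the proxy cannot change that field without breaking the signature. Push-fatigue and SMS relay fail the same way for the same reason, which is why "phishing-resistant" is defined by origin binding rather than by the number of factors.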

Protection Strategies

  • Email filtering: Block known phishing senders, malicious links and attachments before they reach the inbox
  • MFA, preferably phishing-resistant: A stolen password alone is not enough
  • Training: Teach recognition skills
  • Simulations: Test with fake phishing
  • Reporting: Easy way to flag suspicious emails
  • DMARC (with SPF and DKIM): Let receiving servers reject mail that forges your exact domain; it does not stop lookalike domains
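As an added example of what DMARC does and does not cover (not code from the original page), the following Python evaluates DMARC the way a receiving mail server does: look up the policy published for the visible From domain, check whether the SPF or DKIM identifiers align with that domain, and return the result together with the policy to apply. The record for example-bank.com, the other domains and the SPF/DKIM results are constructed for the example; a real receiver would fetch the record from DNS (the TXT record at _dmarc.<domain>) and perform the SPF and DKIM checks itself.

```python
# Constructed DMARC records for the hypothetical domain example-bank.com; a real
# evaluator would fetch these from DNS instead of a dict.
DMARC_RECORDS = {
    "example-bank.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                        "rua=mailto:dmarc@example-bank.com",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for field in record.split(";"):
        name, sep, value = field.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Crude organizational domain (last two labels); real code uses the public suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_dmarc(header_from, spf, dkim, records=DMARC_RECORDS):
    """Return (dmarc_result, policy_to_apply) for one message.

    header_from: domain in the RFC 5322 From header, i.e. what the recipient sees.
    spf:  (result, MAIL FROM domain) from the receiver's SPF check.
    dkim: (result, d= domain) from the receiver's DKIM signature check.
    """
    record, policy_tag = records.get(header_from), "p"
    if record is None:  # subdomain without its own record: use the org domain's sp= policy
        record, policy_tag = records.get(org_domain(header_from)), "sp"
    if record is None:
        return "none", None  # nothing published, so the receiver has nothing to enforce
    tags = parse_dmarc(record)
    policy = tags.get(policy_tag) or tags["p"]
    spf_pass = spf[0] == "pass" and aligned(header_from, spf[1], tags["aspf"])
    dkim_pass = dkim[0] == "pass" and aligned(header_from, dkim[1], tags["adkim"])
    return ("pass" if spf_pass or dkim_pass else "fail"), policy


if __name__ == "__main__":
    # Constructed cases: the attacker's own domain bulk-sender.net passes SPF, but
    # that identifier does not align with the forged From domain.
    cases = {
        "legitimate mail":    ("example-bank.com", ("pass", "mail.example-bank.com"), ("pass", "example-bank.com")),
        "exact-domain spoof": ("example-bank.com", ("pass", "bulk-sender.net"), ("none", None)),
        "subdomain spoof":    ("alerts.example-bank.com", ("fail", "bulk-sender.net"), ("none", None)),
        "lookalike domain":   ("examp1e-bank.com", ("pass", "examp1e-bank.com"), ("pass", "examp1e-bank.com")),
    }
    for name, args in cases.items():
        print(f"{name:20} -> {evaluate_dmarc(*args)}")
```

The last case is the caveat from the list above: mail from the lookalike examp1e-bank.com never consults example-bank.com's policy, because DMARC is looked up for the domain actually in the From header, so a correctly configured DMARC record cannot reject it. That gap is what sender-domain checks, link inspection and user training still have to cover.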

What is the difference between phishing and spear phishing?

Regular phishing sends generic messages to many targets hoping someone clicks. Spear phishing targets specific individuals with personalized messages using research about them. Spear phishing is more convincing because it references real details about the target, their job, or their company.

How do I recognize a phishing email?

Look for urgency or threats, unexpected requests for credentials, mismatched or suspicious sender addresses, generic greetings, spelling and grammar errors, and suspicious links (hover to check). Legitimate organizations rarely ask for passwords via email. When in doubt, contact the organization directly using known contact info.
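The checks in the Warning Signs list and in this answer (sender domain, generic greeting, urgency wording, credential requests, links whose visible text disagrees with their real destination) can be automated. The following Python is an added example rather than code from the original page: it runs those checks over two constructed messages, one phishing-style and one benign. The domains, addresses and phrase lists are assumptions made for the demonstration, and a production filter would use the public suffix list and a far richer phrase set.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first exhibits several of
# the red flags from the Warning Signs list; the second is a benign notice.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-support.com>
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. Act now or lose access!</p>
<p>Please confirm your password within 24 hours at
<a href="http://login.examp1e-bank-support.com/verify">https://www.example-bank.com/security</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <notices@example-bank.com>
Subject: Your monthly statement is available
Content-Type: text/plain; charset=utf-8

Hello Alex,
Your March statement is ready. Sign in at https://www.example-bank.com/ as usual.
"""

URGENCY_PHRASES = ("act now", "immediately", "within 24 hours", "suspended", "lose access")
CREDENTIAL_PHRASES = ("password", "verify your account", "confirm your login", "credentials")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def org_domain(host):
    """Crude registrable domain (last two labels); a real filter would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message, claimed_domain):
    """Return the red flags found in a raw RFC 5322 message that claims to come from claimed_domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    # Sender address does not match the organisation the mail claims to be from.
    _, from_addr = parseaddr(msg["From"] or "")
    from_domain = org_domain(from_addr.rpartition("@")[2])
    if from_domain != claimed_domain:
        flags.append(f"sender domain {from_domain} does not match {claimed_domain}")
    # Wording: generic greeting, urgency, request for credentials.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lower = f"{msg['Subject'] or ''}\n{text}".lower()
    if any(g in lower for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    urgent = [p for p in URGENCY_PHRASES if p in lower]
    if urgent:
        flags.append("urgency language: " + ", ".join(urgent))
    if any(p in lower for p in CREDENTIAL_PHRASES):
        flags.append("asks for credentials")
    # Links: every URL (hrefs and bare URLs) should belong to the claimed domain,
    # and the visible link text must agree with where the href really goes.
    collector = LinkCollector()
    collector.feed(text)
    urls = {href for href, _ in collector.links} | set(URL_RE.findall(text))
    for host in sorted({urlparse(u).hostname or "" for u in urls}):
        if host and org_domain(host) != claimed_domain:
            flags.append(f"link points to {host}")
    for href, shown in collector.links:
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and org_domain(shown_host) != org_domain(real_host):
            flags.append(f"link text shows {shown_host} but goes to {real_host}")
    return flags


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw, "example-bank.com"))
```

The link check is the automated form of "hover to check": the anchor text shows www.example-bank.com while the href goes to login.examp1e-bank-support.com, and the sender domain swaps a digit 1 for the letter l. Any single flag can occur in legitimate mail, so a filter scores them together rather than blocking on one.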

How can organizations protect against phishing?

Implement email filtering to block phishing attempts, require multi-factor authentication (phishing-resistant where possible) so a stolen password alone is not enough, publish SPF, DKIM and DMARC so that receiving servers reject mail forging the organization's domain, conduct regular security awareness training, run phishing simulations to test employees, and have clear reporting procedures for suspicious emails.
