Cyber Security: What is phishing?

Phishing is a social-engineering attack in which the attacker impersonates a trusted sender (a colleague, a bank, a known supplier, a service the victim already uses) to trick the target into revealing credentials, transferring money, opening a malicious file, or clicking a link that initiates further compromise.

Why phishing works

Phishing exploits time pressure, authority, familiarity, and curiosity. The most effective phishing emails arrive at moments when the recipient is already expecting a similar message (an invoice on invoice-processing day, a delivery notification after an online order, a password reset shortly after a forgotten-password attempt). Technology can reduce the volume that reaches inboxes but cannot eliminate the underlying human factor.

Common categories

Mass phishing sends untargeted messages to large recipient lists in the hope that a small percentage will respond; it is effective at scale despite a poor success rate per message.

Spear phishing is tailored to a specific recipient using research from LinkedIn, the corporate website, and prior breaches. It has a much higher success rate but also demands much more attacker effort.

Whaling targets senior executives whose authority makes their compromise especially valuable.

Business Email Compromise (BEC) involves prolonged impersonation of a real internal sender (often a CEO or CFO) to authorise fraudulent payments or supplier-bank-detail changes. BEC is the highest-loss category in UK fraud statistics year on year.

Smishing and vishing deliver phishing payloads by SMS or voice call respectively.

Defences

Technical controls: strong email authentication (SPF, DKIM, DMARC), inbound mail filtering with link rewriting and sandboxing, multi-factor authentication on every account that holds risk, conditional access to detect impossible-travel and unfamiliar-device sign-ins, and well-tuned endpoint detection.

Human controls: regular phishing simulation with feedback (not punishment), clear, easy-to-find reporting buttons, and approval workflows for high-risk actions (bank-detail changes, large transfers) that cannot be bypassed however convincing the request appears.

In penetration testing

Phishing simulations are commissioned as standalone engagements or as part of a wider red team operation. They measure click-through, credential-capture, and report rates, and produce concrete data to inform awareness investment. Conducting realistic phishing simulations requires careful scoping, executive sign-off, and a remediation plan that supports the people who click.

Related terms

See also: social engineering, brute force attack, and penetration testing.
