Phishing
Phishing is a social engineering attack in which an attacker impersonates a trusted entity, typically via email, to trick victims into revealing sensitive information, clicking malicious links, or installing malware.
Definition
Phishing is a social engineering attack in which an attacker impersonates a trusted entity, typically via email, to trick victims into revealing sensitive information, clicking malicious links, or installing malware.
Overview
Phishing remains one of the most common initial access techniques used by attackers, precisely because it targets people rather than technical systems — it's often far easier to trick a human into clicking a malicious link than to find and exploit a technical vulnerability. A typical phishing email impersonates a trusted sender (a bank, a colleague, an IT department) and creates urgency or curiosity to prompt the victim into an action: entering credentials on a fake login page, opening a malicious attachment, or approving a fraudulent request. Phishing has several specialized variants. Spear phishing targets a specific individual or organization with a highly personalized message, using research about the target to make the attack more convincing. Whaling specifically targets high-value individuals like executives. Business Email Compromise (BEC) impersonates an executive or vendor to trick employees into wiring money or changing payment details. Smishing and vishing use SMS text messages and phone calls, respectively, rather than email, and adversary-in-the-middle phishing kits can even intercept and relay Multi-Factor Authentication (MFA) codes in real time, defeating some forms of MFA. Phishing is frequently the first step in a larger attack chain — a successful phishing attempt might deliver Ransomware, harvest credentials used to access corporate systems, or establish a foothold that a Botnet operator uses for further exploitation. Because of this, phishing resistance is a foundational security control, not just an email-filtering problem. Defenses against phishing combine technical controls — email filtering, Web Application Firewall (WAF)s protecting login pages, and phishing-resistant MFA like hardware security keys — with ongoing employee training and simulated phishing exercises, since a determined attacker will eventually craft a message convincing enough to bypass purely technical filters.
Key Concepts
- Impersonates a trusted entity to manipulate victims into unsafe actions
- Spear phishing and whaling target specific individuals with personalized messages
- Business Email Compromise (BEC) targets financial and payment processes
- Smishing and vishing extend the technique to SMS and phone calls
- Advanced kits can intercept and relay MFA codes in real time
- Often the first step in a larger attack chain, including ransomware delivery
- Best defended with layered technical controls plus ongoing employee training