Phishing

Phishing is a cyberattack method where criminals impersonate trustworthy entities to trick individuals into revealing personal information, such as login credentials, banking details, or sensitive corporate data. The term comes from hackers using fraudulent emails to fish for information from unsuspecting users. Phishing attacks have become increasingly sophisticated and are now broken down into different types, including email phishing, spear phishing, smishing, vishing, and whaling. According to the FBI, phishing caused losses of over $10 billion globally in 2024.

How Phishing Works

An attacker sends a fraudulent email, text, or message that appears to come from a legitimate source. The message contains a link to a fake website or a malicious attachment. Victims who interact with these are tricked into sharing confidential information or installing malware. The attacker then uses the stolen credentials or installed backdoor to compromise accounts and move laterally through networks. Phishing preys on human error, bypasses even sophisticated security systems, and causes financial losses, data breaches, and reputational damage.

Types of Phishing Attacks

Email phishing: fake emails posing as trusted brands or colleagues. Attackers aim to steal login credentials or payment information at scale.
Spear phishing: highly targeted attacks tailored to specific individuals or companies. Attackers research their targets and personalize messages to bypass generic filters.
Whaling: attacks on high-level executives like CEOs and CFOs. These messages often reference ongoing business deals or urgent financial matters.
Smishing: fraudulent text messages with malicious links. Attackers trick users via mobile devices, where security awareness may be lower.
Vishing: phone calls pretending to be from tech support, banks, or government agencies. Attackers obtain sensitive details through voice interaction.
Clone phishing: a copy of a legitimate email the victim has received before, slightly modified so that genuine links are replaced with malicious ones.

Real-World Phishing Examples

Google and Facebook were tricked into transferring over $100 million using fake invoices. The attacker posed as a legitimate vendor. In 2020, Twitter employees were compromised through a phishing attack. High-profile accounts including Elon Musk and Barack Obama were hijacked to promote a cryptocurrency scam. Colonial Pipeline was shut down after a phishing email enabled attackers to install ransomware, leading to fuel shortages across the U.S. East Coast.

5 Phishing Prevention Strategies

Employee Security Awareness Training

Conduct regular phishing simulation tests. Educate employees on recognizing phishing signs. Training should be interactive and ongoing, not a one-time box-ticking exercise.

Use Multi-Factor Authentication

Even if credentials are stolen, MFA blocks unauthorized access. No second factor means no entry.

Implement Email Security Solutions

Use spam filters, DMARC, DKIM, and SPF records. These technical controls block many phishing emails before they reach inboxes.

Keep Software Updated

Regular updates patch vulnerabilities that phishing attacks exploit. An unpatched browser can be compromised by simply visiting a malicious site.

Verify Before You Click

Check email senders carefully. Hover over links to preview destinations. Avoid clicking suspicious links or downloading unexpected attachments.

Quick Checklist to Spot Phishing

Generic greetings like "Dear user" or "Dear customer".
Urgent threats like "Your account will be locked" or "Immediate action required".
Suspicious links where the hover text does not match the displayed text.
Unexpected attachments, especially .zip, .exe, or .js files.
Spelling errors or unusual grammar.
Requests for sensitive information like passwords or credit card numbers.
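One way to automate the machine-checkable items on this checklist, added here as an example and not code from the glossary: a Python function that parses a raw email, matches the greeting and urgency phrases above, compares each link's visible text with the host its href actually points to, and flags attachments with the listed extensions. The sample message and its .test domains are constructed for the example.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

TEXT_SIGNS = {  # checklist wording from the page, matched case-insensitively
    "generic greeting": re.compile(r"\bdear\s+(user|customer)\b", re.I),
    "urgent threat": re.compile(r"account will be locked|immediate action required", re.I),
}
RISKY_EXT = (".zip", ".exe", ".js")
# Simplified anchor matcher -> (href, visible text); adequate for plain HTML mail bodies
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>\s*(.*?)\s*</a>', re.I | re.S)

def host(url):
    """Hostname of a URL or bare domain, lower-cased."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(raw_message):
    """Return the checklist items a raw RFC 5322 message triggers, in checklist order."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    found = [name for name, pat in TEXT_SIGNS.items() if pat.search(text)]
    for href, shown in ANCHOR.findall(text):
        # visible text looks like a URL, but the href resolves to a different host
        if "." in shown and " " not in shown and host(shown) != host(href):
            found.append(f"link text {shown} points to {host(href)}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            found.append(f"risky attachment {name}")
    return found

# Constructed sample (not a real phishing email); .test domains are reserved names
SAMPLE = """\
Subject: Immediate action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p><p>Your account will be locked. Sign in at
<a href="http://login.example-bad.test/">https://www.example-bank.test</a></p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--b1--
"""
```

Spelling errors and requests for secrets are left to a human reader; the function covers the four items a filter can check mechanically.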

Phishing is a people problem with a technology solution. Technology filters obvious threats. People recognize subtle ones. Combine both. Train employees continuously. Run simulations monthly. Test. Reinforce. Phishing will never stop. Your defense must never stop either.
