IT Glossary

What Is Phishing?

A social engineering attack in which criminals send deceptive emails, texts, or other messages designed to trick recipients into revealing passwords or financial information, or into installing malware.

Phishing is a type of social engineering attack where an attacker impersonates a trusted entity — a bank, a vendor, a colleague, even your CEO — to trick you into taking a harmful action. The most common form is email phishing: you receive an email that looks legitimate, urging you to click a link, open an attachment, or provide sensitive information. The link leads to a fake login page that captures your credentials. The attachment installs malware. The "urgent request from your CEO" convinces you to wire money to a fraudulent account.

Phishing is one of the most common ways attackers gain their initial foothold in a breach, and it's getting harder to spot. Modern phishing emails are sophisticated: they use accurate branding, personalized details scraped from social media, and legitimate-looking domains that differ from the real one by a single character (a swapped letter, a digit 1 in place of a lowercase l, an extra hyphen). Spear phishing targets specific individuals (often executives or financial staff) with highly customized messages. Business Email Compromise (BEC) goes further, sometimes using the compromised or spoofed email accounts of actual business partners to request fraudulent payments or changes to bank details.

Defending against phishing requires layers: technical controls (email filtering, SPF/DKIM/DMARC sender authentication, link and attachment scanning) combined with human awareness. It helps to know what the authentication controls do and do not cover: SPF and DKIM let a receiving mail server verify that a message really came from the domain it claims, and DMARC tells the receiver what to do when those checks fail. That blocks direct spoofing of your own domain, but it does nothing against a lookalike domain the attacker registered themselves, which is why filtering and awareness still matter. Security awareness training that includes simulated phishing tests is among the most effective defenses, because it teaches employees to recognize phishing attempts through repeated, realistic practice. The goal isn't to create paranoia but to build the habit of pausing to verify, through a channel the message did not supply (a known phone number, a bookmarked site), before clicking links, opening attachments, or acting on unusual requests, especially requests to move money or change payment details.
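The lookalike-domain check from the paragraph on sophisticated phishing and the SPF/DKIM/DMARC controls named above, as an added worked example that is not part of this glossary page and not Epyon Technologies' tooling. It assumes a receiving mail server (the hypothetical mx.example.com) that has already evaluated SPF, DKIM and DMARC and recorded its verdicts in an Authentication-Results header, a constructed list of trusted domains, and two constructed sample messages; the homoglyph table and the one-character edit-distance threshold are illustrative choices.

```python
"""Added example (not from the page): triage an inbound message with the controls
the glossary names. It reads the SPF/DKIM/DMARC verdicts the receiving server
recorded, checks whether the visible From: domain imitates a domain we trust,
and inspects the policy tag of a DMARC record. All sample data is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains we treat as legitimate senders (constructed list).
TRUSTED_DOMAINS = {"example.com", "bank.example"}

# Character swaps attackers use to build visually similar domains (illustrative).
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w"}

# Constructed message. mx.example.com (hypothetical receiving MTA) has already
# evaluated SPF, DKIM and DMARC and written the results into Authentication-Results.
SUSPICIOUS_EMAIL = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=examp1e.com;
 dkim=none;
 dmarc=fail header.from=examp1e.com
From: "IT Helpdesk" <helpdesk@examp1e.com>
To: alice@example.com
Subject: Urgent: your password expires today

Your password expires in 2 hours. Reset it here: http://examp1e.com/reset
"""

# Constructed message from the genuine domain with every check passing.
LEGIT_EMAIL = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Alice" <alice@example.com>
To: bob@example.com
Subject: Lunch?

Are you free at noon?
"""

def parse_auth_results(msg) -> dict:
    """Pull the spf=/dkim=/dmarc= verdicts out of the Authentication-Results header."""
    value = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}

def from_domain(msg) -> str:
    """Domain of the visible From: address, which is what the recipient actually sees."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def normalize(domain: str) -> str:
    """Undo common homoglyph swaps so examp1e.com compares equal to example.com."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is not a lookalike."""
    if domain in trusted:
        return None
    for real in trusted:
        if normalize(domain) == normalize(real) or edit_distance(domain, real) <= 1:
            return real
    return None

def triage(raw_email: str) -> dict:
    """Combine the server's authentication verdicts with lookalike detection."""
    msg = message_from_string(raw_email)
    domain, auth = from_domain(msg), parse_auth_results(msg)
    imitates = lookalike_of(domain)
    reasons = []
    if auth.get("dmarc") != "pass":
        reasons.append(f"dmarc={auth.get('dmarc', 'missing')} for {domain}")
    if imitates:
        reasons.append(f"{domain} imitates trusted domain {imitates}")
    return {"from_domain": domain, "auth": auth, "lookalike_of": imitates,
            "reasons": reasons, "verdict": "suspicious" if reasons else "ok"}

def dmarc_policy(record: str) -> str:
    """Enforcement tag (p=) of a DMARC TXT record; 'none' means monitor only."""
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    return tags.get("p", "missing").strip().lower()
```

Running triage over the two constructed messages flags the helpdesk mail twice, once because DMARC failed and once because examp1e.com normalizes to example.com, while Alice's message comes back as ok. The dmarc_policy helper makes a point that often gets missed when the records are first published: a record with p=none only generates reports, and receivers start quarantining or rejecting spoofed mail only once the policy is raised to quarantine or reject.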

Need Help With Phishing?

Epyon Technologies provides phishing defense services for businesses. See how we can help.

Learn About Our Phishing Services →