Vol. 1 · Ed. 2026
CyberGlossary
Entry № 921

Phishing

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Phishing?

Phishing: A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.


Phishing is a fraudulent communication, usually email but also SMS ("smishing"), voice calls ("vishing"), or chat, crafted to look as if it comes from a legitimate organization or person. The attacker's goal is to manipulate the recipient into disclosing sensitive information (passwords, payment data, one-time MFA codes), approving a payment or wire transfer, or opening a malicious attachment or link. Phishing is among the most common initial-access vectors in reported breaches because it exploits human judgment rather than a software flaw, so patching alone does not remove the risk. Defences layer technical controls with operational ones. SPF, DKIM and DMARC let receiving mail servers reject messages that spoof the organization's own domain, but they do nothing against lookalike domains the attacker registers and controls. Anti-phishing gateways and browser warnings block known lures and credential-harvesting sites. Phishing-resistant MFA such as FIDO2/WebAuthn security keys defeats credential harvesting because the authenticator is bound to the legitimate site's origin and will not sign for a fake one, whereas SMS or app-generated codes can be relayed in real time by an adversary-in-the-middle proxy. User awareness training combined with a simple, fast reporting path feeds an incident-response procedure that can pull a reported message from every mailbox and reset exposed credentials before they are used.
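As an added example (not part of this glossary entry or of any product), the following Python script performs the header checks an analyst runs first on a reported message: it reads the receiving gateway's Authentication-Results header (SPF, DKIM, DMARC), compares the From domain with the Return-Path and Reply-To domains, and looks for a protected brand name in the display name or in the sending domain after folding common look-alike characters. The two sample messages, the brand list and the finding codes are constructed for illustration; the lure mirrors example 01 below, with "rn" standing in for "m" in the domain.

```python
"""Header-consistency triage for a reported phishing email.

Added example for this glossary entry, not code from the page or any product.
Assumes RFC 5322 message text and an Authentication-Results header (RFC 8601)
stamped by the receiving gateway; the brand list is hypothetical configuration
and both sample messages are constructed.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed lure in the shape of the page's first example: a fake Microsoft 365
# password-reset notice from a lookalike domain ("rn" standing in for "m").
SAMPLE_EML = """\
Return-Path: <bounce@mail-sender-42.example>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mail-sender-42.example;
 dkim=pass header.d=mail-sender-42.example;
 dmarc=none header.from=rnicrosoft-support.com
From: "Microsoft 365 Security" <alerts@rnicrosoft-support.com>
Reply-To: helpdesk@reset-portal.example
Subject: Action required: your password expires today

Your Microsoft 365 password expires in 24 hours. Reset it here:
https://login.rnicrosoft-support.com/reset
"""

# Constructed legitimate message for comparison: aligned domains, DMARC pass.
BENIGN_EML = """\
Return-Path: <bounce@contoso.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=contoso.example;
 dkim=pass header.d=contoso.example; dmarc=pass header.from=contoso.example
From: "IT Helpdesk" <helpdesk@contoso.example>
Subject: Scheduled VPN maintenance on Saturday

The VPN gateway will be unavailable 02:00-04:00 UTC on Saturday.
"""

# Brands the organisation is impersonated as, with the domains they really use
# (hypothetical; a real deployment loads this from configuration).
TRUSTED_BRANDS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}

# Common look-alike substitutions, folded to the letter they imitate.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def parse_auth_results(value):
    """Map spf/dkim/dmarc to their results; a missing method counts as 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value or ""), re.I):
        results[method.lower()] = outcome.lower()
    return results

def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def fold_confusables(domain):
    """Normalise look-alike characters so 'rnicros0ft.com' folds to 'microsoft.com'."""
    folded = domain.lower()
    for fake, real in _CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded

def impersonated_brands(display_name, domain):
    """Brands named in the display name or hidden in the domain (after folding)
    while the mail does not come from one of that brand's real domains."""
    folded = fold_confusables(domain)
    hits = []
    for brand, real in TRUSTED_BRANDS.items():
        if any(domain == d or domain.endswith("." + d) for d in real):
            continue
        if brand in display_name.lower() or brand in folded:
            hits.append(brand)
    return hits

def triage(raw_message):
    """Return finding codes for a reported message; an empty list means clean."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []
    auth = parse_auth_results(msg["Authentication-Results"])
    if auth["dmarc"] != "pass":  # failing or absent DMARC: nobody vouches for the From domain
        findings.append(f"dmarc-{auth['dmarc']}")
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Bounce and reply addresses on other domains are weak signals on their own
    # (bulk senders do this legitimately) but are common in lures.
    if domain_of(msg["Return-Path"]) not in ("", from_domain):
        findings.append("return-path-domain-mismatch")
    if domain_of(msg["Reply-To"]) not in ("", from_domain):
        findings.append("reply-to-domain-mismatch")
    findings += [f"brand-impersonation:{b}" for b in impersonated_brands(from_name, from_domain)]
    return findings

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw) or "no findings")
```

The findings are triage signals, not a verdict: a DMARC result of "none" means the From domain publishes no policy at all, which is typical of freshly registered lookalike domains, and a Return-Path on a different domain is normal for legitimate bulk senders, so the combination and the brand match carry most of the weight. The confusable table is deliberately small; production tooling would use a Unicode confusables list and compare against the organisation's own domain as well.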

flowchart LR
  A[Attacker] -->|crafts lure| B[Phishing email or site]
  B -->|delivers to| C[Victim]
  C -->|clicks link| D{Enters credentials?}
  D -->|Yes| E[Attacker harvests credentials]
  D -->|No| F[Attack fails]
  E --> G[Account takeover / fraud]

Examples

  1. A fake "Microsoft 365 password reset" email that links to a credential-harvesting site.

  2. An invoice attachment that installs a banking trojan when opened.

Frequently asked questions

What is Phishing?

A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware. It belongs to the Attacks & Threats category of cybersecurity.

What does Phishing mean?

A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.

How do you defend against Phishing?

Defences for Phishing combine technical controls (sender authentication with SPF, DKIM and DMARC, anti-phishing gateways and browser warnings, and phishing-resistant MFA such as FIDO2 security keys) with operational practices (user awareness training, an easy way to report suspicious messages, and rapid incident response for reported messages), as detailed in the full definition above.

What are other names for Phishing?

Common alternative names include: Email phishing, Mass phishing.
