GLOSSARY · Security
Phishing
Social-engineering attack that impersonates a trusted party (a colleague, vendor, bank, login page) to trick a target into revealing credentials, clicking a malicious link, or wiring money.
Detailed definition
Phishing is the entry point for the overwhelming majority of breaches. It’s not technically sophisticated — there’s usually no exploit, no vulnerability, no malware on first contact. It’s a fraudulent message that convinces a human to do something they shouldn’t: type their password into a fake login page, click a link that drops a payload, approve an MFA push they didn’t initiate, or wire money to an attacker-controlled account.
The flavors
- Credential phishing — fake login page that captures username and password
- Malware phishing — link or attachment that drops ransomware, infostealer, or remote-access trojan
- MFA fatigue — spam push notifications hoping the target eventually approves one
- Business Email Compromise (BEC) — impersonating an executive or vendor to redirect a wire transfer or invoice payment
- Spear phishing — targeted at a specific person with personalized context (LinkedIn, social media, internal org info)
- Smishing / Vishing — SMS-based or voice-call variants of the same plays
- Quishing — QR-code-based attacks that lead users to phishing pages off-device
Why phishing keeps winning
Email-based defenses (SPF, DKIM, DMARC, gateway filtering) catch the obvious stuff. But targeted attacks routinely bypass spam filters because they look legitimate — a one-off email from a real sender’s compromised mailbox, addressed to a real recipient, referencing a real ongoing invoice. The only durable defense is layered:
- Strong MFA — phish-resistant methods (hardware keys, passkeys, number-matching push) so a stolen password isn’t enough
- Conditional access — block sign-ins from unfamiliar countries, require managed device check
- Security awareness training — recurring, scenario-based, focused on the patterns users will actually see
- Email-gateway sandboxing — detonate attachments before they reach the inbox
- Endpoint defense — EDR catches the post-click payload if everything else fails
We run security awareness training programs with phishing simulations for our managed clients — see the Security & Compliance service page.
HOW WE HELP
Related Bytes Unlimited services
Need help applying Phishing to your business?
We've done this kind of work across New York. First conversation is free.