Skip to main content

GLOSSARY · Security

Phishing

Social-engineering attack that impersonates a trusted party (a colleague, vendor, bank, login page) to trick a target into revealing credentials, clicking a malicious link, or wiring money.

Detailed definition

Phishing is the entry point for the overwhelming majority of breaches. It’s not technically sophisticated — there’s usually no exploit, no vulnerability, no malware on first contact. It’s a fraudulent message that convinces a human to do something they shouldn’t: type their password into a fake login page, click a link that drops a payload, approve an MFA push they didn’t initiate, or wire money to an attacker-controlled account.

The flavors

  • Credential phishing — fake login page that captures username and password
  • Malware phishing — link or attachment that drops ransomware, infostealer, or remote-access trojan
  • MFA fatigue — spam push notifications hoping the target eventually approves one
  • Business Email Compromise (BEC) — impersonating an executive or vendor to redirect a wire transfer or invoice payment
  • Spear phishing — targeted at a specific person with personalized context (LinkedIn, social media, internal org info)
  • Smishing / Vishing — SMS-based or voice-call variants of the same plays
  • Quishing — QR-code-based attacks that lead users to phishing pages off-device

Why phishing keeps winning

Email-based defenses (SPF, DKIM, DMARC, gateway filtering) catch the obvious stuff. But targeted attacks routinely bypass spam filters because they look legitimate — a one-off email from a real sender’s compromised mailbox, addressed to a real recipient, referencing a real ongoing invoice. The only durable defense is layered:

  1. Strong MFA — phish-resistant methods (hardware keys, passkeys, number-matching push) so a stolen password isn’t enough
  2. Conditional access — block sign-ins from unfamiliar countries, require managed device check
  3. Security awareness training — recurring, scenario-based, focused on the patterns users will actually see
  4. Email-gateway sandboxing — detonate attachments before they reach the inbox
  5. Endpoint defenseEDR catches the post-click payload if everything else fails

We run security awareness training programs with phishing simulations for our managed clients — see the Security & Compliance service page.

RELATED TERMS

AUTHORITATIVE SOURCES

External references

Need help applying Phishing to your business?

We've done this kind of work across New York. First conversation is free.