---
title: "What Is Phishing? How Attacks Work | Bytes Unlimited"
description: "Phishing is the social-engineering attack that starts most breaches — an attacker impersonates a trusted party to extract credentials, click-throughs, or money. Learn the categories and the defenses."
canonical: https://www.bytesunlimited.com/glossary/phishing/
---

 GLOSSARY · Security 

#  Phishing 

 Social-engineering attack that impersonates a trusted party (a colleague, vendor, bank, login page) to trick a target into revealing credentials, clicking a malicious link, or wiring money. 

## Detailed definition

**Phishing** is the entry point for the overwhelming majority of breaches. It’s not technically sophisticated — there’s usually no exploit, no vulnerability, no malware on first contact. It’s a fraudulent message that convinces a human to do something they shouldn’t: type their password into a fake login page, click a link that drops a payload, approve an [MFA](/glossary/mfa/) push they didn’t initiate, or wire money to an attacker-controlled account.

## The flavors

* **Credential phishing** — fake login page that captures username and password
* **Malware phishing** — link or attachment that drops ransomware, infostealer, or remote-access trojan
* **MFA fatigue** — spam push notifications hoping the target eventually approves one
* **[Business Email Compromise (BEC)](/glossary/bec/)** — impersonating an executive or vendor to redirect a wire transfer or invoice payment
* **Spear phishing** — targeted at a specific person with personalized context (LinkedIn, social media, internal org info)
* **Smishing / Vishing** — SMS-based or voice-call variants of the same plays
* **Quishing** — QR-code-based attacks that lead users to phishing pages off-device

## Why phishing keeps winning

Email-based defenses (SPF, DKIM, DMARC, gateway filtering) catch the obvious stuff. But targeted attacks routinely bypass spam filters because they look legitimate — a one-off email from a real sender’s compromised mailbox, addressed to a real recipient, referencing a real ongoing invoice. The only durable defense is layered:

1. **Strong [MFA](/glossary/mfa/)** — phish-resistant methods (hardware keys, [passkeys](/glossary/passkeys/), number-matching push) so a stolen password isn’t enough
2. **Conditional access** — block sign-ins from unfamiliar countries, require managed device check
3. **Security awareness training** — recurring, scenario-based, focused on the patterns users will actually see
4. **Email-gateway sandboxing** — detonate attachments before they reach the inbox
5. **Endpoint defense** — [EDR](/glossary/edr/) catches the post-click payload if everything else fails

We run security awareness training programs with phishing simulations for our managed clients — see the [Security & Compliance service page](/services/security/).

HOW WE HELP

## Related Bytes Unlimited services

* [ Security & Compliance PCI DSS, HIPAA, and general security posture work. Endpoint protection, MFA, awareness training, audit-ready documentation.](/services/security/)

RELATED TERMS

## See also

* [ BEC ](/glossary/bec/)
* [ Ransomware ](/glossary/ransomware/)
* [ MFA ](/glossary/mfa/)

AUTHORITATIVE SOURCES

## External references

* [ CISA — Phishing Guidance  (opens in new tab) ](https://www.cisa.gov/topics/cybersecurity-best-practices/teach-employees-avoid-phishing)

##  Need help applying Phishing to your business? 

 We've done this kind of work across New York. First conversation is free. 

[ Get In Touch ](/contact/) [ Back to Glossary ](/glossary/)

## Sitemap

- [Site map](https://www.bytesunlimited.com/sitemap.md)
- [llms.txt](https://www.bytesunlimited.com/llms.txt)
- [Canonical URL list](https://www.bytesunlimited.com/sitemap.xml)
