Security
Phishing
A social engineering attack that tricks people into revealing credentials or downloading malware — typically via email. The most common initial access vector in enterprise breaches.
Phishing works by impersonation. The attacker crafts a message that appears to come from a trusted source — your bank, Microsoft, a colleague, your CEO — and prompts the target to take an action that compromises security: click a link, enter credentials, open an attachment, authorize a wire transfer.
Common variants
Spear phishing targets specific individuals with personalized messages. Rather than a generic "your account has been locked," a spear phish might reference your actual employer, a recent project, or a colleague's name. Far more convincing and more dangerous.
Whaling targets executives specifically. The CFO receives an urgent message appearing to be from the CEO asking for an emergency wire transfer. Common enough to have its own name.
Smishing — phishing via SMS. "Your package couldn't be delivered, click here to reschedule."
Vishing — voice phishing. A caller claims to be IT support and asks for your password or MFA code.
Why phishing is still so effective
Even security-aware people fall for good phishes. The combination of urgency, authority, and a plausible scenario bypasses rational evaluation. One successful phish on a privileged account can give an attacker everything.
The defense has three layers: technical controls (email filtering, MFA so a stolen password alone isn't enough, DNS filtering to block malicious domains), process controls (verify unusual requests out of band, never enter credentials via a link in an email), and training (regular phishing simulations that build habit, not just annual checkbox compliance).
Phishing-resistant MFA — passkeys and FIDO2 hardware keys — is the strongest technical defense, because the authenticator's response is bound to the site's origin and to a one-time challenge: a phishing page can't capture a FIDO2 authentication for the real site and replay it.
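The origin binding described above, as an added example (not code from the original page): a small Go model of the WebAuthn/FIDO2 checks in which the browser records the origin it is actually on inside the signed client data, and the relying party accepts an assertion only if that origin, the fresh challenge and the RP ID hash all match. The P-256 key, the RP ID and the origins are constructed for the demo; the real protocol carries more fields than shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// clientData: the CollectedClientData fields that matter; the browser, not the page, sets Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// assertion is what the browser hands the relying party (RP); AuthData starts with sha256(rpID).
type assertion struct{ ClientDataJSON, AuthData, Sig []byte }
var authKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the authenticator's credential key (constructed)
// signedDigest is what ES256 signs: sha256(authData || sha256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// sign models the authenticator answering a challenge while the browser is on origin.
func sign(rpID, origin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags (user present) + signCount
	sig, _ := ecdsa.SignASN1(rand.Reader, authKey, signedDigest(authData, cd))
	return assertion{cd, authData, sig}
}
// verify is the RP side; the origin and challenge checks reject assertions made on a lookalike domain or replayed later.
func verify(rpID, wantOrigin, wantChallenge string, a assertion) error {
	var cd clientData
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil:
		return errors.New("malformed client data")
	case cd.Challenge != wantChallenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != wantOrigin:
		return errors.New("origin mismatch: assertion was signed on " + cd.Origin)
	case len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(&authKey.PublicKey, signedDigest(a.AuthData, a.ClientDataJSON), a.Sig):
		return errors.New("bad signature")
	}
	return nil
}
```

Because the signature covers the client data, an attacker cannot simply edit the origin field of a response captured on a lookalike domain; the edited response fails the signature check instead.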