The Plain English Version

Phishing is when attackers pretend to be someone you trust to trick you into giving up sensitive information or clicking malicious links. It usually comes via email, but also through text messages (smishing), phone calls (vishing), and social media.

The name comes from fishing - attackers cast out bait hoping someone will bite. And they are very good at making that bait look legitimate.

Types of Phishing

Mass phishing: Generic emails sent to thousands of people hoping some will bite

Spear phishing: Targeted attacks researched specifically for you or your company

Whaling: Spear phishing aimed at senior executives

BEC: Business Email Compromise - impersonating colleagues or suppliers

What Phishing Attacks Want

  • Credentials - Fake login pages that steal your username and password
  • Malware installation - Getting you to download malicious attachments
  • Money transfers - Impersonating suppliers or executives to redirect payments
  • Data theft - Tricking you into sending sensitive information
  • Initial access - Getting a foothold to launch further attacks

Warning Signs

  • Urgency and pressure (act now or else)
  • Unexpected requests, especially involving money or credentials
  • Slight misspellings in email addresses or domains
  • Generic greetings
  • Requests to bypass normal procedures
  • Anything that just feels off

But be aware: sophisticated phishing can be very convincing. Attackers do their research and craft messages that look legitimate.
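The "slight misspellings in email addresses or domains" warning sign is one that a mail filter can check automatically. The script below is an added illustration, not part of the original page: it compares each sender's domain against a constructed allowlist of trusted domains and flags lookalikes that use swapped characters (rn for m, 1 for l), one- or two-character typos, or a trusted name buried as a subdomain of an attacker-controlled domain. The domain list and sample addresses are invented for the example.

```python
"""Flag sender domains that closely resemble trusted ones.

Added example for the "misspelled domain" warning sign. TRUSTED_DOMAINS
and the sample senders are constructed for illustration; a real deployment
would load the allowlist from the organisation's own configuration.
"""
from __future__ import annotations

# Constructed allowlist: domains the business legitimately receives mail from.
TRUSTED_DOMAINS = {"example.com", "example-bank.com", "supplier.example.net"}

# Single-character swaps commonly used to make one domain resemble another.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Two-character sequences that visually read as one letter.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def normalize(domain: str) -> str:
    """Lower-case and undo confusable substitutions: 'exarnp1e.com' -> 'example.com'."""
    d = domain.lower().strip().translate(HOMOGLYPHS)
    for pair, single in MULTI_CHAR:
        d = d.replace(pair, single)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'user@host' or 'Display Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def classify(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one sender address."""
    domain = sender_domain(address)
    # Exact match or a genuine subdomain (mail.example.com) of a trusted domain.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        # Homoglyph swap: after normalisation it is exactly a trusted domain.
        if norm == t or norm.endswith("." + t):
            return "lookalike"
        # Typosquat: within a couple of edits of a trusted domain.
        if edit_distance(norm, t) <= max_distance:
            return "lookalike"
        # Trusted name used as a label inside some other domain,
        # e.g. example.com.secure-login.example (the apex is not ours).
        if domain.startswith(t + ".") or ("." + t + ".") in domain:
            return "lookalike"
    return "unknown"


def scan(addresses: list[str]) -> dict[str, str]:
    """Classify a batch of sender addresses; returns address -> verdict."""
    return {addr: classify(addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample senders, as a filter might see them in message headers.
    sample = [
        "ceo@example.com",
        "hr@mail.example.com",
        "IT Support <it-support@exarnple.com>",
        "billing@examp1e.com",
        "pay@example.com.secure-login.example",
        "news@unrelated.org",
    ]
    for addr, verdict in scan(sample).items():
        print(f"{verdict:9s} {addr}")
```

The verdicts are a triage hint for a filter or for the person reviewing reports, not a block decision on their own: `max_distance` of 2 will also catch short legitimate domains that happen to sit near a trusted one, so tune the threshold and allowlist to your own mail flow.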

Protecting Your Business

Technical controls help: email filtering, link scanning, MFA (so stolen passwords alone are not enough). But user awareness is crucial - people need to know what to look for and feel comfortable reporting suspicious messages.

Regular phishing simulations help train staff without the consequences of a real attack. Create a culture where reporting suspicious emails is encouraged, not punished.