
Phishing

A social engineering attack that uses fraudulent communications to trick recipients into revealing sensitive information or installing malware.

Threat Intelligence

Also called: "phishing attack", "email phishing", "credential phishing"

Phishing exploits human psychology to bypass technical security controls, making it one of the most effective attack vectors.

Common phishing techniques

  • Email phishing: Mass campaigns impersonating trusted brands (banks, IT support, delivery services).
  • Spear phishing: Targeted attacks using researched information about specific individuals or organizations.
  • Whaling: High-value attacks targeting executives and decision-makers.
  • Smishing: Phishing via SMS text messages with malicious links.
  • Vishing: Voice phishing using phone calls to extract information or credentials.
  • Clone phishing: Duplicating legitimate emails with malicious links or attachments swapped in.

Red flags to watch for

  • Urgent language pressuring immediate action.
  • Requests for credentials, payment, or sensitive data.
  • Suspicious sender addresses that mimic legitimate domains.
  • Unexpected attachments or unfamiliar link destinations.
  • Generic greetings instead of personalized names.
  • Poor grammar, spelling errors, or awkward phrasing.

How to prevent phishing

  • Implement email authentication (SPF, DKIM, DMARC) to block spoofed senders.
  • Deploy advanced email filtering with link and attachment sandboxing.
  • Train employees regularly with simulated phishing campaigns.
  • Require multi-factor authentication (MFA) to limit credential theft impact.
  • Use password managers to prevent credential entry on fake sites.
  • Establish out-of-band verification for sensitive requests (call back using known numbers).
  • Report and analyze phishing attempts to improve defenses.
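As an added example that is not part of the original glossary entry, the following Python grades the SPF and DMARC policies a domain publishes, placing a weak setup (`+all`, `p=none`) beside a hardened one (`-all`, `p=reject`); the domain names and TXT records are constructed, not real DNS data.

```python
"""Grade SPF and DMARC TXT records for enforcement strength (added example)."""
import re

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_TXT = {
    "example-weak.test": [
        "v=spf1 include:_spf.mailprovider.test +all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    ],
    "example-strong.test": [
        "v=spf1 include:_spf.mailprovider.test -all",
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-strong.test",
    ],
}


def grade_spf(record):
    """Return (grade, reason) based on the qualifier of the terminal 'all' mechanism."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", record)
    if not record.lower().startswith("v=spf1") or not m:
        return ("missing", "no SPF record with a terminal 'all' mechanism")
    qualifier = m.group(1) or "+"  # a bare 'all' means '+all'
    return {
        "-": ("strong", "-all: unlisted senders hard-fail"),
        "~": ("moderate", "~all: unlisted senders soft-fail; relies on DMARC to act"),
        "?": ("weak", "?all: neutral, unlisted senders are not flagged"),
        "+": ("weak", "+all: any host may send as this domain"),
    }[qualifier]


def grade_dmarc(record):
    """Return (grade, reason) based on the DMARC 'p' policy tag."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ("missing", "no DMARC record")
    policy = tags.get("p", "none").lower()
    grade = {"reject": "strong", "quarantine": "moderate", "none": "weak"}.get(policy, "weak")
    return (grade, f"p={policy}")


def grade_domain(records):
    """Pick the SPF and DMARC records out of a domain's TXT set and grade each."""
    spf = next((r for r in records if r.lower().startswith("v=spf1")), "")
    dmarc = next((r for r in records if r.upper().startswith("V=DMARC1")), "")
    return {"spf": grade_spf(spf), "dmarc": grade_dmarc(dmarc)}


if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        print(domain, grade_domain(records))
```

For a real domain, feed it the TXT records returned by `dig TXT example.com` and `dig TXT _dmarc.example.com`.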