What phishing is
Phishing is the most common initial access vector in all of cybersecurity. An attacker sends a message — most often an email — that impersonates a trusted entity: a bank, a government agency, a delivery company, Microsoft, Google, or even a colleague. The goal is to get the recipient to click a link, open an attachment, or hand over credentials without realising they are being deceived.
Mass phishing campaigns are a volume game — send millions of identical emails, rely on a small percentage of recipients complying. Spear phishing is the opposite: a carefully researched, precisely targeted message sent to one person or a small group, using real details about them to make it convincing. Both approaches funnel victims to the same outcome: stolen credentials, installed malware, or an authorised fraudulent transaction.
Phishing vs spear phishing vs whaling
Phishing is the spray-and-pray approach: mass campaigns impersonating HMRC, DHL, Microsoft, Apple, or a major bank. The message is generic. The lure is universal — a missed delivery, a tax refund, a security alert requiring immediate action. Success depends on volume, not precision.
Spear phishing is a researched, targeted attack on a specific individual. The attacker has done their homework using OSINT: they know the target's name, job title, their manager's name, what projects they're working on, what software their company uses. The email reads as though it comes from a known contact and references real context. Detection rate plummets.
Whaling is spear phishing aimed specifically at C-suite executives — CEOs, CFOs, board members. The potential payoff is higher (executive credentials, large wire transfers, access to strategic data), so attackers invest significantly more effort into research and convincing presentation.
Anatomy of a phishing email
Every phishing email shares common characteristics. Learning to recognise them is the most effective human defence:
- Urgency trigger: "Your account will be suspended in 24 hours." "Unusual sign-in activity detected." "Invoice overdue — immediate action required." Urgency is designed to bypass rational evaluation and trigger a reflexive response.
- Sender spoofing: The display name says "Microsoft Security Team" but the actual sending address is something like noreply@microsoft-alerts.co. Always check the actual domain, not the display name.
- Suspicious links: Hover over any link before clicking to reveal the real URL. Phishing links often use lookalike domains (micros0ft.com, paypa1.com) or URL-shortening services that obscure the destination.
- Fake login pages: Click the link and you're presented with a pixel-perfect copy of a real login page. Enter your credentials and they are sent directly to the attacker — while you may be redirected to the real site to avoid suspicion.
- Malicious attachments: Office documents with macros, PDFs with embedded scripts, or ZIP archives containing executables. The file name will be designed to look legitimate: "Invoice_November_2025.docx", "Your-DHL-Delivery.pdf".
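The indicators in the list above can be checked mechanically before a message reaches an inbox. The script below is an added example, not code from the original article: it parses a raw message, compares the brand claimed in the display name against the real sending domain, looks for lookalike domains (digit-for-letter substitutions such as micros0ft and paypa1) in both the sender address and any links, flags URL shorteners, and searches for urgency phrases. The brand list, shortener list, phrase list and both sample messages are constructed for the demonstration, and the two-label domain split is a deliberate simplification of what a real mail filter would do with the public suffix list.

```python
"""Triage of phishing indicators: display-name spoofing, lookalike domains in the
sender or in links, URL shorteners, and urgency language.

Added example; reference lists and sample messages are constructed for it.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_BRANDS = {"microsoft": "microsoft.com", "paypal": "paypal.com", "dhl": "dhl.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY_PHRASES = ("immediate action", "within 24 hours",
                   "account will be suspended", "unusual sign-in")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Digits attackers substitute for letters in lookalike domains: 0->o, 1->l, 3->e, 5->s.
CONFUSABLES = str.maketrans("0135", "oles")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (login.micros0ft.com -> micros0ft.com)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_brand(host: str):
    """Name the brand a domain imitates, or None for the genuine domain or an unrelated one."""
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS.values():
        return None
    label = reg.split(".")[0].translate(CONFUSABLES)
    # Substring match is deliberately coarse: it catches micros0ft, microsoft-alerts, paypa1.
    for brand in KNOWN_BRANDS:
        if brand in label:
            return brand
    return None


def analyse(raw_message: str) -> list[str]:
    """Return human-readable indicators found in a raw RFC 5322 message (plain text body)."""
    msg = message_from_string(raw_message)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""

    # Sender spoofing: the display name claims a brand, the real domain is something else.
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in display.lower() and registrable_domain(sender_domain) != genuine:
            findings.append(f"display name '{display}' claims {brand} but sender domain is {sender_domain}")
    imitated = lookalike_brand(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates {imitated}")

    # Suspicious links: lookalike destinations and shorteners that hide the destination.
    body = msg.get_payload()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) in SHORTENERS:
            findings.append(f"shortened link hides its destination: {url}")
        imitated = lookalike_brand(host)
        if imitated:
            findings.append(f"link domain {host} imitates {imitated}")

    # Urgency trigger.
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency trigger: '{phrase}'")
    return findings


# Constructed sample messages.
SAMPLE_PHISH = """\
From: Microsoft Security Team <noreply@microsoft-alerts.co>
To: alice@example.com
Subject: Unusual sign-in activity detected
Content-Type: text/plain

We detected unusual sign-in activity. Your account will be suspended in 24 hours
unless you verify it here: https://login.micros0ft.com/verify?id=123
Or use the short link: https://bit.ly/3abcXYZ
"""

SAMPLE_LEGIT = """\
From: Microsoft account team <security@microsoft.com>
To: alice@example.com
Subject: New sign-in to your account
Content-Type: text/plain

You signed in from a new device. If this was you, nothing further is needed.
Review your activity at https://account.microsoft.com/activity
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or ["no indicators"])
```

Each finding is independent, so a message that trips several (a brand-claiming display name, a lookalike sender domain, a lookalike link, a shortener and urgency wording all at once) is a far stronger signal than any single one; a real filter would weight them rather than treat each as a verdict.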
Business Email Compromise
BEC is phishing's most financially destructive variant — and it requires no malware at all. The attacker either compromises a legitimate executive email account (via credential phishing) or simply spoofs one convincingly enough to fool an employee.
The script is almost always the same: a message that appears to come from the CEO or CFO reaches the accounts payable team with an urgent, confidential wire transfer request. "I'm in a meeting and can't call — please process this payment immediately, I'll explain later." The amount is large. The urgency is real. The authority is apparently unquestionable. And because no malware is involved, every technical control — antivirus, email filtering, EDR — is bypassed entirely.
BEC is cybercrime's most profitable technique — generating more total losses than ransomware. It doesn't require technical skill: compromise an email account (or just spoof one convincingly), impersonate the CFO, and email accounts payable with urgent wire transfer instructions. Average BEC loss per incident: $125,000. Total losses reported to the FBI from 2016 to 2022: $43 billion.
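Because BEC carries no malware, the only things a mail filter can act on are identity and wording. The script below is an added example, not code from the original article: it scores a message against the pattern described above (an executive's name on a mailbox that is not that executive's, replies diverted to an outside address, a payment request, pressure language). The corporate domain, executive directory and three sample messages are constructed; the Reply-To check is an indicator I have added that the article does not mention. The content checks are scored separately so that the compromised-account case, where the From address is genuine, still gets flagged for out-of-band verification.

```python
"""BEC heuristic: executive impersonation plus urgent payment wording.

Added example; directory, domain and sample messages are constructed for it.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                # constructed
EXECUTIVES = {                                  # constructed directory: name -> real mailbox
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}
PAYMENT_TERMS = ("wire transfer", "wire", "payment", "bank details", "invoice")
URGENCY_TERMS = ("immediately", "urgent", "can't call", "in a meeting", "confidential")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_score(raw_message: str) -> tuple[int, list[str]]:
    """Return (score, reasons). Higher score means more BEC indicators present."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    score, reasons = 0, []

    # Identity checks: an executive's name on a mailbox that is not theirs.
    name = display.strip().lower()
    if name in EXECUTIVES and sender.lower() != EXECUTIVES[name]:
        score += 3
        reasons.append(f"display name '{display}' matches an executive but address is {sender}")
    if reply_to and domain_of(reply_to) != CORPORATE_DOMAIN:
        score += 2
        reasons.append(f"Reply-To diverts responses to {reply_to}")

    # Content checks: these fire even when the From address is genuine, which is
    # the compromised-account case where header checks alone see nothing wrong.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(term in text for term in PAYMENT_TERMS):
        score += 1
        reasons.append("requests a payment or banking change")
    if any(term in text for term in URGENCY_TERMS):
        score += 1
        reasons.append("pressure language (urgency, secrecy, unavailable to verify)")
    return score, reasons


def verdict(score: int) -> str:
    if score >= 4:
        return "quarantine: likely executive impersonation"
    if score >= 2:
        return "flag: verify the request out of band before acting"
    return "deliver"


# Constructed samples: spoofed external sender, genuine routine mail, genuine
# mailbox sending BEC-style content (what a compromised account looks like).
SPOOFED = """\
From: Jane Doe <jane.doe@example-ceo.com>
Reply-To: jane.doe@example.net
To: accounts-payable@example.com
Subject: Urgent wire transfer

I'm in a meeting and can't call. Please process this wire transfer immediately,
I'll explain later. Keep this confidential.
"""

ROUTINE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board pack

Can you send me the Q3 budget summary before Friday? Thanks, Jane
"""

COMPROMISED = """\
From: Jane Doe <jane.doe@example.com>
To: accounts-payable@example.com
Subject: Supplier payment

Please process the attached invoice by wire transfer today, I'm in a meeting
and can't call.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("routine", ROUTINE), ("compromised", COMPROMISED)):
        score, reasons = bec_score(sample)
        print(f"{label}: score={score} -> {verdict(score)}; {reasons}")
```

The thresholds are the point worth arguing over: a genuine executive mailbox asking for a wire transfer under time pressure scores only on content, so the right response is a hold for verification (a phone call to a known number), not a block. The identity checks on their own are strong enough to quarantine.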
Technical and human defences
Phishing defence requires controls at the technical layer and the human layer — because no technical control catches 100% of phishing attempts, and humans are the last line of defence:
- SPF / DKIM / DMARC: Email authentication protocols that verify a message genuinely originated from the claimed domain. DMARC in particular allows domain owners to instruct receiving servers to reject or quarantine unauthenticated messages — preventing most spoofing attacks on your domain.
- Email gateway filtering: Sandbox attachments before delivery, check links against threat intelligence feeds, strip macros from Office documents, flag external sender warnings.
- MFA on all accounts: Even if an attacker successfully harvests your password via a phishing page, MFA prevents them from using it. Credentials alone are not enough. This single control neutralises the majority of credential phishing attacks. The caveat: one-time codes and push approvals can still be relayed in real time by proxy phishing kits, so phishing-resistant methods such as FIDO2 security keys or passkeys are the stronger choice for high-value accounts.
- Security awareness training: Regular, practical training that teaches employees what phishing looks like, how to check sender domains, and how to hover over links before clicking.
- Phishing simulations: Tools like GoPhish let security teams send simulated phishing emails to their own staff, measure click rates, and provide immediate teachable-moment feedback to those who fall for it.
- Reporting culture: Employees should feel safe reporting a suspected phishing email without fear of embarrassment. The cost of one ignored suspicious email far exceeds the cost of one false-alarm report.
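The SPF and DMARC entry above only protects a domain if the published records actually say "reject". The script below is an added example, not code from the original article: it parses the SPF and DMARC TXT records a domain publishes in DNS and reports the settings that leave it spoofable, with a corrected record beside each weak one. No DNS lookups are performed; the records are constructed strings in the published format. The ten-lookup limit and the deprecation of the ptr mechanism come from RFC 7208, not from the article.

```python
"""Audit of published SPF and DMARC records for spoofing-relevant weaknesses.

Added example; the records below are constructed strings, nothing is queried.
"""
import re

DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}
# SPF mechanisms and modifiers that each cost a DNS lookup; RFC 7208 caps these at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a lower-cased-key tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list[str]:
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ["not a valid DMARC record (needs v=DMARC1 and a p= tag)"]
    issues = []
    policy = tags["p"].lower()
    if policy == "none":
        issues.append("p=none: spoofed mail is still delivered, only reported")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        issues.append(f"p={policy}: unknown policy value")
    sub = tags.get("sp", "").lower()
    if sub and DMARC_RANK.get(sub, 0) < DMARC_RANK.get(policy, 0):
        issues.append(f"sp={sub}: subdomains are protected less than the organisational domain")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: policy applies to only part of the failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will never arrive")
    return issues


def audit_spf(record: str) -> list[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    issues = []
    # Strip qualifiers and arguments: '+include:x' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect'.
    names = [re.split(r"[:/=]", t.lower().lstrip("+-~?"))[0] for t in terms[1:]]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("+all: any host on the internet may send as this domain")
    elif last == "?all":
        issues.append("?all: neutral result, receivers treat it as no policy")
    elif last == "~all":
        issues.append("~all: softfail only; move to -all once every sender is listed")
    elif last != "-all" and not last.startswith("redirect="):
        issues.append("record does not end with an all mechanism; unlisted senders are not rejected")
    if "ptr" in names:
        issues.append("ptr: deprecated mechanism, slow and unreliable for receivers")
    lookups = sum(1 for n in names if n in SPF_LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10, receivers return permerror")
    return issues


# Constructed records: a weak pair and the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ptr +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, record, audit in (("weak SPF", WEAK_SPF, audit_spf),
                                 ("strong SPF", STRONG_SPF, audit_spf),
                                 ("weak DMARC", WEAK_DMARC, audit_dmarc),
                                 ("strong DMARC", STRONG_DMARC, audit_dmarc)):
        print(f"{label}: {record}\n  -> {audit(record) or ['ok']}")
```

A domain that publishes p=none has DMARC in name only: receivers still deliver the spoofed mail and merely send the owner a report. The usual path is to start at p=none to collect reports, confirm every legitimate sender passes SPF or DKIM alignment, then move to p=quarantine and finally p=reject at pct=100.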