Phishing
Definition
Phishing is an attack technique in which criminals impersonate a trusted party to steal sensitive information such as passwords or payment details. It occurs via email, SMS or fake websites.
Phishing is an attack technique in which cybercriminals impersonate a trusted party to steal sensitive information such as passwords, credit card details or corporate data. According to the Verizon DBIR 2024, phishing is involved in over 80% of all reported security incidents, making it the primary attack vector for organisations worldwide.
How does phishing work?
In a phishing attack, an adversary sends a message that appears to originate from a trusted source such as a bank, government agency, colleague or supplier. The message creates urgency, prompting the recipient to click a malicious link, enter credentials on a spoofed website or open an infected attachment. The term derives from fishing combined with phreaking. Modern phishing attacks have become increasingly sophisticated, with AI tools generating flawless, personalised messages that are nearly indistinguishable from legitimate communications in any language.
Types of phishing
Spear phishing targets specific individuals or organisations using personalised information gathered from LinkedIn or social media. Whaling targets executives and board members, often with significant financial consequences. Smishing occurs via SMS or WhatsApp, for example fake messages from delivery services or banks. Vishing uses phone calls where attackers impersonate bank staff or IT helpdesk personnel, and AI voice technology makes these attacks increasingly convincing. Quishing leverages QR codes placed in letters or public locations. Business Email Compromise (BEC) involves compromising or impersonating a business email account to initiate fraudulent payment requests.
How to recognise phishing
Common indicators include impersonal greetings, pressure to act immediately, a sender address that does not match the organisation, and links pointing to suspicious domains. AI-generated phishing messages are increasingly difficult to identify due to improved language quality. Always verify the actual domain behind links.
Impact on organisations
Phishing is the primary initial attack vector for ransomware, data breaches and BEC fraud. The average cost of a data breach is $4.88 million (IBM Cost of Data Breach Report 2024). Across Europe, phishing-related incidents represent the largest share of reported cybercrime. Under NIS2, organisations in critical sectors are required to demonstrably train employees to recognise phishing attacks. The Anti-Phishing Working Group recorded over 4.7 million phishing attacks in 2023, the highest annual total ever documented.
Protection against phishing
Effective defence combines technical and human measures. Technical: email filtering with SPF, DKIM and DMARC, multi-factor authentication (MFA), endpoint detection and URL filtering. Human: regular security awareness training and phishing simulations to test and improve employee recognition skills. Organisational: verification procedures for payment requests, an up-to-date incident response plan, and a clear reporting channel for suspicious emails.
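The SPF, DKIM and DMARC filtering mentioned above only stops spoofed senders when a passing SPF or DKIM identifier aligns with the visible From domain. The following added example (not DEFION's code) shows that alignment decision in Python; the `PUBLIC_SUFFIXES` set is a constructed stand-in for the Public Suffix List, and the SPF/DKIM results are passed in as if an authenticator had already produced them.

```python
"""DMARC alignment evaluation for one inbound message (constructed, simplified).

A real receiver obtains SPF/DKIM results from its authenticator and the
organizational domain from the Public Suffix List; both are stubbed here."""

# Constructed stand-in for the Public Suffix List: only what the example needs.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])  # one label above the suffix
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') compares
    organizational domains, so bounce.example.com aligns with example.com."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_result(from_domain, record, spf_pass_domain=None, dkim_pass_domains=()):
    """Return 'pass' if a passing SPF or DKIM identifier aligns with the
    RFC5322.From domain; otherwise return the policy the domain owner requested."""
    tags = parse_dmarc(record or "")
    if tags.get("v") != "DMARC1":
        return "none"  # no valid record published: nothing to enforce
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r"))
                  for d in dkim_pass_domains)
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")
```

A message whose From header claims the organisation's domain while SPF passes only for an unrelated sending domain gets the published `p=` policy; a legitimate mailing that signs with DKIM under the organizational domain passes even when its bounce subdomain fails strict SPF alignment.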
How DEFION helps
DEFION provides Security Awareness Masterclasses and phishing simulations that enable organisations to measure and improve employee awareness. The Email Risk Assessment reveals how vulnerable an organisation actually is to email-based attacks. In the event of a successful phishing attack, the 24/7 incident response team is immediately available.