Phishing Attacks

Social-engineering attacks that trick people into revealing data, granting access, or taking unsafe actions.

Phishing is a social-engineering tactic that tries to trick people into revealing information, granting access, or taking unsafe actions. In plain language, it is fraudulent communication that aims to exploit trust, urgency, or confusion rather than relying only on a technical flaw.

Why It Matters

Phishing matters because many security incidents begin with a person being manipulated rather than a system being directly broken. Stolen credentials, unsafe file execution, and fraudulent approvals often start with misleading messages that appear ordinary enough to be trusted.

It also matters because phishing targets both individuals and organizational processes. Even strong technical environments can be undermined if users are persuaded to surrender secrets or approve unsafe actions.

Where It Appears in Real Systems or Security Workflow

Phishing appears in email security, identity protection, awareness training, help-desk workflows, and incident response. Security teams connect it to Multi-Factor Authentication, Antivirus, Business Email Compromise, and Trojan defense because phishing can lead to credential abuse, malware delivery, and fraudulent decision-making.

Teams also use phishing scenarios in tabletop exercises and detection tuning because it is one of the most common entry points for broader compromise.

Defensive Layers

Layer                   Defensive role
Email and web controls  Reduce delivery and unsafe navigation
MFA and passkeys        Limit damage from stolen passwords
User reporting          Turn suspicious messages into reviewable cases
Incident playbooks      Standardize response when a user clicks or submits data

Common Phishing Patterns

Pattern               Typical lure
Credential harvest    Fake login or document-sharing prompt
Urgent action         Account lockout or payment warning
File delivery         Invoice or policy document attachment
Conversation hijack   Reply to an existing thread to gain trust

Practical Example

A staff member receives an email that looks like a routine sign-in or document-sharing request. The message creates urgency and encourages the user to click through and provide credentials or open a file, even though the request did not come from the legitimate source it claims to represent.
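The following is an added example, not code from the original page: a small help-desk triage heuristic that checks a reported message against the lure patterns listed above (untrusted sender, reply-to mismatch, urgency wording, sign-in prompt with a link, look-alike link destinations, risky attachment types) and returns the indicators found. The trusted domain set and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hypothetical domains the organization itself sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}
URGENCY = re.compile(r"action required|locked|suspended|within \d+ hours|final notice", re.I)
CREDENTIAL = re.compile(r"sign in|log ?in|verify your (account|password)", re.I)
# Attachment types frequently used as file-delivery lures (macro docs, scripts, containers).
RISKY_EXT = (".exe", ".js", ".vbs", ".lnk", ".iso", ".docm", ".xlsm", ".htm", ".html")

def domain_of(value):
    """Mail domain of an address, or hostname of a URL, lower-cased ('' if neither)."""
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()

def triage(msg, trusted=TRUSTED_DOMAINS):
    """Return the list of phishing indicators found in one reported message.

    msg has keys from_addr, reply_to, subject, body, links (list of
    (visible_text, href) pairs) and attachments. Indicators are signals
    for a reviewer, not a verdict on their own."""
    findings = []
    sender = domain_of(msg["from_addr"])
    if sender not in trusted:
        findings.append(f"sender domain {sender} is not a trusted domain")
    if msg.get("reply_to") and domain_of(msg["reply_to"]) != sender:
        findings.append("reply-to domain differs from sender domain")
    text = msg["subject"] + " " + msg["body"]
    if URGENCY.search(text):
        findings.append("urgent-action lure: lockout/deadline wording")
    if CREDENTIAL.search(text) and msg["links"]:
        findings.append("credential-harvest lure: sign-in wording plus a link")
    for visible, href in msg["links"]:
        shown, real = domain_of(visible), domain_of(href)
        if shown and shown != real:  # link text shows one host, destination is another
            findings.append(f"link text shows {shown} but points to {real}")
    for name in msg["attachments"]:
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"file-delivery lure: attachment {name}")
    return findings

# Constructed sample of a reported message (not a real capture).
SAMPLE = {
    "from_addr": "servicedesk@example-corp-support.net",
    "reply_to": "recovery@mail-example.net",
    "subject": "Action required: account locked within 24 hours",
    "body": "Sign in to restore access and review the attached policy.",
    "links": [("https://sso.example-corp.com", "https://sso.example-corp.com.login-example.net/auth")],
    "attachments": ["Policy_Update.docm"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```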

Common Misunderstandings and Close Contrasts

Phishing is not limited to email, even though email is a common delivery path. The core issue is deceptive communication aimed at manipulating trust.

It is also different from Spear Phishing. Phishing can be broad and generic. Spear phishing is more specifically targeted to a person, team, or organization.

Knowledge Check

  1. What does phishing mainly try to exploit? Human trust, urgency, or confusion.
  2. Is phishing purely a technical exploit? No. It is primarily a social-engineering tactic.
  3. How is phishing different from spear phishing? Phishing can be broad and generic, while spear phishing is more targeted.
Revised on Friday, April 24, 2026