ELI5: What is Phishing?

A phishing email looks just like a real message from someone you trust, but it’s actually from a bad guy. They want you to click a link or type in your password so they can steal it. Always double-check who really sent the message.

Definition

Phishing is a social engineering attack that uses deceptive messages, most often email, crafted to look as if they come from a trusted, legitimate organization (a bank, employer, vendor or government agency) in order to trick recipients into revealing credentials, clicking malicious links or opening malware-laden attachments. It is consistently among the most common initial access vectors reported in breach and ransomware incident data.

Key Details

  • Spear phishing: targeted phishing aimed at a specific individual or organization; it uses personal details (name, role, current projects, colleagues, recent transactions) to increase believability.
  • Whaling: spear phishing that targets executives (C-suite), who are high-value targets for BEC (Business Email Compromise) fraud such as fraudulent wire-transfer or invoice-change requests.
  • Vishing: voice-based phishing via phone calls. Smishing: SMS-based phishing.
  • Email authentication: SPF, DKIM and DMARC let a receiving mail server verify that mail claiming to come from a domain was actually authorized by that domain, and DMARC lets the domain owner tell receivers to quarantine or reject mail that fails. They do not help against lookalike domains the attacker registers and authenticates legitimately, against a compromised account at the genuine domain, or against a forged display name in front of an unrelated address.
  • Defense: security awareness training, phishing simulations, email filtering and MFA. MFA means a stolen password alone is not enough, but one-time codes and push approvals can still be captured or relayed by adversary-in-the-middle phishing kits; phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) binds the credential to the real site's origin, so a lookalike site cannot use it.
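
The email authentication bullet above is easiest to understand by watching a receiver make the DMARC decision. The following is an added example written for this page, not code from the original page or from any mail product. It parses a message's From and Authentication-Results headers, checks SPF and DKIM identifier alignment, and applies the sending domain's DMARC policy. The DMARC records that a real receiver would fetch from `_dmarc.<domain>` DNS TXT records come from the inline `DMARC_POLICIES` table (an assumption), and the three messages are constructed samples: a legitimate one, a display-name spoof sent from the attacker's own authenticated domain, and a lookalike domain that has no DMARC record at all.

```python
"""DMARC alignment check over message headers.

Added example for this page; it is not code from the original page.
It runs offline: the DMARC policy that a receiver would fetch from the
_dmarc.<domain> DNS TXT record comes from the DMARC_POLICIES table below,
and the three messages are constructed samples, not real traffic.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: stand-in for DNS lookups of _dmarc.<domain> TXT records.
DMARC_POLICIES = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "partner.example": "v=DMARC1; p=none",
}


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'dmarc1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    production code consults the Public Suffix List, e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def parse_auth_results(value):
    """Extract (result, domain) pairs for spf and dkim from an
    Authentication-Results header value (RFC 8601 layout)."""
    found = {"spf": [], "dkim": []}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause, re.I)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        props = dict(re.findall(r"([\w.]+)=(\S+)", clause))
        if method == "spf":  # SPF checks the RFC 5321 MailFrom domain
            domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
        else:                # DKIM checks the d= tag of the signature
            domain = props.get("header.d", "")
        if domain:
            found[method].append((result, domain.lower()))
    return found


def evaluate_dmarc(raw_message):
    """Return the DMARC verdict for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    record = DMARC_POLICIES.get(from_domain) or DMARC_POLICIES.get(org_domain(from_domain))
    verdict = {"from_domain": from_domain, "policy": None,
               "result": "none", "disposition": "deliver"}
    if record is None:  # no DMARC record: nothing to enforce
        return verdict
    tags = parse_dmarc_record(record)
    auth = parse_auth_results(" ".join(msg.get("Authentication-Results", "").split()))
    spf_ok = any(r == "pass" and aligned(d, from_domain, tags.get("aspf", "r"))
                 for r, d in auth["spf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for r, d in auth["dkim"])
    verdict["policy"] = tags.get("p", "none")
    verdict["result"] = "pass" if (spf_ok or dkim_ok) else "fail"
    if verdict["result"] == "fail" and verdict["policy"] in ("quarantine", "reject"):
        verdict["disposition"] = verdict["policy"]
    return verdict


# Constructed sample messages (not real traffic).
LEGIT = """From: Example Alerts <alerts@example.com>
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com header.s=s1
Subject: Your statement is ready

Sign in to view your statement.
"""

# Display-name spoof: the attacker's own mail server passes SPF and DKIM,
# but for attacker.example, which does not align with the From domain.
SPOOFED = """From: "Example Security" <security@example.com>
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=attacker.example;
 dkim=pass header.d=attacker.example header.s=k1
Subject: Urgent: verify your account

Click here to confirm your password.
"""

# Lookalike domain: examp1e.com belongs to the attacker and has no DMARC
# record, so DMARC has nothing to enforce and the mail is delivered.
LOOKALIKE = """From: Example Support <support@examp1e.com>
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=examp1e.com;
 dkim=pass header.d=examp1e.com header.s=k1
Subject: Password reset required

Reset your password within 24 hours.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, evaluate_dmarc(raw))
```

The spoofed message fails because neither the SPF domain nor the DKIM d= domain aligns with example.com, and example.com publishes p=reject, so the receiver drops it. The lookalike message passes straight through: DMARC only protects domains that publish a policy, which is why filtering, user training and phishing-resistant MFA remain necessary alongside it.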

Connections