    What is Phishing?

    Sectricity Security Team, April 2, 2026

    Phishing does not succeed because of technology, but because of timing, context and human reflex. This article explains what phishing is, which types exist and how companies reduce successful attacks.

    Tags: Phishing, Social Engineering, Security Awareness

    What is phishing? How companies recognise attacks before anyone clicks

    Phishing is the most common initial attack vector against companies in the EU and UK. It is often explained as "a fake email that criminals use to steal your data". Technically that is true, but it misses the point. Phishing does not succeed because of technology. Phishing succeeds because of timing, context and human reflex.

    This article gives a practical answer to what phishing is, which types of phishing exist, and what companies can concretely do to reduce the number of successful attacks.

    TL;DR

    Phishing is a cyberattack where someone impersonates a trusted party to get an employee to do something: click a link, open an attachment, log in on a fake page, or make a payment. It works because it plays on urgency, authority, fear or helpfulness. Companies reduce phishing risk through technical filters, realistic phishing simulations, and a reporting culture where doubt can be raised without friction.

    What phishing actually is

    Phishing is a form of social engineering where an attacker poses as a trustworthy sender, such as a bank, a colleague, a vendor or an internal IT department. The goal is simple: get something from the recipient without them noticing that anything is wrong.

    That "something" varies:

    • Credentials for Microsoft 365, Google Workspace or a corporate portal
    • Financial information or a payment to a modified bank account
    • Access to a system via a malicious attachment or link
    • Personal data for follow-up identity attacks

    In most cases, the phishing email is just credible enough. The sender almost matches. The logo is there. The request feels logical within the context of work. The recipient may hesitate for a moment, but then acts anyway.

    The most common types of phishing

    The term "phishing" now covers an entire family of attacks. For companies, it is useful to know the differences, because defence varies by type.

    Email phishing

    The classic. A mass email or a targeted message that looks like a legitimate communication. Usually with a link to a cloned login page or an attachment containing malware. Filters catch a lot, but the best-written phishing emails still get through.

    Spear phishing

    A targeted variant. The attacker has done research, knows the recipient's role, possibly ongoing projects or relationships. The email uses those details to sound credible. Spear phishing succeeds more often than mass phishing.

    Whaling and CEO fraud

    Here the attacker targets executives or profiles with signing authority, often via emails that look like they come from the CEO. Many whaling campaigns are also Business Email Compromise (BEC) attacks. The impact is large: fraudulent transfers easily run into six- or seven-figure amounts.

    Smishing

    Phishing via SMS or messaging services such as WhatsApp. Short messages, often with urgent tone and a link. Smishing is gaining importance because many employees use personal phones for work.

    Vishing

    Phishing via phone calls. A supposed helpdesk agent or finance officer calls with an urgent request. Vishing is effective because a live voice lowers the threshold for trust faster than written communication does.

    Clone phishing

    The attacker takes a legitimate email and replaces the attachment or link with a malicious version. Because the rest of the email is familiar, it often passes both filters and suspicion.

    Why phishing works

    Phishing rarely succeeds because employees are careless. It succeeds because attackers exploit normal human behaviour.

    • Authority: a request that appears to come from a manager or IT department gets fewer critical questions
    • Urgency: a deadline or "act within 24 hours" short-circuits careful thinking
    • Helpfulness: customer-facing profiles want to resolve things quickly
    • Familiarity: a logo, a correct name, a plausible subject builds trust

    The Verizon 2025 Data Breach Investigations Report confirms that the human element remains a factor in the vast majority of breaches. That does not mean people are the problem. It means attackers target people because technical security has become too strong for a frontal attack.

    What companies can concretely do

    Reducing phishing risk requires a layered approach. No single measure solves it.

    1. Technical filters in order

    • Email authentication with SPF, DKIM and DMARC, with a strict DMARC policy (quarantine or reject, not monitor-only p=none)
    • External-sender banners on emails from outside the organisation
    • Multi-factor authentication on all accounts, preferably phishing-resistant like FIDO2 or passkeys
    • URL rewriting and time-of-click scanning in the mail filter

    2. Realistic exercise

    Phishing simulations teach employees to recognise what they actually encounter in practice. Quality lies not in volume but in relevance: scenarios from their own work environment, at moments that fit their job, with direct feedback. One-off "click tests" without follow-up have little lasting effect.

    3. Training with practical context

    Security awareness training that connects to real incidents and the actual risks of a company works better than generic compliance modules. Short, repeated sessions beat long annual e-learning.

    4. A reporting culture

    Employees must know where and how to report suspicious emails and must be able to do so without fear of repercussion. At companies where reporting is low-friction, a phishing attack is often isolated within minutes. Where reporting feels like failure, an attack remains undetected and spreads further.

    5. Payment processes

    Every payment instruction that comes in via email must be confirmed through a second channel. No exceptions for the CEO. A fixed call-back procedure for changes to bank accounts stops the vast majority of BEC fraud.

    How to recognise a phishing email

    A few questions recipients can ask before clicking:

    1. Am I expecting this email from this sender at this moment?
    2. Is the domain in the email address exactly correct, or are there subtle deviations?
    3. Is there pressure to act quickly?
    4. Am I being asked to do something that falls outside my normal workflow?
    5. Does it involve money, credentials or access to a system?

    When in doubt: do not click, do not reply, verify via another channel. And report. Always report, even if no one clicked. Reporting is information that protects other colleagues.
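    Question 2 above (subtle deviations in the sender domain) is one a mail gateway can ask automatically. Added example, not from the original article: it folds a sender domain onto an ASCII skeleton and measures its edit distance to a list of trusted domains; the trusted domains and the From: headers are constructed for the demonstration.

```python
import re
import unicodedata

# Constructed: domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}

# Constructed sample From: headers, as a mail gateway would log them.
SAMPLE_FROM_HEADERS = [
    "Finance <finance@example.com>",
    "IT Helpdesk <helpdesk@examp1e.com>",      # digit 1 for letter l
    "Bank Alerts <alerts@exarnple-bank.com>",  # 'rn' renders like 'm'
    "CEO <ceo@ex\u0430mple.com>",              # Cyrillic a instead of Latin a
    "Newsletter <news@totally-different.org>",
]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header, lower-cased ('' if none)."""
    match = re.search(r"@([^\s>]+)", from_header)
    return match.group(1).lower() if match else ""


def normalise(domain: str) -> str:
    """Collapse common look-alike tricks onto the plain ASCII domain they imitate."""
    skeleton = unicodedata.normalize("NFKD", domain)
    skeleton = skeleton.encode("ascii", "ignore").decode()  # drops non-Latin homoglyphs
    for pair, single in (("rn", "m"), ("vv", "w")):         # letter pairs that render as one
        skeleton = skeleton.replace(pair, single)
    return skeleton.translate(str.maketrans("0135", "oles"))  # digits that mimic letters


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """'trusted', 'lookalike of <domain>' or 'unknown' for one From: header."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    skeleton = normalise(domain)
    closest = min(TRUSTED_DOMAINS, key=lambda trusted: levenshtein(skeleton, trusted))
    if levenshtein(skeleton, closest) <= 2:  # within two edits of a trusted domain
        return f"lookalike of {closest}"
    return "unknown"
```

A "lookalike" verdict is a reason to add an external-sender banner or route the message to review, not proof of phishing; the two-edit threshold is a tuning choice.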

    What phishing is not

    To clear up confusion:

    • It is not purely a technical problem that only IT needs to solve
    • It is not a one-off training that can be "fixed"
    • It is not a failure by the employee who clicked; it is a learning moment for everyone

    Once companies treat phishing as a shared responsibility between technology, training and processes, the success rate of attacks drops measurably.

    Frequently asked questions about phishing

    What is phishing exactly?

    Phishing is a cyberattack where someone impersonates a trusted party to get a recipient to do something: click a link, open an attachment, log in on a fake page, or make a payment. The goal is usually credentials, money or system access. Phishing works because it plays on urgency, authority, fear or helpfulness.

    What is the difference between phishing and spear phishing?

    Phishing is often a mass attack where the same email goes to many recipients. Spear phishing is more targeted: the attacker has researched the specific recipient, knows the role, projects or relationships, and uses those details to sound credible. Spear phishing has a much higher success rate than mass phishing.

    How do you recognise a phishing email?

    Watch for deviations in the sender domain, an unexpected tone of urgency, requests that fall outside your normal workflow, and prompts for credentials, money or access. When in doubt: do not click, verify via another channel such as a phone call to the colleague or vendor, and report it to IT or the security department.

    Do phishing simulations actually help?

    Yes, if they are executed well. Effective phishing simulations use scenarios relevant to the employee's work environment, give direct feedback after a click, and are repeated regularly. One-off click tests without follow-up have little learning impact. The combination of simulation plus short awareness training after the test works best.

    What should you do if someone clicked on a phishing link?

    Report immediately to IT or the security department. Do not wait until something visibly goes wrong. Change the password of the affected account, revoke MFA tokens and sign out active sessions. The IT team must investigate whether credentials were entered, whether malware was downloaded, and whether there is lateral movement in the network. Speed determines the damage.

    What does NIS2 say about phishing?

    Under NIS2 Article 21, essential and important entities must apply cybersecurity risk management measures, including measures against social engineering and phishing. That covers technical measures as well as staff awareness and training. Incidents with significant impact must be reported within strict deadlines, which means companies must also formalise their phishing incident response.

    Has phishing become worse with AI?

    Yes. Large language models make writing credible phishing emails trivial, including in flawless English, French or Dutch. Deepfake voice and video are used for vishing and whaling. Traditional heuristics such as "watch for language errors" are therefore largely obsolete. Defence shifts towards technical controls, verification through a second channel and behavioural recognition.

    Related services and resources

    Strengthen your defence against phishing with Sectricity's phishing simulation and testing, security awareness training and the Swishing phishing game. Test the human side more broadly through social engineering assessments, including smishing and vishing simulations. Start with a free security scan.