Phishing
Phishing is a con job over email or text. The attacker pretends to be someone you trust (your bank, your boss, a shipping company) and tries to get you to click a link, open an attachment, or enter your password on a fake website. The fake site looks identical to the real one, but everything you type goes straight to the attacker. Phishing is the number one way that data breaches start.
Phishing is a social engineering attack that uses deceptive communication (email, SMS, voice, messaging apps) to manipulate victims into performing actions that compromise security: clicking malicious links, opening weaponized attachments, entering credentials on spoofed websites, or transferring funds.
Phishing variants:
| Type | Target | Vector | Example |
|---|---|---|---|
| Email phishing | Mass audience | Generic mass email | "Your account has been locked, verify now" |
| Spear phishing | Specific individual | Researched email | Personalized email referencing real projects |
| Whaling | C-suite executives | Highly targeted email | Fake legal subpoena or board communication |
| Smishing | Mobile users | SMS text message | "Your package is delayed, track here" |
| Vishing | Phone users | Voice call | Fake IT support requesting remote access |
| Business Email Compromise (BEC) | Finance teams | Spoofed executive email | "Wire $50,000 to this vendor immediately" |
Technical indicators:
- Sender domain does not match the legitimate organization (subtle typos: paypa1.com, arnazon.com)
- Urgency language ("your account will be suspended in 24 hours")
- Links point to domains that do not match the displayed text
- Attachments with executable extensions disguised (.pdf.exe, .docm)
- Reply-to address differs from the From address
Email authentication protocols (defense):
- SPF (Sender Policy Framework): DNS record listing authorized mail servers for a domain
- DKIM (DomainKeys Identified Mail): cryptographic signature on email headers and body
- DMARC (Domain-based Message Authentication, Reporting and Conformance): DNS policy telling receivers how to handle mail whose SPF/DKIM results do not align with the From domain (none, quarantine, reject)
Inspecting email headers for phishing

Check the authentication results recorded in the headers:

```text
Received-SPF: fail (domain paypal-security.com does not designate
    185.234.xx.xx as permitted sender)
Authentication-Results: mx.google.com;
    dkim=fail header.d=paypal-security.com
    spf=fail smtp.mailfrom=paypal-security.com
    dmarc=fail header.from=paypal.com
```

Verify a domain's email authentication DNS records, and check where a suspicious link actually points:

```sh
# Verify a domain's email authentication DNS records
$ dig +short TXT paypal.com | grep spf
"v=spf1 include:pp._spf.paypal.com ~all"
$ dig +short TXT _dmarc.paypal.com
"v=DMARC1; p=reject; rua=mailto:d@rua.agari.com"
# p=reject means: discard emails that fail authentication

# Check where a suspicious link actually points
$ curl -sI "https://paypal-security-verify.com/login" | grep -i location
# Redirects reveal the real destination
```

Phishing is the initial access vector in over 80% of successful cyberattacks according to multiple industry reports. The 2020 Twitter hack started with a phone-based phishing attack on employees. BEC scams caused over $2.7 billion in losses in the US alone in 2022 (FBI IC3 data). Modern phishing attacks use AI-generated content to eliminate the grammatical errors that used to be telltale signs. Defense requires both technical controls (email filtering, DMARC enforcement, link protection, MFA) and user training (simulated phishing campaigns, security awareness programs). MFA is the single most effective control: even if a user enters credentials on a phishing site, the attacker cannot complete authentication without the second factor. Organizations like KnowBe4 and Proofpoint provide phishing simulation platforms for regular employee testing.
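As an added example (not code from the original page), a small Python checker that applies the indicators above to a raw message: it parses the spf/dkim/dmarc verdicts out of Authentication-Results, compares the Reply-To and Return-Path domains with the From domain, and flags links whose visible text names a different host than the href. The sample message is constructed to mirror the header excerpt; its hostnames and addresses are assumed, not real captures.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header excerpt above; not a real message.
SAMPLE = """\
From: PayPal Security <service@paypal.com>
Reply-To: support@paypal-security.com
Return-Path: <bounce@paypal-security.com>
Authentication-Results: mx.example.net;
 dkim=fail header.d=paypal-security.com;
 spf=fail smtp.mailfrom=paypal-security.com;
 dmarc=fail header.from=paypal.com
Subject: Your account will be suspended in 24 hours
Content-Type: text/html

<p>Please <a href="https://paypal-security-verify.com/login">https://www.paypal.com/signin</a> now.</p>
"""

_HOST = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def _host(text):  # hostname if text is a URL or bare domain, else None
    m = _HOST.match(text.strip())
    return m.group(1).lower() if m else None


def _addr_domain(header_value):
    """Domain of the address in a From / Reply-To / Return-Path header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def auth_results(msg):
    """spf= / dkim= / dmarc= verdicts from the Authentication-Results header."""
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def link_mismatches(html):
    """(href, shown text) pairs where the visible domain differs from the real target."""
    pairs = re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)
    return [(h, t.strip()) for h, t in pairs if _host(t) and _host(h) and _host(t) != _host(h)]


def phishing_indicators(raw_message):
    """List which of the indicators above a raw RFC 5322 message exhibits."""
    msg = message_from_string(raw_message)
    from_domain = _addr_domain(msg.get("From", ""))
    findings = [f"{k} failed" for k, v in auth_results(msg).items() if v == "fail"]
    for hdr in ("Reply-To", "Return-Path"):  # reply/envelope domain vs. displayed From
        if msg.get(hdr) and _addr_domain(msg[hdr]) != from_domain:
            findings.append(f"{hdr} domain differs from From domain")
    for href, shown in link_mismatches(msg.get_payload()):
        findings.append(f"link shown as {shown} points to {href}")
    return findings
```

Links whose anchor text is plain words ("verify now") are not flagged by the link check, so they still need the curl-style inspection shown above.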