Digital Security Explained
Calm, practical explanations of cybersecurity fundamentals — no hype.

Phishing Explained

By A. Northam • Published: 2 March 2026 • Updated: 23 April 2026

Phishing is a form of social engineering in which attackers trick individuals into revealing sensitive information such as passwords, financial details, or authentication codes.

It remains one of the most common and effective digital attack methods because it targets human behavior rather than technical vulnerabilities.


How phishing works

Phishing typically involves impersonation. An attacker pretends to be a trusted entity — such as a bank, colleague, service provider, or internal IT department — and persuades the target to take an action.

Common actions include:

Phishing succeeds because it manipulates attention, emotion, and trust — often under time pressure.

Phishing attack flow (diagram)

[Diagram: Phishing Attack Flow. Impersonation, lure, action, and outcome shown as a simple attack sequence.]
Phishing attacks follow a predictable pattern: impersonation → lure → action → outcome.

Common types of phishing

Email phishing

The most widespread form, often sent in bulk and designed to resemble legitimate communications.

Spear phishing

Targeted phishing aimed at a specific individual or organization, often using personalized details.

Business email compromise (BEC)

Impersonation of executives or vendors to request payments or sensitive information.

Smishing and vishing

Phishing conducted via SMS messages (smishing) or phone calls (vishing).

Why phishing succeeds

Phishing exploits human behavior — urgency, authority, curiosity, or fear — rather than software flaws.

Even strong technical controls can be bypassed if a user willingly provides credentials.

Phishing and authentication

Multi-factor authentication reduces the risk that a stolen password alone leads to account compromise. It does not remove the risk: a factor the user types into a page, such as a one-time code, can be captured by a lookalike site and relayed to the real service while it is still valid.

See: Multi‑Factor Authentication Explained

Phishing-resistant authentication

Modern authentication approaches such as hardware security keys or cryptographic device-bound credentials (the FIDO2/WebAuthn model) are resistant to phishing because the credential is bound to the origin it was registered for: the browser signs the service's challenge together with the site it is actually connected to, so a lookalike site cannot obtain a response the real service will accept.

These methods also remove the shared secret. There is no password or code for the user to type, so nothing can be captured and replayed.
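The difference between a typed second factor (the caveat under Phishing and authentication above) and an origin-bound credential, as an added example in Go that is not part of the original article. It models both factors in simplified form: the HMAC-based code is a stand-in for TOTP rather than the real algorithm, the challenge-plus-origin signing is a reduced model of the WebAuthn flow rather than an implementation of it, and the origins, secret and names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Assumed origins: the real service and an attacker's lookalike.
const (
	realOrigin  = "https://login.example.com"
	phishOrigin = "https://login.examp1e.com"
)
// otpCode: 6-digit code from a shared secret and a time step (simplified stand-in for TOTP).
func otpCode(secret []byte, step uint64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], step)
	mac := hmac.New(sha256.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// phishOTP: the victim types the code on the lookalike page and the attacker relays
// it within the same step. Nothing in the code records where it was typed.
func phishOTP() bool {
	secret, step := []byte("constructed-shared-secret"), uint64(1234)
	relayed := otpCode(secret, step) // typed on the lookalike page, forwarded unchanged
	return hmac.Equal([]byte(relayed), []byte(otpCode(secret, step)))
}

type assertion struct{ challenge, signature []byte }

// signedData is what the device signs. The browser, not the page or the user,
// supplies the origin, so a lookalike site only gets a signature over its own.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

type device struct{ priv ed25519.PrivateKey } // private key never leaves the device

func (d device) sign(origin string, challenge []byte) assertion {
	return assertion{challenge, ed25519.Sign(d.priv, signedData(origin, challenge))}
}

type server struct {
	origin string            // origin the service expects to be reached on
	pub    ed25519.PublicKey // registered at enrolment
	issued []byte            // last challenge handed out
}

func (s *server) issueChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.issued = c
	return c
}

// verify checks against the origin the server expects, never one the client claims.
func (s *server) verify(a assertion) bool {
	if len(s.issued) == 0 || !hmac.Equal(a.challenge, s.issued) {
		return false
	}
	return ed25519.Verify(s.pub, signedData(s.origin, a.challenge), a.signature)
}

func setup() (device, *server) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return device{priv}, &server{origin: realOrigin, pub: pub}
}

// legitimateLogin: browser on the real origin, so verification passes.
func legitimateLogin() bool {
	d, s := setup()
	return s.verify(d.sign(realOrigin, s.issueChallenge()))
}

// phishOriginBound: adversary-in-the-middle. The attacker fetches a genuine challenge,
// shows it on the lookalike origin and relays the answer; it is signed over phishOrigin.
func phishOriginBound() bool {
	d, s := setup()
	return s.verify(d.sign(phishOrigin, s.issueChallenge()))
}

func main() {
	fmt.Println("relayed one-time code accepted:  ", phishOTP())
	fmt.Println("relayed bound assertion accepted:", phishOriginBound())
	fmt.Println("genuine bound assertion accepted:", legitimateLogin())
}
```

The relayed one-time code is accepted and the relayed assertion is rejected, for the same reason in both cases: the server checks only what it can see. A code carries no information about where it was typed; an origin-bound signature does, and the server verifies it against its own origin rather than one the client asserts.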

Detection and response

Effective defense involves layered controls:

See: Security Controls Taxonomy
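One concrete detection layer, as an added example in Go that is not code from the article: a handful of header rules that catch the impersonation patterns described under Business email compromise (an executive display name on an outside address, a lookalike sender domain, a Reply-To that diverts replies) plus pressure language in the subject. The organisation domain, executive name, keyword list, edit-distance threshold and sample messages are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Assumed organisation data; a real deployment would load it from a directory.
const orgDomain = "example.com"

var executives = map[string]bool{"dana reyes": true} // assumed executive display name
var pressureWords = []string{"urgent", "immediately", "today", "asap", "wire transfer"}

type message struct{ From, ReplyTo, Subject string }

func domainOf(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

func levenshtein(a, b string) int { // edit distance, byte-wise
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			d := prev[j-1] // match or substitution
			if a[i-1] != b[j-1] {
				d++
			}
			if prev[j]+1 < d { // deletion
				d = prev[j] + 1
			}
			if cur[j-1]+1 < d { // insertion
				d = cur[j-1] + 1
			}
			cur[j] = d
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// lookalikeDomain flags an external domain within two edits of the organisation's
// own (the threshold is an assumption; tune it against real sender data).
func lookalikeDomain(domain string) bool {
	return domain != "" && domain != orgDomain && levenshtein(domain, orgDomain) <= 2
}

func hasPressure(subject string) bool {
	s := strings.ToLower(subject)
	for _, w := range pressureWords {
		if strings.Contains(s, w) {
			return true
		}
	}
	return false
}

// analyze applies the rules to one message; an empty result means nothing was flagged.
func analyze(m message) []string {
	var findings []string
	from, err := mail.ParseAddress(m.From)
	if err != nil {
		return []string{"unparseable From header"}
	}
	fromDomain := domainOf(from.Address)
	if executives[strings.ToLower(strings.TrimSpace(from.Name))] && fromDomain != orgDomain {
		findings = append(findings, "executive display name on an external address")
	}
	if lookalikeDomain(fromDomain) {
		findings = append(findings, "sender domain resembles "+orgDomain)
	}
	if rt, err := mail.ParseAddress(m.ReplyTo); m.ReplyTo != "" && err == nil && domainOf(rt.Address) != fromDomain {
		findings = append(findings, "Reply-To domain differs from From domain")
	}
	if hasPressure(m.Subject) {
		findings = append(findings, "urgency or payment language in subject")
	}
	return findings
}

// Constructed sample messages, not real traffic.
var samples = []message{
	{From: "Dana Reyes <dana.reyes@webmail-host.net>", Subject: "URGENT: wire transfer before 5pm"},
	{From: "Accounts Payable <ap@examp1e.com>", ReplyTo: "billing@mail-relay.net", Subject: "Updated bank details"},
	{From: "Dana Reyes <dana.reyes@example.com>", Subject: "Q3 planning notes"},
}

func main() {
	for _, m := range samples {
		fmt.Printf("%-45s %v\n", m.From, analyze(m))
	}
}
```

Rules like these are a detect layer, not a verdict: they produce false positives (a genuine vendor with a short domain, an executive writing from a personal address) and belong alongside SPF, DKIM and DMARC results and a response path for the messages they flag, rather than as the only control.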

Phishing within defense in depth (diagram)

[Diagram: Phishing in Defense in Depth. Prevent, detect, and respond layers shown for phishing defense. Phishing defense requires multiple coordinated layers.]
Defense in depth reduces the impact of phishing even when one layer fails.

Key takeaway

Phishing is primarily a psychological attack, not a software flaw.

Reducing risk requires layered security controls, strong authentication, and structured response planning.

This article is provided for educational purposes only and does not constitute legal, compliance, or professional security advice.
