Digital Security Explained
Calm, practical explanations of cybersecurity fundamentals — no hype.

Phishing Explained

By A. Northam • Published: 2 March 2026 • Updated: 2 March 2026

Phishing is a form of social engineering in which attackers attempt to trick individuals into revealing sensitive information such as passwords, financial details, or authentication codes.

It remains one of the most common and effective digital attack methods.

How phishing works

Phishing typically involves impersonation. An attacker pretends to be a trusted entity — such as a bank, colleague, service provider, or internal IT department — and persuades the target to take an action.

Common actions include:

Common types of phishing

Email phishing

The most widespread form, often sent in bulk and designed to resemble legitimate communications.

Spear phishing

Targeted phishing aimed at a specific individual or organization, often using personalized details.

Business email compromise (BEC)

Impersonation of executives or vendors to request payments or sensitive information.

Smishing and vishing

Phishing conducted via SMS messages (smishing) or phone calls (vishing).

Why phishing succeeds

Phishing exploits human behavior rather than technical vulnerabilities. It relies on urgency, authority, curiosity, or fear.

Even strong technical controls can be bypassed if a user willingly provides credentials.

Phishing and authentication

Multi-Factor Authentication reduces the risk of credential theft leading to account compromise.

See: Multi-Factor Authentication Explained

Phishing-resistant authentication

Modern authentication approaches such as hardware security keys or cryptographic device-bound credentials are more resistant to phishing attacks.

These methods reduce reliance on shared secrets like passwords.
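To make the difference concrete, here is an added example (not part of the original article) that models why a device-bound credential scoped to the site's origin survives a relayed login attempt while a shared one-time code does not. The origins `bank.example` and `bank-example.net` are constructed for the illustration, and the HMAC used for signing is an assumption standing in for the public-key signature a real hardware key produces, so the script runs with the Python standard library only; what matters is that the relying-party identifier is bound into what gets signed.

```python
import hashlib
import hmac
import secrets

# Assumption: the HMAC "signature" stands in for the public-key signature a real
# authenticator produces. The structure of what is signed (relying-party ID plus
# challenge) is the property being demonstrated, not the primitive.

BANK_ORIGIN = "https://bank.example"       # constructed: the legitimate site
PHISH_ORIGIN = "https://bank-example.net"  # constructed: a look-alike site


def rp_id_of(origin: str) -> str:
    """Relying-party ID as a browser derives it: the host of the page the user is on."""
    return origin.split("://", 1)[1].split("/", 1)[0]


class Authenticator:
    """Device-bound credential store: one key per relying-party ID, never exported."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # a real device returns a public key; the stand-in returns the HMAC key

    def assert_login(self, origin: str, challenge: bytes):
        """Sign for the origin the user is actually on; no scoped credential, no assertion."""
        rp_id = rp_id_of(origin)
        key = self._keys.get(rp_id)
        if key is None:
            return None
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        return {
            "rp_id_hash": rp_id_hash,
            "challenge": challenge,
            "sig": hmac.new(key, rp_id_hash + challenge, hashlib.sha256).digest(),
        }


class RelyingParty:
    """The legitimate site: issues challenges and checks assertions against its own RP ID."""

    def __init__(self, origin: str) -> None:
        self.rp_id = rp_id_of(origin)
        self._verify_keys: dict[str, bytes] = {}

    def register(self, user: str, device: Authenticator) -> None:
        self._verify_keys[user] = device.register(self.rp_id)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, assertion, challenge: bytes) -> bool:
        if assertion is None or user not in self._verify_keys:
            return False
        expected_hash = hashlib.sha256(self.rp_id.encode()).digest()
        # The signed RP ID must be this site's and the challenge the one this site issued.
        if not hmac.compare_digest(assertion["rp_id_hash"], expected_hash):
            return False
        if not hmac.compare_digest(assertion["challenge"], challenge):
            return False
        expected_sig = hmac.new(self._verify_keys[user], expected_hash + challenge,
                                hashlib.sha256).digest()
        return hmac.compare_digest(assertion["sig"], expected_sig)


def legitimate_login_succeeds() -> bool:
    bank, device = RelyingParty(BANK_ORIGIN), Authenticator()
    bank.register("alice", device)
    challenge = bank.new_challenge()
    return bank.verify("alice", device.assert_login(BANK_ORIGIN, challenge), challenge)


def relayed_login_fails() -> bool:
    """The look-alike page forwards the bank's real challenge, but the user is on its origin."""
    bank, device = RelyingParty(BANK_ORIGIN), Authenticator()
    bank.register("alice", device)
    challenge = bank.new_challenge()
    # Case 1: nothing is scoped to the look-alike host, so the device produces no assertion.
    no_credential = device.assert_login(PHISH_ORIGIN, challenge) is None
    # Case 2: even with a credential for that host, its RP ID hash is baked into the
    # signature and does not match the bank's, so the bank rejects it.
    device.register(rp_id_of(PHISH_ORIGIN))
    wrong_origin = device.assert_login(PHISH_ORIGIN, challenge)
    return no_credential and not bank.verify("alice", wrong_origin, challenge)


def shared_code_relay_succeeds() -> bool:
    """Contrast: a one-time code is the same string wherever it is typed, so forwarding works."""
    shared_secret = secrets.token_bytes(20)

    def code_for(time_step: int) -> str:
        digest = hmac.new(shared_secret, time_step.to_bytes(8, "big"), hashlib.sha1).digest()
        return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"

    typed_on_lookalike = code_for(12345)    # entered on the look-alike page
    forwarded_to_bank = typed_on_lookalike  # passed on unchanged within the same time step
    return forwarded_to_bank == code_for(12345)


if __name__ == "__main__":
    print("legitimate login accepted:", legitimate_login_succeeds())
    print("relayed origin-bound login rejected:", relayed_login_fails())
    print("relayed shared code accepted:", shared_code_relay_succeeds())
```

The design point is in `verify`: the server never trusts the user's judgement about which site they are on; it checks that the identifier signed by the device is its own. A code the user can read and retype carries no such binding, which is why it can be forwarded.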

Detection and response

Effective defense involves layered controls:

See: Security Controls Taxonomy

Phishing within defense in depth

Because phishing targets users, strong identity controls, logging, and rapid response mechanisms are critical.

See: Defense in Depth Explained

Key takeaway

Phishing is primarily a psychological attack, not a software flaw.

Reducing risk requires layered security controls, strong authentication, and structured response planning.

This article is provided for educational purposes only and does not constitute legal, compliance, or professional security advice.