Phishing
What Is Phishing?
Phishing is a class of social engineering attack in which an adversary impersonates a trusted entity, through fraudulent email, websites, text messages, or voice calls, to deceive targets into disclosing credentials, financial information, or other sensitive data, or into installing malicious software. The term derives from "fishing," reflecting the use of lure-and-hook mechanics applied to human psychology rather than technical vulnerabilities. Phishing occupies the intersection of cybersecurity, behavioral psychology, and network communications, and it remains the most common initial access vector in data breaches tracked by major security incident databases.
Where technical exploits target software flaws, phishing targets cognitive ones: urgency, authority, and familiarity. Malware is closely related; phishing campaigns routinely deliver malware payloads through malicious attachments or links, and compromised credentials obtained by phishing often precede ransomware deployment. The NIST Cybersecurity glossary defines spear phishing as any highly targeted phishing attack, emphasizing that specificity and personalization are what distinguish it from bulk campaigns.
Attack Variants and Delivery Channels
Bulk phishing casts wide nets using mass email that mimics banks, delivery services, or technology platforms. The attacker registers lookalike domains or uses compromised mail servers to pass spam filters, then directs recipients to credential-harvesting pages that replicate legitimate login portals. Spear phishing narrows the target to a specific individual or organization, incorporating details gathered from public profiles, organizational directories, or prior breaches to make the lure credible.
Whaling directs spear phishing at senior executives whose credentials grant access to financial systems or sensitive data; business email compromise (BEC) is an operationalized form that leads to fraudulent wire transfers without any malware component. Smishing uses SMS messages, exploiting the speed and informality of mobile interaction; vishing uses voice calls, often with caller ID spoofing, to impersonate banks or government agencies. Adversary-in-the-middle phishing kits intercept real-time authentication sessions, capturing both passwords and session cookies and bypassing conventional multi-factor authentication.
Detection and Technical Countermeasures
Email authentication protocols form the first technical layer of defense. Sender Policy Framework (SPF) verifies that a sending server is authorized to send mail for the domain in the envelope from address. DomainKeys Identified Mail (DKIM) attaches a cryptographic signature to message headers, allowing the receiving server to verify that the message was not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together with a policy that instructs receivers to reject or quarantine messages that fail alignment.
Browser-based URL scanning, certificate transparency logs, and machine learning classifiers trained on domain registration patterns and page content extend detection to phishing sites that bypass email filters entirely. The most robust countermeasure is phishing-resistant authentication: as described in NIST's cybersecurity insights on phishing resistance, authenticators based on FIDO2 and the W3C Web Authentication API bind cryptographic keys to specific origins, making them inherently unusable on impersonating sites regardless of how convincing the fake portal appears.
Human Factors and Awareness
Technical controls are incomplete without attention to human behavior. Security awareness training that uses simulated phishing exercises has measurable effects on click rates in controlled studies, though the effect size and durability vary with training frequency and design. Organizational policies that require out-of-band confirmation for wire transfer requests and that limit the broadcast of organizational hierarchy in public directories reduce the surface available to spear phishing reconnaissance. IEEE research on computational ethics and AI-aided social engineering detection examines how large language models are being applied both offensively, to craft more personalized lures at scale, and defensively, to classify suspicious messages.
Applications
Phishing defense techniques have applications across security operations, including:
- Enterprise email gateway filtering and DMARC policy enforcement
- Endpoint detection of credential-harvesting page visits
- Phishing-resistant MFA deployment using hardware security keys or FIDO passkeys
- Security operations center triage and incident response
- Regulatory compliance and cyber insurance risk assessment