Phishing
A form of social engineering attack, most often delivered by fraudulent email (though also by text or other messaging), in which attackers pretend to be a trustworthy entity to trick victims into revealing information or installing malware.
A typical phishing email might look like it's from a known company (your bank, a vendor, or your boss), urging you to click a link or open an attachment. The link usually leads to a fake login page (to steal credentials) or initiates a malware download.
Phishing is extremely common and dangerous - it's often the entry point for bigger breaches or ransomware attacks. Variants include spear phishing (targeted at specific individuals with personalized info) and whale phishing (targeting executives). For example, you might get an email that says "Your account has been suspended, click here to verify now," with branding that looks legit. If you click and enter your password, you've just handed it to attackers.
Defending against phishing involves technical measures (spam filters, link scanning) and, importantly, user vigilance. Employees should be trained to spot signs of phishing: incorrect sender addresses, generic greetings, urgent or threatening language, unexpected attachments, or URLs that don't match the real site (hovering over the link reveals a weird address). When in doubt, don't click - verify through another means.
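As an added illustration (not part of the original entry), the Python sketch below checks one message for four of the signs listed above: a sender address that does not match the brand it claims, a generic greeting, urgent language, and a link whose visible text points to a different host than its real target. The word lists, the names phishing_signs, Links and host, and the sample message are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed word lists and a constructed sample message, for illustration only.
URGENT = re.compile(r"suspended|verify now|immediately|urgent", re.I)
GENERIC = re.compile(r"dear (customer|user|client)", re.I)
URLISH = re.compile(r"https?://|www\.", re.I)  # visible text that looks like an address
SAMPLE = '''From: "Example Bank" <support@examp1e-bank.test>
Content-Type: text/html

<p>Dear customer, your account has been suspended, click here to verify now:
<a href="http://login.examp1e-bank.test/verify">www.examplebank.test/login</a></p>
'''

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host(url):  # hostname of a URL, also when the scheme is missing
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def phishing_signs(raw, brands):
    """Return the warning signs found; brands maps display name -> real domain."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    shown, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    links = Links()
    links.feed(body)
    checks = {
        "sender_mismatch": any(b.lower() in shown.lower() and domain != d for b, d in brands.items()),
        "generic_greeting": bool(GENERIC.search(body)),
        "urgent_language": bool(URGENT.search(body)),
        "link_mismatch": any(URLISH.match(t) and host(t) != host(h) for h, t in links.found),
    }
    return [sign for sign, hit in checks.items() if hit]
```

Hostnames are compared exactly, so a legitimate link that goes through a tracking or redirect domain is also reported; treat the output as signals for review, not a verdict.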
Ultimately, phishing preys on trust and haste, so a skeptical eye and a cautious habit of verifying requests (especially those involving money or credentials) are your best defense.