GLOSSARY · THREATS & INCIDENTS
Phishing
Fraudulent messages that impersonate a trusted party to trick people into revealing credentials, paying money, or running malware.
Phishing is the most durable attack vector in security, and it stays that way because it targets the decision-making process rather than software vulnerabilities. An attacker does not need to find a zero-day if an employee will click a convincing login page and type their password. The volume is staggering: most organizational breaches trace back to a credential phished from someone who was not paying full attention for thirty seconds.
Variants multiply constantly. Spear phishing targets specific individuals with personalized detail harvested from LinkedIn or company websites. Vishing (voice phishing) uses phone calls, often combined with AI-generated voice cloning. Smishing arrives by SMS. Business email compromise (BEC) impersonates executives or finance contacts to authorize fraudulent wire transfers. The common thread is social engineering: manufacturing urgency, authority, or familiarity to compress the time a person has to think critically.
Defenses layer: phishing-resistant MFA (passkeys, hardware tokens) removes the value of a stolen credential even when someone clicks. Email authentication (SPF, DKIM, DMARC) makes it harder to spoof your own domain. Security awareness training is worth doing but should not be treated as the primary control. People will occasionally click; the architecture should be built assuming they will.