
What Is Phishing? Definition, Types, and How to Prevent It

August 26, 2025 | Updated: May 19, 2026

Key takeaways:
  • Phishing is a social engineering attack that tricks people into revealing credentials, transferring money, or downloading malware by impersonating a trusted source.
  • Attackers use email, SMS, voice calls, and QR codes to reach victims, with each channel requiring different detection habits.
  • Spear phishing, whaling, smishing, and vishing are targeted variations that carry a higher success rate than generic mass campaigns.
  • Spotting phishing requires attention to sender address anomalies, urgency cues, mismatched URLs, and unexpected requests for sensitive data.
  • Technical controls, security awareness training, and data security tools together reduce phishing risk at both the individual and organizational level.

What Is Phishing?

Phishing is a cyber attack in which an adversary impersonates a trusted person or organization to trick a target into revealing credentials, transferring funds, or downloading malware. The term references the act of "fishing" for victims using deceptive bait. Attacks typically arrive via email, but also appear through SMS, voice calls, and malicious websites designed to resemble legitimate ones.

Phishing has existed since the mid-1990s and remains one of the most common initial access methods in data breaches. Its persistence comes from two factors:

  1. It is inexpensive to execute at scale.
  2. It targets human judgment rather than technical vulnerabilities.

Even organizations with mature security programs experience phishing incidents because the attacks evolve faster than user training cycles. Understanding phishing in cybersecurity terms means recognizing it as both a technical and behavioral problem.

How Phishing Works

Phishing attacks follow a consistent sequence regardless of the channel used.

  1. Target selection: The attacker chooses a victim pool. Mass campaigns cast wide nets, sending millions of generic messages. Targeted campaigns research specific individuals or organizations to craft believable context.
  2. Pretext construction: The attacker builds a cover story. Common pretexts include password expiration notices, package delivery alerts, invoice disputes, IT security warnings, and executive wire transfer requests.
  3. Delivery: The message is sent through email, SMS, a phone call, or a malicious QR code. The sender address, phone number, or domain is spoofed or typosquatted to resemble a trusted source.
  4. Interaction trigger: The message includes a call to action: click a link, open an attachment, call a number, or reply with credentials. Urgency is the most common lever (e.g. "Your account will be locked in 24 hours").
  5. Credential capture or payload delivery: Clicking a link routes the victim to a fake login page that harvests credentials, or triggers a download of malware. In some attacks, the victim is instructed to take action directly, such as transferring funds.
  6. Exploitation: Stolen credentials are used for account takeover, sold, or used to pivot deeper into a network. Data exfiltrated in the attack may be ransomed or published.

| Attack stage | Attacker action                       | Victim experience                           |
|--------------|---------------------------------------|---------------------------------------------|
| Delivery     | Spoofed email or SMS sent             | Message appears from known brand or contact |
| Trigger      | Urgency or authority cue used         | Pressure to act quickly                     |
| Capture      | Fake login page or attachment served  | Credentials entered or malware downloaded   |
| Exploitation | Credentials used or data exfiltrated  | Account compromised or breach begins        |

Types of Phishing Attacks

Phishing attacks take several forms depending on the target, channel, and method of deception. Understanding each type helps organizations configure detection and training accordingly.

Email phishing

Email phishing is the most common form. Attackers send bulk messages impersonating banks, software vendors, HR departments, or shipping carriers. These messages direct recipients to fake login pages or prompt them to open malicious attachments. Volume is high and personalization is low, though filters and spam systems have made purely generic campaigns less effective.

Spear phishing

Spear phishing targets a specific individual or team. The attacker researches the victim using public sources, including LinkedIn profiles, company websites, and prior breach data, to personalize the message. A spear phishing email might reference a real project name, a colleague's name, or a recent corporate announcement to establish credibility. The targeted nature makes these attacks harder to detect and considerably more effective than mass campaigns.

Whaling

Whaling is spear phishing directed at senior executives, board members, or other high-authority individuals. Because executives have elevated access and approval authority, a successful whaling attack can result in fraudulent wire transfers, access to sensitive intellectual property, or full administrative access to corporate systems. Whaling messages often mimic legal notices, regulatory correspondence, or board-level communications.

Smishing

Smishing (SMS phishing) delivers malicious content via text message. A common smishing scenario involves a fake shipping notification with a link to "reschedule delivery," which routes to a credential-harvesting page. SMS lacks the sender authentication infrastructure that email has developed, making spoofing straightforward.

Vishing

Vishing (voice phishing) uses phone calls rather than written messages. Callers impersonate IT support staff, bank fraud departments, or government agencies. They use urgency and authority to pressure victims into providing credentials, one-time passcodes, or wire transfer authorizations in real time. The conversational format makes it difficult for targets to pause and verify legitimacy.

Quishing

Quishing (QR code phishing) embeds malicious URLs in QR codes, which are then distributed in emails, physical signage, or printed materials. Scanning the code routes the victim to a phishing site. QR-based attacks are effective at bypassing email link scanners because the URL is encoded visually rather than as a text string.

Business email compromise (BEC)

Business email compromise (BEC) is a sophisticated phishing variant in which the attacker either compromises a legitimate email account or creates a convincing lookalike address. The attacker uses that position to redirect payments, intercept payroll deposits, or extract sensitive data. BEC attacks cause disproportionately high financial losses relative to their volume.

| Phishing type  | Primary channel     | Primary goal                | Targeting level    |
|----------------|---------------------|-----------------------------|--------------------|
| Email phishing | Email               | Credential theft, malware   | Broad              |
| Spear phishing | Email               | Credential theft, access    | Individual or team |
| Whaling        | Email               | Financial fraud, access     | Executive          |
| Smishing       | SMS                 | Credential theft            | Broad or targeted  |
| Vishing        | Phone               | Credential theft, fraud     | Individual         |
| Quishing       | QR code             | Credential theft            | Broad              |
| BEC            | Email (compromised) | Financial fraud, data theft | Targeted           |

Why Phishing Matters for Data Security

According to IBM's 2025 Cost of a Data Breach Report, phishing was the most common initial access vector, accounting for 16% of breaches studied, and has ranked among the top attack vectors for three consecutive years. When an attacker obtains credentials through a phishing attack, the consequences extend well beyond the compromised account.

Stolen credentials enable account takeover, which can expose sensitive data stored in email, cloud storage, or enterprise applications. If the compromised account belongs to someone with broad data access, an attacker can silently exfiltrate large volumes of files before detection. In regulated industries, that exposure triggers mandatory reporting obligations under frameworks like HIPAA, PCI DSS, and GDPR, regardless of whether the data was misused.

For organizations managing sensitive intellectual property, customer data, or financial records, phishing represents a direct path to the assets that data loss prevention (DLP) tools are designed to protect. A successful phishing campaign that produces valid credentials bypasses perimeter defenses entirely and operates inside the trust boundary of legitimate users.

Phishing also enables insider risk scenarios that are difficult to distinguish from authorized activity. When an attacker uses stolen credentials, behavioral detection tools that monitor for unusual data movement or access patterns become essential for identifying the intrusion.

The financial impact compounds across direct losses, regulatory fines, incident response costs, and reputational damage. Organizations that treat phishing prevention as a standalone email security problem rather than a data security issue consistently underestimate their exposure.

How to Spot a Phishing Email

Recognizing phishing requires attention to several categories of signals. No single indicator is definitive, but combinations of the following should prompt verification before any action is taken.

Sender address anomalies

The visible display name may say "IT Support" or "PayPal" while the actual sending address is a spoofed or typosquatted domain. Check the full sender address, not just the display name. Common patterns include extra letters (paypa1.com), added subdomains (login.paypal.attacker.com), or freemail accounts (a personal webmail address claiming to be a corporate sender).
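The three address patterns above can be turned into a triage check for a mail gateway or a reporting inbox. This is an added example, not code from the article or from Cyberhaven; the trusted-domain table and the freemail list are constructed for illustration, and the registrable-domain rule (last two labels) is a simplification of what the Public Suffix List gives you.

```python
# Constructed mapping of expected display names to the real sending domain
# (assumption for this example; a real deployment would use an allowlist).
TRUSTED_DOMAINS = {"paypal": "paypal.com", "it support": "corp.example"}
# Constructed list of free webmail providers that should never carry corporate mail.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Digit-for-letter swaps used to spot lookalikes such as paypa1.com.
LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels of the host."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:])


def sender_anomalies(display_name, address):
    """Return the reasons a From header looks suspicious (empty list = none found)."""
    reasons = []
    if "@" not in address:
        return ["address has no @ sign"]
    host = address.rsplit("@", 1)[1].lower()
    reg = registrable_domain(host)
    if host in FREEMAIL:
        reasons.append("freemail sender")
    brand_domain = TRUSTED_DOMAINS.get(display_name.strip().lower())
    if brand_domain is None:
        return reasons  # unknown display name: only the freemail check applies
    brand_label = brand_domain.split(".")[0]
    if reg == brand_domain:
        return reasons  # display name and real sending domain agree
    # Extra-letter / digit-swap lookalike of the brand's registrable domain.
    if reg.split(".")[0].translate(LOOKALIKE_MAP) == brand_label:
        reasons.append(f"lookalike domain {reg} for {brand_domain}")
    # Brand name buried in a subdomain of some other registrable domain.
    elif brand_label in host.split(".")[:-2]:
        reasons.append(f"brand {brand_label} used as subdomain of {reg}")
    else:
        reasons.append(f"display name {display_name!r} does not match {reg}")
    return reasons
```

The same registrable-domain comparison applies to link destinations: a link whose visible text names one brand but whose host resolves to a different registrable domain deserves the same flag.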

Urgency and pressure cues

Phishing messages consistently create time pressure, such as "Your account will be suspended," "Immediate action required," or "Reply within 24 hours." Urgency is designed to override deliberate judgment. Legitimate institutions rarely require immediate irreversible action via unsolicited communication.

Mismatched or suspicious URLs

Before clicking any link, hover to inspect the destination URL. Phishing links often use redirect chains, URL shorteners, or lookalike domains. A message from your bank should not link to a domain you do not recognize.

Unexpected requests for credentials or payment

Legitimate organizations do not request passwords, two-factor authentication codes, wire transfers, or gift card purchases via email or text. Any such request, regardless of how official it appears, warrants independent verification through a known phone number or direct website visit.

Generic or unusual greetings

Mass phishing emails often use generic salutations ("Dear Customer") when the real institution would use your name. Conversely, spear phishing may use your name correctly but contain subtle inconsistencies in tone, formatting, or context that suggest the sender does not know you as well as implied.

Attachment warnings

Unexpected attachments in any format (PDFs, Word documents, spreadsheets, compressed archives) warrant caution. Malicious attachments may appear to be invoices, shipping labels, or HR documents. If you were not expecting the attachment and cannot verify the sender independently, do not open it.

How to Prevent Phishing

Phishing prevention requires overlapping controls across technology, process, and people.

Technical controls

  • Email authentication (SPF, DKIM, DMARC): These protocols verify that incoming messages originate from authorized senders. Organizations that publish strict DMARC policies significantly reduce spoofing of their own domain.
  • Email filtering and anti-phishing tools: Modern email security platforms scan links, attachments, and sender reputation in real time and quarantine suspicious messages before delivery.
  • Multi-factor authentication (MFA): MFA prevents account takeover even when credentials are stolen. Phishing-resistant MFA methods (hardware tokens, passkeys) are preferable to SMS-based codes, which can be intercepted via SIM swapping.
  • DNS filtering: Blocking known malicious domains at the DNS layer prevents connections to phishing sites even when a user clicks a malicious link.
  • Data security monitoring: Tools that monitor data movement can detect when a compromised account is being used to access or exfiltrate sensitive files, providing a secondary detection layer after a credential theft.
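The DMARC bullet above says "strict" policies reduce spoofing; the difference between a monitor-only record and an enforcing one is a few DNS tags. The following is an added example, not code from the article or from Cyberhaven: it classifies a DMARC TXT record as strict or not and lists the weak settings. Both record strings are constructed for the example.

```python
# Two constructed DMARC TXT records: the monitor-only record organizations
# often start with, and the strict record that actually blocks spoofing.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (is_strict, findings) for a DMARC record as published in DNS."""
    findings = []
    if not record:
        return False, ["no DMARC record: receivers have no policy for spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return False, ["malformed record: missing v=DMARC1"]
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to spam instead of rejecting them")
    pct_text = tags.get("pct", "100")
    pct = int(pct_text) if pct_text.isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy)  # sp defaults to the domain policy
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains remain spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    is_strict = policy == "reject" and pct == 100 and sub_policy == "reject"
    return is_strict, findings
```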

Process controls

  • Verification protocols for financial transactions: Require out-of-band confirmation (phone call to a known number) for any wire transfer, payroll change, or payment redirection request received via email.
  • Incident reporting channels: Make it easy for employees to report suspicious messages without fear of embarrassment. Fast reporting accelerates takedown requests and alerts peers.
  • Privileged access management: Limit the blast radius of a compromised account by scoping access to what each role genuinely requires.

Security awareness training

Training should go beyond annual compliance videos. Effective programs use simulated phishing exercises to give employees practice identifying real attacks, provide immediate feedback when someone clicks a simulated phishing link, and update scenarios to reflect current attack patterns. Frequency matters: monthly micro-training outperforms annual sessions in retention and detection rates.

How Cyberhaven Addresses Phishing Risk

Phishing's primary consequence for organizations is data exfiltration. Once an attacker obtains valid credentials, they operate as a trusted user and can access, copy, and transfer sensitive data through channels that perimeter security tools do not inspect.

Cyberhaven's DLP addresses this gap by tracking data at the content level rather than the perimeter level. Because Cyberhaven uses Data Lineage to follow individual files and data objects across their entire lifecycle, it can detect when a credential-compromised account accesses sensitive data and initiates unusual transfers, even when those transfers use sanctioned tools. An attacker logging in with stolen credentials and downloading customer records to a personal cloud account triggers the same behavioral and content-based controls that would flag an insider threat.

Cyberhaven's IRM capability adds behavioral context to account activity. When an account that normally accesses only marketing files suddenly queries the customer database at 2 a.m. and exports a large archive, IRM correlates that pattern against baseline behavior and surfaces it for investigation, regardless of whether the actor is an adversary using stolen credentials or a malicious insider.

Together, DLP and IRM provide a detection layer that remains effective even after a phishing attack succeeds at the credential level. For organizations in regulated industries where a breach must be contained and documented, Cyberhaven's Data Lineage also produces a precise record of what data was accessed, by which account, and where it was sent, reducing investigation time and supporting mandatory notification assessments.

Learn more about how to prevent phishing-related data incidents with “How to Detect and Prevent Data Exfiltration in Real Time.”