What Is Phishing? Definition, Types, and Protection
What is Phishing? Phishing is a fraud method in which attackers pretend to be a trustworthy entity to obtain credentials, payments or other actions. Phishing is a subset of social engineering, i.e., manipulating people rather than technology. Typical channels are email, SMS, phone and QR codes. Protection primarily relies on phishing‑resistant MFA and passkeys.
Key Takeaways
- Context: Phishing is a subset of social engineering. The attack targets humans, not a technical vulnerability.
- Forms: Mass‑phishing, spear‑phishing, BEC/CEO fraud, smishing, vishing and quishing via QR codes, increasingly using AI‑generated voices and deepfakes.
- Protection: phishing‑resistant MFA or passkeys first. Awareness training adds extra protection but does not replace technology.
How Phishing Works
Phishing follows a recognizable pattern. An attacker pretends to be a trusted sender, such as a bank, supplier, or superior. Via a message, they generate pressure and demand a concrete action: a login, an approval, a transfer, or opening an attachment. The recipient should react before checking.
of observed initial accesses start with phishing
ENISA Threat Landscape 2025
Classic triggers are time pressure, the threat of disadvantages, a purported package, or a supposed security warning. The message leads to a fabricated login page, installs malicious code, or redirects a payment to an altered IBAN. The attack vector is always the human. If the manipulation succeeds, the target provides the information or approval themselves.
The ENISA Threat Landscape 2025 quantifies phishing at 60 Percent of observed initial accesses, with a clear gap to exploiting vulnerabilities. Also, the BSI’s situation report lists phishing as an ongoing trend. A well-crafted lure is hard to recognize as fraud without technical means.
Phishing as a Subset of Social Engineering
Social engineering is the overarching term and refers to manipulating people to obtain information or actions. Rather than exploiting a technical vulnerability, the attacker leverages human patterns such as helpfulness, authority, fear, curiosity, or time pressure. Phishing is a subset of that, where a digital message is the central tool.
The distinction: A mass‑email with a forged link is classic phishing. A targeted attack with prior research on a specific individual is spear‑phishing. A phone call without prior notice is vishing, i.e., social engineering over the phone. An in‑person attack, for example by a purported tradesperson on site, is also social engineering but does not fall under phishing.
For defense, the distinction matters. Phishing protection starts at the inbox, vishing protection at the hotline, BEC protection at the approval process for transfers. Anyone who isolates phishing only covers a fragment of the threat.
Forms of Phishing
Phishing manifests in several guises, each distinguished by target, channel, and deception technique. The baseline form is mass phishing, characterized by high volume and generic greetings. Its success hinges on sheer numbers. Spear phishing, by contrast, targets individuals or teams, leveraging previously gathered intelligence to craft personalized messages. While the preparation is more intensive, the payoff is correspondingly higher.
Business Email Compromise, or BEC, or CEO fraud, attacks financial and approval workflows. A purported supervisor or supplier demands an urgent transfer, often to an altered IBAN. Smishing delivers the bait via SMS or messaging apps, frequently tied to parcel or customs issues. Vishing is voice phishing over the phone, where a voice lends greater authority than text. Quishing exploits QR codes as an entry point: the actual URL remains hidden until scanned, thereby bypassing many email filters.
AI is reshaping the rules of the game. Synthetic voices mimic known individuals, and deepfake videos surface in video calls. The effort required has dropped-just a voice clone can launch an attack if it convinces the listener.
Detecting and Defending Against Phishing
Security begins with technology. Awareness training is a supplement and must not be the final line of defense. Relying solely on employee vigilance to solve phishing hands over safety to chance.
CHECK PROTECTION NOW
- ✓Migrate to phishing‑resistant MFA or passkeys
- ✓Configure and monitor DMARC, SPF, and DKIM
- ✓Operate an email gateway with URL rewriting and attachment sandboxing
- ✓Establish a reporting path for suspicious messages
- ✓Add a second approval step to payment processes
The most important measure is phishing‑resistant multi‑factor authentication (MFA), or, more consistently, passkeys. These methods bind authentication to a domain, rendering an intercepted token useless for any other origin. Classic SMS codes or TOTP from apps are interceptable and do not provide this protection. Passkeys completely eliminate the shared secret.
In addition, inbox‑level filters employ DMARC, SPF, and DKIM for sender verification, alongside AI‑driven detections, URL rewriting, and sandbox detonation of attachments. While these filters reduce volume, they cannot stop a targeted attack launched from a compromised legitimate sender.
The typical warning signs remain steady: urgency and pressure, deviating sender domains, unexpected login prompts, and demands for an exception from the usual process. A clear reporting path without punishment for reported mistakes boosts detection rates.
Frequently Asked Questions
Every question is locked. A tap unlocks the answer.
Is phishing the same as social engineering?
No. Social engineering is the umbrella term for manipulating individuals. Phishing represents just one subset – specifically, the use of digital messages to do so. Other manifestations include vishing conducted via phone calls, as well as in-person attacks on site.
What is the difference between phishing and spear phishing?
Mass phishing targets many recipients with generic salutations. Spear phishing focuses on individual persons or teams and uses previously gathered details. The effort is higher, but the success rate is also higher.
Is awareness training sufficient as protection?
No. Awareness training complements, but should not be the last line of defense. The most important measure is phishing-resistant multi-factor authentication (MFA) or passkeys.
Which MFA protects against phishing?
Phishing‑resistant methods such as FIDO2 keys or platform authenticators bind login to a domain. An intercepted token is useless for another origin. SMS codes or TOTP are interceptable and do not provide this protection.
What is Quishing?
Quishing is phishing via QR codes. The code leads to a fake page. The URL only becomes visible after scanning and bypasses many email filters because the malicious link is not in the email text.
Editor’s Picks
Editor’s PickWhat Is a Passkey? Definition, How It Works, and StandardsEditor’s PickWhat Is Ransomware? Definition, Process, and ProtectionEditor’s PickWhen a Phone Call Halted Car Production
More from the MBF Media Network
MyBusinessFutureWhen the update itself becomes an entry pointcloudmagazinBanning shadow AI is the most expensive reflex in IT security




