{"id":21907,"date":"2026-07-10T11:20:00","date_gmt":"2026-07-10T11:20:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/07\/10\/what-is-phishing-definition-types-protection\/"},"modified":"2026-07-11T06:17:29","modified_gmt":"2026-07-11T06:17:29","slug":"what-is-phishing-definition-types-protection","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/10\/what-is-phishing-definition-types-protection\/","title":{"rendered":"What Is Phishing? Definition, Types, and Protection"},"content":{"rendered":"<div class=\"st-definition\">\n<p><strong>What is Phishing?<\/strong> Phishing is a fraud method in which attackers pretend to be a trustworthy entity to obtain credentials, payments or other actions. Phishing is a subset of social engineering, i.e., manipulating people rather than technology. Typical channels are email, SMS, phone and QR codes. Protection primarily relies on phishing\u2011resistant MFA and passkeys.<\/p>\n<\/div>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Context:<\/strong> Phishing is a subset of social engineering. The attack targets humans, not a technical vulnerability.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Forms:<\/strong> Mass\u2011phishing, spear\u2011phishing, BEC\/CEO fraud, smishing, vishing and quishing via QR codes, increasingly using AI\u2011generated voices and deepfakes.<\/li>\n<li style=\"margin-bottom:0;\"><strong style=\"color:#69d8ed;\">Protection:<\/strong> phishing\u2011resistant MFA or passkeys first. Awareness training adds extra protection but does not replace technology.<\/li>\n<\/ul>\n<\/div>\n<h2>How Phishing Works<\/h2>\n<p>Phishing follows a recognizable pattern. An attacker pretends to be a trusted sender, such as a bank, supplier, or superior. Via a message, they generate pressure and demand a concrete action: a login, an approval, a transfer, or opening an attachment. The recipient should react before checking.<\/p>\n<div data-element=\"key_number\" style=\"background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:28px 24px;margin:32px 0;text-align:center;\">\n<div style=\"font-size:1.6em;font-weight:800;color:#69d8ed;line-height:1.05;word-break:keep-all;\">60 Percent<\/div>\n<p style=\"margin:10px 0 0;font-size:0.92em;color:#e6e3da;\">of observed initial accesses start with phishing<\/p>\n<p style=\"margin:6px 0 0;font-size:0.78em;color:#8fa3ab;\">ENISA Threat Landscape 2025<\/p>\n<\/div>\n<p>Classic triggers are time pressure, the threat of disadvantages, a purported package, or a supposed security warning. The message leads to a fabricated login page, installs malicious code, or redirects a payment to an altered IBAN. The attack vector is always the human. If the manipulation succeeds, the target provides the information or approval themselves.<\/p>\n<p>The ENISA Threat Landscape 2025 quantifies phishing at 60 Percent of observed initial accesses, with a clear gap to exploiting vulnerabilities. Also, the BSI&#8217;s situation report lists phishing as an ongoing trend. A well-crafted lure is hard to recognize as fraud without technical means.<\/p>\n<h2>Phishing as a Subset of Social Engineering<\/h2>\n<p>Social engineering is the overarching term and refers to manipulating people to obtain information or actions. Rather than exploiting a technical vulnerability, the attacker leverages human patterns such as helpfulness, authority, fear, curiosity, or time pressure. Phishing is a subset of that, where a digital message is the central tool.<\/p>\n<p>The distinction: A mass\u2011email with a forged link is classic phishing. A targeted attack with prior research on a specific individual is spear\u2011phishing. A phone call without prior notice is vishing, i.e., social engineering over the phone. An in\u2011person attack, for example by a purported tradesperson on site, is also social engineering but does not fall under phishing.<\/p>\n<p>For defense, the distinction matters. Phishing protection starts at the inbox, vishing protection at the hotline, BEC protection at the approval process for transfers. Anyone who isolates phishing only covers a fragment of the threat.<\/p>\n<h2>Forms of Phishing<\/h2>\n<p>Phishing manifests in several guises, each distinguished by target, channel, and deception technique. The baseline form is mass phishing, characterized by high volume and generic greetings. Its success hinges on sheer numbers. Spear phishing, by contrast, targets individuals or teams, leveraging previously gathered intelligence to craft personalized messages. While the preparation is more intensive, the payoff is correspondingly higher.<\/p>\n<p>Business Email Compromise, or BEC, or CEO fraud, attacks financial and approval workflows. A purported supervisor or supplier demands an urgent transfer, often to an altered IBAN. Smishing delivers the bait via SMS or messaging apps, frequently tied to parcel or customs issues. Vishing is voice phishing over the phone, where a voice lends greater authority than text. Quishing exploits QR codes as an entry point: the actual URL remains hidden until scanned, thereby bypassing many email filters.<\/p>\n<p>AI is reshaping the rules of the game. Synthetic voices mimic known individuals, and deepfake videos surface in video calls. The effort required has dropped-just a voice clone can launch an attack if it convinces the listener.<\/p>\n<h2>Detecting and Defending Against Phishing<\/h2>\n<p>Security begins with technology. Awareness training is a supplement and must not be the final line of defense. Relying solely on employee vigilance to solve phishing hands over safety to chance.<\/p>\n<div data-element=\"checklist\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:22px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 12px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">CHECK PROTECTION NOW<\/p>\n<ul style=\"margin:0;padding-left:0;list-style:none;\">\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Migrate to phishing\u2011resistant MFA or passkeys<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Configure and monitor DMARC, SPF, and DKIM<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Operate an email gateway with URL rewriting and attachment sandboxing<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Establish a reporting path for suspicious messages<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Add a second approval step to payment processes<\/li>\n<\/ul>\n<\/div>\n<p>The most important measure is phishing\u2011resistant multi\u2011factor authentication (MFA), or, more consistently, passkeys. These methods bind authentication to a domain, rendering an intercepted token useless for any other origin. Classic SMS codes or TOTP from apps are interceptable and do not provide this protection. Passkeys completely eliminate the shared secret.<\/p>\n<p>In addition, inbox\u2011level filters employ DMARC, SPF, and DKIM for sender verification, alongside AI\u2011driven detections, URL rewriting, and sandbox detonation of attachments. While these filters reduce volume, they cannot stop a targeted attack launched from a compromised legitimate sender.<\/p>\n<p>The typical warning signs remain steady: urgency and pressure, deviating sender domains, unexpected login prompts, and demands for an exception from the usual process. A clear reporting path without punishment for reported mistakes boosts detection rates.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Every question is locked. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>Is phishing the same as social engineering?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">No. Social engineering is the umbrella term for manipulating individuals. Phishing represents just one subset &#8211; specifically, the use of digital messages to do so. Other manifestations include vishing conducted via phone calls, as well as in-person attacks on site.<\/p>\n<\/details>\n<details>\n<summary><strong>What is the difference between phishing and spear phishing?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Mass phishing targets many recipients with generic salutations. Spear phishing focuses on individual persons or teams and uses previously gathered details. The effort is higher, but the success rate is also higher.<\/p>\n<\/details>\n<details>\n<summary><strong>Is awareness training sufficient as protection?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">No. Awareness training complements, but should not be the last line of defense. The most important measure is phishing-resistant multi-factor authentication (MFA) or passkeys.<\/p>\n<\/details>\n<details>\n<summary><strong>Which MFA protects against phishing?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Phishing\u2011resistant methods such as FIDO2 keys or platform authenticators bind login to a domain. An intercepted token is useless for another origin. SMS codes or TOTP are interceptable and do not provide this protection.<\/p>\n<\/details>\n<details>\n<summary><strong>What is Quishing?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Quishing is phishing via QR codes. The code leads to a fake page. The URL only becomes visible after scanning and bypasses many email filters because the malicious link is not in the email text.<\/p>\n<\/details>\n<p><!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/09\/what-is-a-passkey-definition-how-it-works-standards\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-ein-passkey-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">What Is a Passkey? Definition, How It Works, and Standards<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/08\/what-is-ransomware-definition-process-protection\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-ransomware-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">What Is Ransomware? Definition, Process, and Protection<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/07\/if-a-phone-call-stops-car-production\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">When a Phone Call Halted Car Production<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/mybusinessfuture.com\/en\/when-the-update-itself-becomes-an-entry-point\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-lieferkettenangriff-software-mittelstand-72660027-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">When the update itself becomes an entry point<\/span><\/span><\/a><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/07\/06\/banning-shadow-ai-is-the-most-expensive-reflex-in-it-security\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-shadow-ai-verbieten-teuerster-reflex-gov-92616216.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Banning shadow AI is the most expensive reflex in IT security<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"Phishing explained: how attacks work, from spear-phishing to quishing, and why passkeys offer the best protection.","protected":false},"author":50,"featured_media":21890,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"phishing attacks","_yoast_wpseo_title":"What Is Phishing? Definition, Types, and Protection","_yoast_wpseo_metadesc":"Phishing explained: how attacks work, types including spear-phishing and quishing, and why passkeys are the most effective defense.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-phishing-cover-hero.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-phishing-cover-hero.jpg","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","_evm_translation_lang":"en","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[263],"tags":[],"class_list":["post-21907","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sicherheitslexikon-en"],"evm_reading_time_minutes":6,"wpml_language":"en","wpml_translation_of":21884,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=21907"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21907\/revisions"}],"predecessor-version":[{"id":21938,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21907\/revisions\/21938"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/21890"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=21907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=21907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=21907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}