What is phishing?
Phishing is a social-engineering technique: rather than attacking a machine, the attacker manipulates a person. By posing as a legitimate party (a bank, a colleague, a supplier), they induce the target to click a booby-trapped link, open a malicious attachment, enter credentials or make a payment.
It is often the first step of a broader attack: the access gained through phishing is then used to move laterally through the environment, deploy ransomware or exfiltrate data.
Why it matters for your organization
Phishing remains the most common entry point for cyberattacks, precisely because it bypasses technical defenses by targeting the human. A single deceived person can be enough to compromise an entire organization.
The arrival of generative AI has made these attacks far more credible and personalized. The usual tells, such as language errors, disappear, and deepfakes add a layer of deception over voice and image.
How to reduce the risk
- Multi-factor authentication to limit the impact of a stolen credential.
- Ongoing awareness training and realistic simulation exercises.
- Email filtering and mailbox protection (SPF, DKIM, DMARC).
- Verification procedures for sensitive requests, especially payment transfers.
- Easy reporting so employees raise the alarm quickly when in doubt.
Where organizations most often fall short
The classic mistake is to bet everything on training in the hope of reaching a zero click rate, which is an unrealistic goal. It is better to assume that a phishing attempt will eventually succeed and to limit the consequences through multi-factor authentication, segmentation and verification procedures. The other pitfall is neglecting business email compromise, which often contains no link or attachment for a filter to detect.
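The two points above (mailbox protection with SPF, DKIM and DMARC, and business email compromise that carries no link or attachment) can be illustrated with a small inbound-mail triage check. The script below is an added example written for this page, not code from the original text or from any mail-security product. It reads the Authentication-Results header that a receiving mail server adds after its SPF/DKIM/DMARC checks, then applies a few defender-side heuristics that work even when a message passes authentication: a Reply-To domain that differs from the From domain, a sender domain that is one or two characters away from the organization's own domain, and payment-transfer wording in the body. The organization's domain (`example.com`), the three sample messages and the keyword list are all constructed for the example; a real deployment would tune the keyword list and the lookalike threshold to its own traffic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the organization's own mail domain.
TRUSTED_DOMAIN = "example.com"

# Constructed wording that typically appears in payment-diversion requests.
PAYMENT_WORDS = ("wire transfer", "bank details", "iban", "invoice", "urgent")


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def get_body(msg):
    """Return the text/plain content of a single-part or multipart message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload()


def assess(raw):
    """Score one raw RFC 5322 message; returns a risk level and the reasons."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else from_domain

    # 1. Authentication verdict: a DMARC failure on a message claiming to be
    #    from one of our domains is what SPF/DKIM/DMARC are deployed to catch.
    results = auth_results(msg)
    if results.get("dmarc") != "pass":
        findings.append(f"dmarc={results.get('dmarc', 'none')}")
    # 2. Reply-To pointing somewhere other than the visible sender.
    if reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from {from_domain}")
    # 3. Sender domain that is a near-miss of our own (passes DMARC for the
    #    attacker's domain, so authentication alone will not flag it).
    if from_domain != TRUSTED_DOMAIN and 0 < edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_domain}")
    # 4. Content signals: payment wording (BEC) and links (credential phishing).
    body = get_body(msg).lower()
    if any(w in body for w in PAYMENT_WORDS):
        findings.append("payment/transfer request in body")
    if re.search(r"https?://", body):
        findings.append("contains link")

    risk = "high" if len(findings) >= 2 else ("medium" if findings else "low")
    return {"risk": risk, "findings": findings}


# Constructed sample messages (not real traffic).
LEGIT = """From: "IT Helpdesk" <helpdesk@example.com>
To: bob@example.com
Subject: Maintenance window
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

The mail server will be restarted on Saturday at 22:00.
"""

# BEC-style: no link, no attachment, and DMARC passes for the attacker's lookalike domain.
BEC = """From: "Alice Martin (CEO)" <alice.martin@examp1e.com>
Reply-To: alice.martin.ceo@mail-provider.example
To: bob@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Bob, I am in a meeting and cannot talk. Please process an urgent wire transfer to a new supplier today; I will send the IBAN shortly.
"""

# Spoofed sender on our own domain: caught by DMARC, and it carries a link.
SPOOFED = """From: "Example Security" <security@example.com>
To: bob@example.com
Subject: Password expiry
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Your password expires today. Verify it at http://example-login.invalid/reset
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("bec", BEC), ("spoofed", SPOOFED)):
        print(name, assess(raw))
```

The spoofed message is the case email authentication was built for: DMARC fails and the message is flagged before anyone reads it. The BEC message passes every authentication check, because the attacker controls the lookalike domain and has configured it correctly; it is the Reply-To mismatch, the near-miss domain and the transfer request that raise it to high risk, which is why a verification procedure for payment requests is listed alongside SPF, DKIM and DMARC rather than instead of them.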