Phishing & Social Engineering

What Is Phishing?


Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Phishing is a social engineering attack in which threat actors masquerade as legitimate entities and send deceptive messages—typically via email, SMS, or messaging apps—to trick users into revealing sensitive data, downloading malicious software, or transferring funds. According to NIST, phishing is "a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person" (NIST CSRC Glossary, CNSSI 4009-2015).

How does phishing work?

Phishing attacks follow a predictable lifecycle, though sophistication varies widely. Threat actors begin with reconnaissance, harvesting email addresses and organizational information from public sources, data breaches, or paid lists. They then craft a lure that impersonates a trusted brand—leveraging urgency, authority, or curiosity to compel action. Messages are delivered at scale via email, SMS, social media, or messaging platforms.

The attack exploits two primary vectors. Credential-harvesting phishing directs victims to a counterfeit website that mimics a legitimate service's login page. When the user enters their credentials, attackers capture them for immediate account takeover or credential stuffing attacks. Some advanced campaigns also capture multifactor authentication (MFA) codes through fake TOTP applications or real-time interception of push notifications ("MFA bypass"). According to CISA, attackers then "masquerade as that subscriber to the real verifier or relying party" using stolen credentials (CISA, "Phishing Guidance: Stopping the Attack Cycle at Phase One," October 2023).

Malware-based phishing delivers weaponized attachments—typically documents, PDFs, or executables—that execute when opened. The payload ranges from infostealers that exfiltrate credentials to ransomware that encrypts entire file systems. Both vectors depend entirely on user interaction: the attack fails unless the target clicks a link or opens an attachment.

AI-enhanced phishing now generates highly convincing lures with fewer grammatical errors and more natural tone, making both human and automated detection harder. Traditional content-based signals that flagged phishing emails—typos, awkward phrasing, generic greetings—are disappearing as AI tools scale personalization and language quality.

How does phishing differ from spear phishing?

Phishing and spear phishing operate on the same technical principles but differ dramatically in targeting precision and personalization. The comparison table below illustrates the key tradeoffs:

Attribute | Phishing | Spear Phishing
--- | --- | ---
Targeting approach | Broad, untargeted—cast a wide net | Specific individuals or small groups
Personalization | Minimal or generic | High—uses target's name, role, company, recent projects
Volume | Mass campaigns—thousands to millions of messages | Low volume—often single-digit to dozens of messages
Attacker effort | Minimal—little research required | High—requires extensive reconnaissance on each target
Detection difficulty | Easier to filter via content/URL/SPF/DKIM/DMARC | Harder to filter due to personalization and legitimate sender accounts
Per-attack success rate | ~4.93% (Proofpoint, "2024 State of the Phish Report," 2024) | ~53.2% (Keepnet Labs, "2025 Phishing Statistics")
Financial impact per incident | Lower—compensated by volume | Moderate to high
Breach involvement | Contributing factor | 66% of all breaches despite <0.1% of email traffic (Barracuda, "2023 Spear-Phishing Trends Report," 2023)
Ideal for | Casting a wide net for any credentials or malware delivery | Targeted theft of specific data, executive impersonation, or strategic account compromise

Neither approach is universally better. Mass phishing scales revenue for attackers through sheer volume; spear phishing compensates for lower volume with dramatically higher success rates. Organizations face both simultaneously—bulk phishing strains email infrastructure and user attention, while spear phishing bypasses defenses through personalization and often compromised legitimate accounts.

Why has phishing gained traction?

Phishing has become the dominant attack vector because it reliably exploits the gap between security infrastructure and human judgment. Several market forces explain its prevalence.

Phishing was the #1 reported cybercrime to the FBI's Internet Crime Complaint Center (IC3) in 2024, with 193,407 complaints—more than double the next category (extortion at 86,415 complaints). Reported losses from phishing surged from $18.7 million in 2023 to $70 million in 2024, a 274% increase (FBI, "2024 IC3 Annual Report," 2025). Total cybercrime losses across all categories reached $16.6 billion in 2024, a 33% increase from 2023, driven substantially by email-based attacks.

Phishing's impact extends beyond direct financial losses. Social engineering—which includes phishing—ranks consistently as a top initial access vector in data breaches. Ransomware appeared in 44% of all confirmed breaches in 2024, up from 32% the prior year, with phishing being the primary delivery mechanism (Verizon, "2025 Data Breach Investigations Report," 2025). The global average cost of a data breach was $4.44 million in 2025, but US organizations paid $10.22 million on average, making the US the most expensive region for breach remediation (IBM, "Cost of a Data Breach Report," 2025).

However, this traction is not inevitable. User behavior remains the critical vulnerability. Proofpoint found that 68% of employees knowingly take risky actions despite training—clicking suspicious links, opening attachments, or sharing credentials (Proofpoint, "2024 State of the Phish Report," 2024). Yet training does create measurable impact: simulated phishing failure rates have declined over time, and organizations investing in repeated, role-based training show 5-10% improvement in response rates. The caveat is that training effectiveness degrades rapidly without continuous reinforcement—a single training session provides minimal protection.

Third-party compromise amplifies phishing's impact. Third-party involvement in breaches surged to 30% in 2024, doubling from 15% the prior year (Verizon, "2025 Data Breach Investigations Report," 2025). When attackers compromise a trusted vendor's email account, phishing emails originate from verified, authenticated senders—rendering email authentication controls ineffective.

What are the limitations of phishing?

Phishing's simplicity is also its weakness. Modern email filters using machine learning, URL reputation services, and sandboxing have become increasingly effective at blocking mass campaigns. Organizations with mature email security infrastructure detect 80-90% of bulk phishing before it reaches user inboxes—a significant improvement over five years ago.

Sender authentication protocols represent a structural defense that phishing attackers cannot fully overcome. SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) can prevent domain spoofing when properly configured at the "reject" policy level. However, many organizations still operate DMARC in "monitor" mode rather than enforcement, leaving the window open for domain-spoofing attacks. Organizations that fully enforce DMARC reduce impersonation-based phishing by up to 95% (CISA, "Phishing Guidance," October 2023).

User interaction remains the critical bottleneck for attackers. If a user does not click the link or open the attachment, the attack fails. This dependence on human action means phishing has an inherent failure rate that technical controls alone cannot eliminate. Even with MFA bypass techniques, attackers must still achieve the initial click.

The multi-channel expansion of phishing creates operational challenges for defenders. Email-only security programs fail against SMS phishing (smishing), voice phishing (vishing), and messaging app-based attacks. Organizations that monitor only email miss 30-40% of phishing-derived account compromises. Proofpoint detects an average of 10 million Telephone-Oriented Attack Delivery (TOAD) messages per month—these are emails that direct victims to call a phone number where live vishing occurs—showing how attackers chain phishing across channels (Proofpoint, "2024 State of the Phish Report," 2024).

MFA fatigue and bypass techniques continue to evolve. Attackers increasingly use legitimate authentication flows—real push notifications to previously compromised MFA devices, or credential-forwarding proxies that sit between the user and the target service—to bypass standard MFA implementations. Only phishing-resistant MFA (FIDO2/WebAuthn hardware keys) fully resists these techniques, though hardware key adoption remains limited outside highly security-mature organizations.

AI-generated content has removed language-based detection signals. Grammatical errors, typos, and awkward phrasing once flagged phishing reliably. AI-powered lure generation now produces messages nearly indistinguishable from legitimate communications, eliminating a key human detection heuristic.

How can organizations defend against phishing?

Effective phishing defense combines technical, human, and organizational controls across multiple channels.

Technical controls should implement email security infrastructure that assumes sender authentication is not trustworthy. Deploy modern email gateways using machine learning to scan messages for malicious URLs, suspicious attachments, and content patterns indicating social engineering. Implement URL reputation checking and real-time URL analysis (sandboxing) to catch zero-day malicious links. DMARC must be enforced at the "reject" policy level to prevent domain spoofing—many organizations spend years in "monitor" or "quarantine" mode before reaching enforcement, leaving vulnerable windows open.
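As an added illustration of the DMARC policy levels discussed here and in the limitations section (this is example code, not from the page or from Kinds Security), the following Python parses a DMARC TXT record and reports whether it actually enforces; the sample records and domain names are constructed.

```python
# Constructed sample DMARC TXT records (not from the page). In practice the
# record is fetched from DNS at _dmarc.<domain>; here it is embedded inline.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example":      "v=DMARC1; p=quarantine; pct=25; sp=none",
    "enforced.example":     "v=DMARC1; p=reject; sp=reject; rua=mailto:agg@enforced.example",
    "malformed.example":    "v=spf1 -all",   # an SPF record published where DMARC belongs
}

def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs (RFC 7489 'tag;tag' syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (status, findings): status is one of missing/monitor/partial/enforced."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["no valid DMARC record (v=DMARC1 tag absent)"]
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not collected, failures stay invisible")
    policy = tags.get("p", "").lower()
    sub_policy = tags.get("sp", policy).lower()      # sp defaults to the p value
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100  # pct defaults to 100
    if policy == "none":
        findings.append("p=none: spoofed mail is still delivered; monitoring only")
        return "monitor", findings
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if sub_policy == "none":
        findings.append("sp=none: subdomains of this domain can still be spoofed")
    if policy == "reject" and sub_policy == "reject" and pct == 100:
        return "enforced", findings
    return "partial", findings

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, findings = assess_dmarc(record)
        print(f"{domain}: {status}", *findings, sep="\n    ")
```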

Phishing-resistant MFA should be mandatory for all privileged accounts and strongly recommended for users with financial authority or access to sensitive data. According to NIST SP 800-63-4 and OMB M-22-09, federal agencies must use phishing-resistant MFA by 2025. FIDO2/WebAuthn hardware keys are the gold standard; TOTP applications and SMS-based MFA provide incremental improvements but remain vulnerable to sophisticated attacks. Browser isolation, which prevents malicious web content from reaching the endpoint, provides defense-in-depth against drive-by downloads and credential harvesting.

Endpoint detection and response (EDR) tools should monitor for malware delivered via phishing attachments that bypass email filters. EDR provides visibility into process execution, memory injection, and network connections that indicate post-compromise activity.

Human controls require sustained investment. Security awareness training should move beyond annual compliance videos to periodic, role-based simulations. Finance teams, HR personnel, IT help desk staff, and executives face different phishing threats and need tailored training. Proofpoint found that organizations implementing simulated phishing exercises with immediate feedback show 15-25% improvement in click-through reduction within six months (Proofpoint, "2024 State of the Phish Report," 2024).

One-click phishing reporting tools embedded in email clients dramatically improve detection speed. When employees can flag suspicious messages with a single click, security teams gain real-time threat intelligence and immediately isolate malicious campaigns before they propagate organization-wide. Solutions like Cofense Reporter and KnowBe4's Phish Alert Button have become standard practice in security-mature organizations.

Organizational controls should extend beyond email. Implement multi-channel monitoring to detect phishing on SMS, voice calls, and collaboration platforms like Slack and Teams. Many organizations have sophisticated email security but no protections on messaging apps where phishing increasingly occurs. Zero-trust architecture limits lateral movement damage if a user falls for phishing and has their credentials compromised—assume breach principles ensure that compromised credentials alone cannot access critical systems.

Incident response procedures specific to phishing should include immediate credential reset, mailbox audit (to detect data theft in calendar invitations and drafts), threat hunting for lateral movement, and cross-organizational communication with any business partners who may have received phishing from the compromised account.

FAQs

What percentage of cyberattacks start with phishing?

Phishing was the #1 reported cybercrime to FBI IC3 in 2024 with 193,407 complaints, accounting for 22% of all reported cyber complaints that year. Social engineering, which includes phishing, consistently ranks as a top-3 initial access vector in data breaches according to the Verizon Data Breach Investigations Report. In 2024, breaches involving phishing correlated directly with ransomware deployment: 44% of all confirmed breaches involved ransomware, with phishing the primary delivery mechanism (FBI, "2024 IC3 Annual Report," 2025; Verizon, "2025 Data Breach Investigations Report," 2025).

How much do phishing attacks cost organizations?

The global average cost of a data breach was $4.44 million in 2025, with the US averaging $10.22 million—the highest regionally. FBI IC3 reported $70 million in direct phishing losses in 2024, a 274% increase from $18.7 million in 2023. Total cybercrime losses reached $16.6 billion in 2024, with phishing-initiated breaches contributing substantially to this figure. Individual large breaches initiated by phishing can cost tens of millions of dollars (IBM, "Cost of a Data Breach Report," 2025; FBI, "2024 IC3 Annual Report," 2025).

What is phishing-resistant MFA and why does it matter?

Phishing-resistant MFA uses cryptographic authentication methods—most commonly FIDO2/WebAuthn hardware keys—that cannot be intercepted by phishing attacks. Unlike SMS codes or push notifications, which can be captured through credential-forwarding proxies or social engineering, hardware keys require physical possession and generate signatures that are tied to the target website's domain. If an attacker tricks a user into visiting a fake login page, the hardware key detects the fraudulent domain and refuses to authenticate. NIST SP 800-63-4 and OMB M-22-09 mandate phishing-resistant MFA for US federal agencies by 2025, reflecting the technology's importance to national security (NIST SP 800-63-4; CISA, "Implementing Phishing-Resistant MFA Fact Sheet," 2022).
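An added, simplified model of the domain binding described above and in the MFA-bypass discussion earlier (example code, not from the page or any WebAuthn library): the relying-party domain, the origin, and the use of an HMAC in place of the credential's private-key signature are assumptions made to keep it self-contained, while the origin and rpIdHash checks mirror the real verification steps.

```python
import hashlib, hmac, json, os

# Constructed relying party (RP) identity; a real RP reads these from its config.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"

def make_credential():
    """Registration: the authenticator creates a credential scoped to RP_ID.
    The HMAC key stands in for the credential's private key (simplification)."""
    return {"rp_id": RP_ID, "key": os.urandom(32)}

def authenticator_assert(cred, challenge, browser_origin, browser_rp_id):
    """Authentication: the browser, not the web page, supplies the origin it
    actually loaded and the rpId derived from it; the signature covers both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(browser_rp_id.encode()).digest()   # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred["key"], signed, hashlib.sha256).digest()  # stand-in signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(cred, expected_challenge, assertion):
    """RP verification order: origin, rpIdHash, challenge, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: assertion was made for " + str(cd.get("origin"))
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred["key"], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"

def legitimate_login(cred):
    challenge = os.urandom(16).hex()
    return rp_verify(cred, challenge, authenticator_assert(cred, challenge, RP_ORIGIN, RP_ID))

def proxied_login(cred, lookalike="bank-example.com"):
    """A credential-forwarding proxy relays the RP's real challenge, but the victim's
    browser binds the assertion to the lookalike origin, so the real RP rejects it.
    (A real browser would not even offer a credential scoped to a different rpId.)"""
    challenge = os.urandom(16).hex()
    assertion = authenticator_assert(cred, challenge, "https://" + lookalike, lookalike)
    return rp_verify(cred, challenge, assertion)
```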

How effective is phishing awareness training?

Training shows measurable but imperfect results. Proofpoint found that the average simulated phishing failure rate is 4.93% across all organizations, and the average reporting rate for simulated phishing is 18.65%—meaning most users can identify obvious simulations and many proactively report suspicious emails. However, 68% of employees still knowingly take risky actions despite training, and training effectiveness degrades without continuous reinforcement. Organizations investing in monthly simulations with immediate feedback see 15-25% improvement in click reduction over six months, but stopping training causes rapid regression (Proofpoint, "2024 State of the Phish Report," 2024).

Why is multi-channel phishing harder to defend against?

Email-only defenses miss phishing attacks delivered via SMS, voice calls, social media, and messaging platforms. Proofpoint detects 10 million TOAD (Telephone-Oriented Attack Delivery) messages monthly—emails that direct victims to call a phone number where live vishing occurs. These multi-channel attacks exploit the fact that most organizations have mature email security but minimal protections on alternative channels, and users are often less skeptical of text messages and phone calls than emails (Proofpoint, "2024 State of the Phish Report," 2024).


© 2026 Kinds Security Inc. All rights reserved.
