Phishing

Also known as: email fraud, phishing attack, social engineering email

A social engineering attack where criminals send deceptive emails, messages, or create fake websites designed to trick people into revealing sensitive information like passwords, financial data, or personal details.

In-Depth Explanation

Phishing is a social engineering technique where attackers impersonate trusted entities to trick victims into revealing sensitive information, clicking malicious links, or downloading malware. It remains the most common initial attack vector for cyber breaches.

Types of phishing:

  • Email phishing: Mass emails impersonating legitimate organisations
  • Spear phishing: Targeted attacks against specific individuals
  • Whaling: Phishing targeting senior executives and decision-makers
  • Smishing: Phishing via SMS text messages
  • Vishing: Phishing via voice calls
  • Clone phishing: Duplicating a legitimate email with malicious modifications
  • Business Email Compromise (BEC): Impersonating executives to authorise transfers

Common phishing tactics:

  • Urgency ("Your account will be suspended in 24 hours")
  • Authority ("Message from your CEO")
  • Fear ("Unusual activity detected on your account")
  • Reward ("You have won a prize")
  • Curiosity ("Someone shared a document with you")
  • Trust ("Invoice from your supplier attached")

Phishing red flags:

  • Sender address does not match the claimed organisation
  • Urgency or pressure to act immediately
  • Generic greeting ("Dear Customer" instead of your name)
  • Suspicious links (hover to check actual destination)
  • Unexpected attachments
  • Requests for sensitive information via email
  • Poor grammar and spelling (though AI-written lures make this a less reliable signal)
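
Several of the red flags above can be checked mechanically before a message ever reaches a user. The following is an added example, not code from the original page or from Clever Ops: a Python script that parses a raw email with the standard library and reports a Reply-To domain that differs from the sender, failed or absent SPF/DKIM/DMARC results recorded by the receiving server in the Authentication-Results header, a generic greeting, urgency wording, and links whose visible text names a different domain than their actual destination. Both messages, and every domain and address in them, are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Two constructed messages (hypothetical domains, not real mail): one that exhibits
# several of the red flags listed above, and one that looks like a routine notification.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-secure.com>
Reply-To: recover@mailbox-example.net
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examp1e-bank-secure.com; dkim=none; dmarc=fail
Subject: Unusual activity detected - act within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended in 24 hours. Please verify immediately:</p>
<p><a href="http://examp1e-bank-secure.com/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

LEGIT_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello Alex,</p>
<p>Your statement is ready at <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>
</body></html>
"""

URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "act now", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(address_or_url):
    """Last two labels of the host in an email address or URL (sufficient for this demo)."""
    host = address_or_url
    if "://" in address_or_url:
        host = urlparse(address_or_url).hostname or ""
    elif "@" in address_or_url:
        host = address_or_url.rsplit("@", 1)[1]
    return ".".join(host.lower().split(".")[-2:])

def phishing_red_flags(raw_message):
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    # Red flag: replies would go to a domain that is not the claimed sender's.
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and base_domain(reply_to) != base_domain(from_addr):
        flags.append("reply-to domain differs from sender domain")
    # Red flag: the receiving server recorded a failed or absent SPF/DKIM/DMARC check.
    auth_results = msg.get("Authentication-Results", "").lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mechanism}=(\w+)", auth_results)
        if match and match.group(1) != "pass":
            flags.append(f"{mechanism} result is {match.group(1)}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    lowered = body.lower()
    subject = msg.get("Subject", "").lower()
    if any(greeting in lowered for greeting in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(phrase in subject or phrase in lowered for phrase in URGENCY_PHRASES):
        flags.append("urgency language")
    # Red flag: the link text shows one domain while the href points somewhere else.
    collector = LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        if visible.startswith("http") and base_domain(visible) != base_domain(href):
            flags.append(f"link text shows {base_domain(visible)} but points to {base_domain(href)}")
    return flags

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, phishing_red_flags(raw) or "no red flags")
```

The Authentication-Results check is only meaningful when the header was stamped by your own receiving server, since an attacker can include a forged copy in the message they send; production mail gateways strip or rename untrusted copies before evaluating it.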

Phishing protection measures:

  • Email filtering and security (Proofpoint, Mimecast, Microsoft Defender)
  • Security awareness training for all staff
  • Multi-factor authentication (MFA) on all accounts
  • DMARC/SPF/DKIM email authentication
  • Phishing simulation exercises
  • Reporting mechanisms for suspected phishing
  • URL filtering and web security

Business Context

Phishing is the initial attack vector in 36% of data breaches and 80% of reported security incidents. The average cost of a successful phishing attack for Australian mid-market businesses is $250,000-$500,000.

How Clever Ops Uses This

Clever Ops protects Australian businesses from phishing through multi-layered defences: email security platforms, DMARC/SPF/DKIM configuration, MFA implementation, and regular phishing simulation exercises. We build security awareness programs that train staff to recognise and report phishing attempts effectively.

Example Use Case

"An Australian business implements Microsoft Defender for email filtering, configures DMARC to prevent domain spoofing, deploys MFA for all accounts, and runs monthly phishing simulations, reducing successful phishing incidents from 12 per year to zero."

Category

cybersecurity
