Phishing
A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access — by email, SMS, voice, QR code, or OAuth consent.
Phishing is a social-engineering attack in which the attacker impersonates a trusted entity (a bank, a colleague, a SaaS vendor, a courier) to manipulate a target into handing over credentials, money, or access to an internal system. It is the most common initial-access vector in security incidents: the Verizon DBIR has placed phishing and pretexting among the leading human-element action varieties for over a decade.
The format has evolved well beyond the bulk email of the 2000s. Defining properties of modern phishing:
- Multi-channel. Email remains dominant, but vishing (voice), smishing (SMS), qishing (QR codes), and OAuth consent phishing now make up a meaningful share of incidents. ANSSI’s annual Panorama de la cybermenace tracks the channel mix in France.
- Targeted. Generic “Nigerian prince” lures are residual noise. The damaging variants are spear-phishing against specific roles (finance, IT, execs) and BEC against payment-approval chains.
- MFA-aware. Adversary-in-the-middle kits such as EvilProxy and Tycoon 2FA reverse-proxy the real login page and relay the MFA challenge to the victim in real time, then capture the resulting session cookie. Push approvals and one-time codes (TOTP, SMS) give no protection here: the victim supplies a valid response and the proxy forwards it within its validity window. Only origin-bound authenticators (FIDO2 / WebAuthn, passkeys) are structurally resistant, because the browser writes the origin it is actually on into the signed assertion and the credential is scoped to the legitimate relying-party ID, so an assertion produced on a look-alike domain is rejected by the real service.
- AI-assisted. Generative AI removes the language-quality tell (spelling, grammar, unidiomatic phrasing) on which legacy filters and trained users relied. A French-language lure generated in 2024 reads, sentence by sentence, like a legitimate message to most readers.
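The difference between a relayed one-time code and a relayed WebAuthn assertion is easier to see in code than in prose. The following is an added, stand-alone simulation (not code from this page or from any of the kits named above): a real RFC 6238 TOTP implementation on one side, and a deliberately simplified WebAuthn-style assertion on the other, where an HMAC stands in for the credential's ECDSA signature. The domains, the credential key and the challenge are constructed for illustration. The proxy in each scenario forwards exactly what the victim's browser produced; only the origin-bound protocol notices where it was produced.

```python
"""Added example: why adversary-in-the-middle (AitM) relaying defeats TOTP but not
an origin-bound WebAuthn assertion. Stand-alone simulation, not code from the page;
the domains, keys and challenge below are constructed for illustration."""
import hashlib
import hmac
import json
import struct

# --- Constructed fixtures (hypothetical domains and keys) -----------------------
TOTP_SECRET = b"12345678901234567890"          # RFC 6238 test-vector seed
RP_ID = "login.example.com"                     # relying-party ID the credential is scoped to
LEGIT_ORIGIN = "https://login.example.com"
PHISHING_ORIGIN = "https://login-example.com.attacker.test"
CRED_KEY = b"per-credential-key"               # stand-in for the credential's private key


# --- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) ---------------------------
def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", int(t // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_verify(secret: bytes, code: str, t: float, step: int = 30, skew: int = 1) -> bool:
    """Server-side check with +/- one step of clock skew, as most services allow."""
    return any(hmac.compare_digest(totp(secret, t + d * step), code)
               for d in range(-skew, skew + 1))


def aitm_relay_totp(secret: bytes, t: float, relay_delay_s: float = 5.0) -> bool:
    """Victim types the code into the proxy's page; the proxy forwards it a few seconds
    later. Nothing in the code says where it was typed, so the real service accepts it."""
    code_typed_into_phishing_page = totp(secret, t)
    return totp_verify(secret, code_typed_into_phishing_page, t + relay_delay_s)


# --- WebAuthn-style assertion (simplified; HMAC stands in for ECDSA) -----------
def authenticator_sign(key: bytes, rp_id: str, challenge: str, browser_origin: str):
    """The *browser* fills in the origin it is actually on; the page cannot override it.
    The authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify(key: bytes, rp_id: str, expected_origin: str, challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks from the WebAuthn spec: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:          # origin binding: the phishing-resistance check
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legit_webauthn_login(challenge: str) -> bool:
    cd, ad, sig = authenticator_sign(CRED_KEY, RP_ID, challenge, LEGIT_ORIGIN)
    return rp_verify(CRED_KEY, RP_ID, LEGIT_ORIGIN, challenge, cd, ad, sig)


def aitm_relay_webauthn(challenge: str) -> bool:
    """The proxy forwards the real challenge, but the victim's browser is on the phishing
    origin and says so inside the signed clientDataJSON, so the real RP rejects it. (In a
    real browser the attempt fails even earlier: a credential scoped to RP_ID is never
    offered to a page whose origin is not within that RP ID.)"""
    cd, ad, sig = authenticator_sign(CRED_KEY, RP_ID, challenge, PHISHING_ORIGIN)
    return rp_verify(CRED_KEY, RP_ID, LEGIT_ORIGIN, challenge, cd, ad, sig)


if __name__ == "__main__":
    now = 1_700_000_000.0
    print("TOTP relayed through AitM proxy accepted:", aitm_relay_totp(TOTP_SECRET, now))  # True
    print("WebAuthn legitimate login accepted:      ", legit_webauthn_login("c0ffee"))      # True
    print("WebAuthn relayed through AitM accepted:  ", aitm_relay_webauthn("c0ffee"))       # False
```

The TOTP half is the real algorithm (the seed is the RFC 6238 test vector, so `totp(TOTP_SECRET, 59)` yields `287082`); the point is that a code carries no information about the page it was typed into. The WebAuthn half keeps only the checks that matter for the argument: the origin comparison and the rpIdHash comparison are what make the relayed assertion fail, and neither depends on the signature scheme.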
The buyer-side mistake is to treat phishing as a filter problem. Secure email gateways and AI detectors catch the bulk; the residual that lands in inboxes is, by definition, the slice that defeated detection. From that point on, what matters is human behavior: report rate, time-to-report, and how concentrated clicks are among repeat clickers. That is the surface on which a behavior-centered program is measured (see behavioral KPI).
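What those three metrics look like when computed from campaign telemetry, as an added example that is not code from this page or from any vendor's platform: the event log is constructed (two simulated campaigns to the same five mailboxes), and the event shape, the per-user rate definitions and the choice of first-report time are assumptions made for the example.

```python
"""Added example: behavioral KPIs from simulated-phishing campaign telemetry.
Not code from the page or from any vendor; the event log below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Event:
    campaign: str
    user: str
    kind: str            # "delivered" | "clicked" | "reported"
    ts: datetime


T0 = datetime(2024, 9, 2, 9, 0)


def ev(campaign: str, user: str, kind: str, minutes_after_t0: int) -> Event:
    return Event(campaign, user, kind, T0 + timedelta(minutes=minutes_after_t0))


USERS = ["alice", "bob", "carol", "dave", "erin"]

# Constructed sample: two campaigns to the same five mailboxes.
EVENTS = (
    [ev("Q3", u, "delivered", 0) for u in USERS]
    + [ev("Q3", "bob", "clicked", 4), ev("Q3", "dave", "clicked", 12)]
    + [ev("Q3", "alice", "reported", 3), ev("Q3", "carol", "reported", 45),
       ev("Q3", "dave", "reported", 20)]          # dave clicked, then reported: still counts
    + [ev("Q4", u, "delivered", 0) for u in USERS]
    + [ev("Q4", "bob", "clicked", 7), ev("Q4", "erin", "clicked", 30)]
    + [ev("Q4", "alice", "reported", 2), ev("Q4", "dave", "reported", 10),
       ev("Q4", "carol", "reported", 8), ev("Q4", "erin", "reported", 35)]
)


def campaign_kpis(events, campaign: str) -> dict:
    """Report rate, click rate and median time-to-report for one campaign.
    Rates are per distinct user; time-to-report uses each user's first report."""
    delivered = {e.user: e.ts for e in events if e.campaign == campaign and e.kind == "delivered"}
    clicked = {e.user for e in events if e.campaign == campaign and e.kind == "clicked"}
    first_report = {}
    for e in sorted((x for x in events if x.campaign == campaign and x.kind == "reported"),
                    key=lambda x: x.ts):
        first_report.setdefault(e.user, e.ts)
    minutes = [(first_report[u] - delivered[u]).total_seconds() / 60
               for u in first_report if u in delivered]
    return {
        "delivered": len(delivered),
        "report_rate": len(first_report) / len(delivered),
        "click_rate": len(clicked) / len(delivered),
        "median_minutes_to_report": median(minutes) if minutes else None,
    }


def repeat_clickers(events, min_campaigns: int = 2) -> set:
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    campaigns_clicked = defaultdict(set)
    for e in events:
        if e.kind == "clicked":
            campaigns_clicked[e.user].add(e.campaign)
    return {u for u, cs in campaigns_clicked.items() if len(cs) >= min_campaigns}


def repeat_click_concentration(events) -> float:
    """Share of all clicks that come from repeat clickers. A high value means the
    residual risk sits with a small group, which is where targeted coaching pays off."""
    clicks = [e for e in events if e.kind == "clicked"]
    repeaters = repeat_clickers(events)
    return sum(1 for e in clicks if e.user in repeaters) / len(clicks) if clicks else 0.0


if __name__ == "__main__":
    for c in ("Q3", "Q4"):
        print(c, campaign_kpis(EVENTS, c))
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("click concentration among repeat clickers:", repeat_click_concentration(EVENTS))
```

Two design points worth noting. A user who clicks and then reports (dave in Q3, erin in Q4) counts toward both rates; a program that only tracks click rate would record these as failures, although a fast report after a click is exactly the behavior that shortens the incident. And concentration is measured across campaigns rather than within one, because a single campaign cannot distinguish a repeat clicker from an unlucky first-timer.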
Related terms
- Spear-phishing: A targeted phishing attack crafted for a specific person or small group, using public OSINT to reach a credibility that bulk phishing cannot achieve.
- Business Email Compromise (BEC): A targeted fraud in which an attacker impersonates an executive, supplier, or counsel to redirect a legitimate payment; historically the single most financially damaging cybercrime category.
- Vishing (voice phishing): Phishing delivered over a voice call, increasingly combined with an email pretext and, since 2023, with AI-cloned voices of executives and colleagues.
- Qishing (QR phishing): Phishing in which the malicious link is delivered as a QR code rather than as text, shifting the click from a managed laptop to an unmanaged personal phone where URL filtering and inspection are usually absent.
- OAuth phishing / consent phishing: An attack that tricks a user into granting a malicious third-party app persistent OAuth access to their mailbox, files, or workspace. No password is stolen and MFA is never challenged: the user signs in legitimately, approves the consent prompt, and the attacker receives a token that survives password resets until the grant is revoked.
- Social engineering: Manipulating a person, rather than exploiting a software flaw, to obtain credentials, money, or access; the umbrella category under which phishing, vishing, and BEC sit.