AlignTrust

Phishing

A social engineering attack that tricks users into revealing credentials, clicking malicious links, or installing malware by impersonating a trusted entity.

What Is Phishing?

Phishing is a cyberattack where an attacker impersonates a trusted person or organisation — a bank, a colleague, a software vendor — to manipulate the target into taking a harmful action. Common goals include stealing credentials, tricking users into transferring money, or delivering malware.

The term comes from "fishing": attackers cast a wide net hoping someone takes the bait.

Common Phishing Variants

  • Email phishing: Mass emails impersonating well-known services (Microsoft, Google, PayPal)
  • Spear phishing: Targeted attacks personalised with victim-specific details — names, roles, recent events
  • Whaling: Spear phishing aimed at executives (CEO, CFO) to authorise wire transfers or data access
  • Smishing: Phishing via SMS text messages
  • Vishing: Voice-based phishing — attackers call pretending to be IT support, banks, or government
  • QR code phishing (quishing): Malicious QR codes that direct victims to fake login pages

Why SMBs Are a Prime Target

Attackers target SMBs precisely because they often lack dedicated security teams and sophisticated email filtering. Business email compromise (BEC) — where attackers impersonate executives to request wire transfers — cost businesses $2.9 billion in 2023 according to the FBI.

How to Defend Against Phishing

  1. Deploy email security: Publish SPF, DKIM, and DMARC records for your domain so receiving mail servers can reject messages that spoof it
  2. Enforce MFA: Even if credentials are stolen, MFA stops the attacker from using them
  3. Train your team: Regular phishing simulations build awareness without blame
  4. Use phishing-resistant MFA: Hardware keys (FIDO2) or passkeys resist even real-time credential harvesting
  5. Verify unusual requests: Any urgent request involving money, credentials, or data should be confirmed via a separate channel
  6. Deploy browser protection: Tools like Google Safe Browsing and Microsoft Defender SmartScreen block known phishing URLs
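As an added example (not AlignTrust's own code), here is a small offline checker that performs the review a defender would do on the records from step 1: it flags an SPF record whose final qualifier still lets unlisted senders through and a DMARC policy weaker than p=reject. The SPF and DMARC records below are constructed for a fictitious domain, with the weak configuration beside the hardened one.

```python
# Constructed sample records for a fictitious domain (not real DNS data): a weak
# configuration that still lets attackers spoof the domain, and a hardened one.
WEAK_RECORDS = {"spf": "v=spf1 include:_spf.mailer.example ~all",
                "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"}
STRONG_RECORDS = {"spf": "v=spf1 include:_spf.mailer.example -all",
                  "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"}

def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(spf):
    """List SPF weaknesses; the final 'all' qualifier decides the fate of unlisted senders."""
    terms = spf.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    last = terms[-1].lower()
    if last in ("all", "+all"):
        return ["SPF ends in +all: every sender passes, so the record protects nothing"]
    if last == "?all":
        return ["SPF ends in ?all: neutral result, receivers treat it as no policy"]
    if last == "~all":
        return ["SPF ends in ~all: softfail only; DMARC p=reject is needed to block spoofing"]
    return []  # -all: mail from unlisted senders hard-fails

def dmarc_findings(dmarc):
    """List DMARC weaknesses; only p=reject tells receivers to refuse unauthenticated mail."""
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC p={policy}: spoofed mail is reported or quarantined, not rejected")
    elif tags.get("sp", policy).lower() != "reject":
        findings.append(f"DMARC sp={tags['sp']}: subdomains can still be spoofed")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only that share of mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua: no aggregate reports, so spoofing attempts go unseen")
    return findings

def assess(records):
    """Assess a domain's SPF and DMARC records; empty lists mean no weakness was found."""
    return {"spf": spf_findings(records["spf"]), "dmarc": dmarc_findings(records["dmarc"])}
```

In practice the two record strings come from TXT lookups of the domain and of `_dmarc.<domain>`; the checks themselves need no network access.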

No technical control replaces human awareness — but layering defences means no single failure is catastrophic.