Phishing
Definition
Phishing is a social engineering attack in which an attacker impersonates a trusted person, organization, system, or service to trick someone into revealing sensitive information, transferring money, approving access, downloading malware, or taking another harmful action. Phishing most often occurs through email, but it can also happen through text messages, phone calls, collaboration tools, social media, fake login pages, QR codes, or compromised business accounts. From an information security and GRC perspective, phishing is both a technical and human risk because it targets identity, access, data protection, payment processes, and employee decision-making. Effective phishing management combines preventive controls, user awareness, detection, reporting workflows, incident response, and continuous improvement. Organizations of any size should treat phishing as an ongoing operational risk rather than a one-time training topic. A strong program typically includes secure email configuration, multi-factor authentication, simulated phishing exercises, clear reporting channels, rapid investigation procedures, and governance evidence showing that risks, controls, incidents, and corrective actions are tracked over time.
Real-World Examples
Fake invoice email
An attacker sends a finance employee an email that appears to come from a known supplier, asking them to pay a fraudulent invoice or update banking details.
Credential harvesting page
A user clicks a link to what appears to be a normal login page, enters their username and password, and unknowingly sends credentials to an attacker.
Executive impersonation
An employee at a startup, SMB, or enterprise receives an urgent message pretending to be from the CEO and is pressured to buy gift cards, approve a transfer, or share confidential information.
Collaboration tool phishing
An employee receives a message in a chat platform that links to a fake document-sharing portal designed to steal session or account information.
Phishing in cybersecurity is a social engineering attack where an attacker pretends to be a trusted source to trick a person into sharing credentials, opening a malicious file, clicking a harmful link, approving access, or making an unauthorized payment. It is a major security and compliance concern because it can lead to account compromise, data exposure, fraud, malware infection, and business disruption.
A phishing attack usually starts with a message that creates trust, urgency, fear, curiosity, or routine business pressure. The victim may be asked to click a link, open an attachment, scan a code, reply with information, or approve a request. If the user acts, the attacker may capture credentials, install malware, intercept payments, or gain access to internal systems.
Common types of phishing include email phishing, spear phishing, executive impersonation, business email compromise, smishing through text messages, vishing through phone calls, fake login portals, malicious attachments, and QR-code phishing. The method can vary, but the core pattern is the same: an attacker uses deception to cause a person to take an unsafe action.
Phishing is a broad term for deceptive attacks that trick people into sharing information or taking harmful actions. Spear phishing is a more targeted form of phishing aimed at a specific person, role, team, or organization. Spear phishing often uses personalized details, such as names, projects, suppliers, executives, or business processes, to make the message more convincing.
Organizations can reduce phishing risk by using layered controls such as multi-factor authentication, secure email configuration, domain protection, attachment and link scanning, access reviews, endpoint protection, payment approval procedures, and employee training. Prevention should also include clear reporting channels and regular testing so users know how to recognize and escalate suspicious messages.
Controls that reduce phishing risk include multi-factor authentication, least-privilege access, email authentication, secure web gateways, endpoint detection, password managers, account monitoring, user awareness training, simulated phishing exercises, incident response procedures, and segregation of duties for sensitive approvals. The strongest programs combine technical controls with governance processes and human-centered training.
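As an added example (not code from the WatchDog page or any product it describes), the Python triage check below applies several of the controls listed above to one reported message: it reads the email authentication result, compares the display name against protected executives, checks for a redirected Reply-To, and looks for the urgency and payment language typical of executive-impersonation and fake-invoice lures. The internal domain, executive list, lure words and both sample messages are constructed assumptions for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"  # assumed: the organization's own mail domain
EXECUTIVES = {"jane doe"}        # assumed: display names to protect from impersonation
LURES = ("urgent", "gift card", "wire transfer", "banking details", "confidential")
# Constructed sample: executive impersonation sent from an external free-mail address.
SUSPICIOUS = """\
From: "Jane Doe, CEO" <jane.doe.ceo@example-mail.test>
Reply-To: ceo.office@other-mail.test
Subject: Urgent - need gift cards today
Authentication-Results: mx.example.org; spf=pass; dkim=none; dmarc=fail header.from=example-mail.test

Are you at your desk? Buy the gift cards now and keep this confidential.
"""
# Constructed sample: routine internal mail whose DMARC check passes.
BENIGN = """\
From: "Pat Lee" <pat.lee@example.org>
Subject: Q2 budget review notes
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass header.from=example.org

Notes from today's review are in the shared folder.
"""

def triage(raw: str) -> dict:
    """Return the phishing red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    text = (str(msg.get("Subject", "")) + " " + msg.get_content()).lower()
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    external = sender_domain != INTERNAL_DOMAIN
    return {
        "external_sender": external,
        # an executive's display name on an address outside the company domain
        "exec_impersonation": external and any(e in name.lower() for e in EXECUTIVES),
        # email authentication did not confirm the visible From domain
        "dmarc_not_pass": "dmarc=pass" not in auth,
        # replies silently redirected to a different mailbox
        "reply_to_mismatch": bool(reply_to) and reply_to.lower() != addr.lower(),
        # urgency or payment pressure language typical of these lures
        "pressure_lure": any(lure in text for lure in LURES),
    }

def recommend(flags: dict) -> str:
    # Turn the flag count into a handling decision for the reporting workflow.
    hits = sum(flags.values())
    return "escalate" if hits >= 3 else "review" if hits else "deliver"
```

The decision thresholds are deliberately simple; in practice the flags would feed the organization's reporting workflow and investigation playbook rather than block mail on their own.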
Phishing awareness training helps employees recognize suspicious messages, avoid unsafe actions, and report potential attacks quickly. For compliance programs, it also provides evidence that the organization is addressing human risk, communicating security responsibilities, and reinforcing expected behavior. Training is most effective when it is practical, role-based, repeated over time, and linked to real reporting procedures.
Employees should report suspected phishing using the organization’s approved process, such as a report button, help desk ticket, security mailbox, or incident channel. They should avoid clicking links, opening attachments, replying to the sender, or forwarding the message outside the approved workflow. A good reporting process should be simple, fast, and well communicated so security teams can investigate quickly.
After a successful phishing attack, an organization should contain the incident, disable or reset affected accounts, revoke active sessions, preserve evidence, assess data and system impact, remove malicious messages, notify appropriate stakeholders, and document corrective actions. The organization should also identify root causes and improve controls, training, monitoring, and response procedures to reduce recurrence.
Information Security & GRC requirements for phishing typically include risk assessment, documented security controls, employee awareness training, incident reporting procedures, access protection, monitoring, response playbooks, evidence retention, and continuous improvement. The goal is to show that phishing risk is understood, managed through appropriate controls, tested over time, and addressed when incidents or control gaps occur.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-07 | WatchDog GRC Team | Initial publication |