Phishing
Phishing is a social engineering attack where attackers trick users into revealing credentials, downloading malware, or visiting fake websites. It exploits human psychology rather than technical vulnerabilities, making users the attack vector.
# WHAT TEAMS RUN INTO
- Phishing is effective against trained users. Even organizations that run security awareness training see employees click phishing links: users are distracted, in a hurry, or receive messages that are nearly indistinguishable from legitimate mail.
- Phishing-resistant authentication prevents only one type of phishing. Phishing-resistant MFA stops credential phishing, but business email compromise (BEC) attacks phish for actions rather than credentials: the attacker tricks a user into approving an access request.
- The phishing ecosystem is fast and cheap. Attackers can send millions of phishing emails from stolen infrastructure, while defense has to succeed for every individual user; when attackers outnumber defenders, that is a losing game.
# WHY IT MATTERS
Phishing is the #1 attack vector for account takeover and the starting point for most breaches. It bypasses authentication by tricking users into giving away credentials or installing malware. Every identity decision is a security decision, and phishing is the attack that corrupts the most important identity decision — whether to trust a message or login screen claiming to be from a legitimate system.