
    Phishing

    Phishing is a social engineering attack that tricks victims into revealing sensitive information or taking harmful actions through deceptive emails, messages, or websites.

    Phishing is the most common initial attack vector, responsible for over 90% of security breaches.

    Types of phishing:
    - Email Phishing: Mass emails impersonating trusted entities
    - Spear Phishing: Targeted attacks on specific individuals
    - Whaling: Targeting executives and high-value individuals
    - Smishing: SMS-based phishing
    - Vishing: Voice phishing via phone calls
    - Business Email Compromise (BEC): Impersonating executives for fraud

    Common indicators:
    - Urgency or fear tactics
    - Suspicious sender addresses
    - Generic greetings
    - Spelling/grammar errors
    - Unusual requests

    Defense layers:
    - Email filtering and authentication (SPF, DKIM, DMARC)
    - Security awareness training
    - Phishing simulations
    - MFA to limit credential theft impact
    - URL filtering
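    The indicators and the authentication layer above can be turned into a simple triage check that a mail gateway or SOC script would run over an inbound message. The following Python is an added example written for this glossary entry, not code from the page's author: it reads the Authentication-Results header the receiving mail server stamps on a message (SPF, DKIM and DMARC verdicts), then looks for the listed human-facing indicators (a display name carrying a different domain than the real sender address, a Reply-To pointing elsewhere, urgency wording, generic greetings). The keyword lists, the scoring heuristics and both sample messages are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Wording the indicators list calls out: pressure tactics and generic greetings.
# These term lists are assumptions for the example, not a vendor's rule set.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")


def auth_results(msg):
    """Parse the receiving MTA's Authentication-Results header (RFC 8601)
    into {"spf": "pass", "dkim": "fail", ...}. Methods not present are omitted."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)}


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return the list of indicator strings found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Layer 1: sender authentication verdicts recorded by our own gateway.
    for method, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{method}={result}")

    # Suspicious sender address: the display name embeds an address whose
    # domain differs from the real From address.
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append("display-name domain mismatch")

    # Replies silently routed to a mailbox on another domain.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to domain mismatch")

    # Urgency / fear tactics and generic greetings in subject or body text.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency language")
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        findings.append("generic greeting")
    return findings


# Constructed sample messages (not real mail): one phish, one ordinary notice.
PHISH = """\
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=free-mail.example; dkim=none; dmarc=fail header.from=free-mail.example
From: "ceo@corp.example" <notify@free-mail.example>
Reply-To: payments@collect-now.example
To: finance@corp.example
Subject: URGENT: wire transfer needed immediately
Content-Type: text/plain; charset="utf-8"

Dear user, your account will be suspended unless you verify now.
"""

LEGIT = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: IT Service Desk <helpdesk@corp.example>
To: alice@corp.example
Subject: Planned maintenance window on Saturday
Content-Type: text/plain; charset="utf-8"

Hi Alice, the VPN gateway will be patched on Saturday between 02:00 and 04:00.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

    The authentication verdicts are the strongest signal because they come from the gateway's own DNS lookups rather than from message content the sender controls; the wording checks are deliberately weak on their own and are best used to prioritise which failed-authentication messages an analyst looks at first.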

    Why It Matters

    Phishing is the initial access vector in over 90% of successful cyberattacks, making it the single greatest threat to most organizations. Technical controls catch the majority of phishing attempts, but sophisticated spear phishing and BEC attacks regularly bypass filters. Regular phishing simulations with immediate training feedback measurably reduce click rates over time, and MFA ensures that even successful credential theft doesn't result in account compromise.

    Key Points

    Responsible for 90%+ of security breaches
    Email filtering alone is not sufficient
    Regular phishing simulations improve awareness
    MFA limits damage from successful phishing
    Report suspicious emails to security team


    Frequently Asked Questions

    How often should phishing simulations be run?

    Monthly or quarterly. Track metrics over time and provide immediate training when users fail simulations.

    Can technical controls stop all phishing?

    No. Sophisticated phishing often bypasses technical controls. Human awareness training is essential alongside technical defenses.
