What is Phishing?

Phishing is a cyberattack that tricks people into handing over sensitive information—usually passwords, credit card numbers, or other credentials—by masquerading as a trustworthy entity.

The attacker creates a fake website, email, or message that looks legitimate, often mimicking a bank, email provider, or popular service. When victims enter their information, thinking they're logging into their real account or responding to a genuine request, they're actually sending it straight to the attacker. The credentials can then be used to break into actual accounts, steal money, launch further attacks, or sell on underground markets.

Most phishing happens through email, where attackers send messages designed to create urgency or fear. You might get a warning that your account will be closed unless you verify your information immediately, or a notification about a package delivery that needs your attention. The message includes a link to a convincing replica of a legitimate site. Other phishing occurs through text messages (called smishing), phone calls (vishing), or even social media. More sophisticated versions, like spear phishing, target specific individuals with personalized details that make the attack harder to detect. Whaling goes after executives specifically, often impersonating other high-level employees to authorize fraudulent wire transfers.

The term "phishing" emerged in the mid-1990s from the hacker community, combining "fishing" (for victims) with "ph" from "phreaking"—the earlier practice of hacking phone systems. Early phishers targeted AOL users, creating fake login screens to steal account credentials they could use or resell. These attacks were relatively crude by today's standards, but they established the basic template: impersonate a trusted entity, create urgency, and trick users into revealing information.

As email became ubiquitous in the early 2000s, phishing exploded. Attackers began targeting online banking customers with increasingly sophisticated fake websites. The problem grew serious enough that the Anti-Phishing Working Group formed in 2003 to coordinate responses across industry and law enforcement. Banks and other targets started adding warnings to legitimate emails and educating customers about never clicking links in messages.

Phishing evolved rapidly as defenses improved. Attackers developed spear phishing, researching specific targets to craft personalized messages far more convincing than generic blasts. They began compromising legitimate websites to host phishing pages, making URLs harder to distinguish as fake. Email authentication standards like SPF and DKIM emerged to combat spoofed sender addresses, leading attackers to compromise real accounts and send phishing from genuinely legitimate addresses. The arms race continues, with attackers now using AI to craft more convincing messages and even generate realistic voice or video content.

Phishing remains one of the most effective attack vectors in cybersecurity despite decades of awareness efforts. According to most incident response data, the majority of successful breaches begin with a phishing email. The technique works because it exploits human psychology rather than technical vulnerabilities—no software patch can fix the human tendency to click when curious, worried, or rushed.

The business impact extends beyond stolen credentials. Phishing often serves as the entry point for ransomware, where one employee clicking a malicious link can lead to an entire organization's data being encrypted. Business email compromise scams, where attackers impersonate executives to request wire transfers, have cost companies billions of dollars. Even when attacks fail, organizations spend significant resources on security awareness training, email filtering systems, and incident response.

Modern phishing has become harder to detect. Attackers use compromised legitimate accounts to send messages, bypassing many technical filters. They research targets thoroughly on social media and corporate websites to craft convincing pretexts. AI tools now help generate grammatically perfect emails without the typos that once served as warning signs. Some attackers even conduct multi-stage attacks, using initial contact to build trust before making their real request. The ubiquity of legitimate security alerts and password reset emails from various services has also created a fog where phishing attempts hide more easily.

Plurilock's social engineering testing services help organizations understand their actual vulnerability to phishing attacks through realistic simulations that go beyond generic awareness training. Our offensive security team, drawing on intelligence community experience, designs campaigns that mirror current attacker techniques—including sophisticated pretexts, multi-stage approaches, and even deepfake technology.

We identify which employees and departments are most vulnerable, but more importantly, we help organizations implement technical controls and security architectures that reduce reliance on perfect human judgment.

Rather than just testing and reporting, we work to reduce your actual attack surface through identity and access management improvements, better email security, and detection systems that catch compromised credentials before they're used.