A practical guide to identifying phishing emails, messages, and websites, with real-world examples of common techniques.
# What Is Phishing and How to Recognize It
Phishing is a social engineering attack in which an adversary impersonates a trusted entity to deceive a target into revealing credentials, transferring funds, or executing malicious code. The attack exists because human judgment is faster to manipulate than technical controls are to bypass. Attackers who cannot crack a firewall or exploit unpatched software can often obtain the same access by convincing an employee to type a password into a fake login page. Phishing solves a specific problem for attackers: how to cross the boundary between the public internet and a protected network without triggering automated defenses. For defenders, understanding phishing at a technical and behavioral level is a prerequisite for building detection capability, training effective awareness programs, and responding to incidents where the initial access vector was a deceptive message.
---
Phishing is the use of deceptive electronic communications, most commonly email, to manipulate recipients into performing an action that benefits the attacker. The word is a deliberate misspelling of "fishing," reflecting the attacker's strategy of casting bait broadly and waiting for targets to take it.
The technical definition covers three core elements: a deceptive sender identity, a false context designed to trigger urgency or trust, and a payload that either captures information or delivers malware.
Phishing is distinct from several adjacent concepts. Spam is unsolicited bulk email sent for advertising purposes; it does not necessarily attempt to deceive or cause harm. Malware delivery through phishing is one possible outcome, but phishing itself is a deception technique, not a malware category. Social engineering is the broader discipline; phishing is one specific channel within it.
Phishing has several recognized subtypes:
Spear phishing targets a specific individual or organization. The attacker researches the target and customizes the message to appear personally relevant, referencing real colleagues, projects, or vendors.
Whaling is spear phishing directed at executives, board members, or other high-value individuals with authority to approve financial transfers or access sensitive systems.
Smishing uses SMS text messages as the delivery channel instead of email. Attack volume through mobile messaging has increased substantially as organizations improved email filtering.
Vishing (voice phishing) uses phone calls. The attacker impersonates technical support, government agencies, or financial institutions to extract information verbally.
Business Email Compromise (BEC) is a financially motivated variant in which the attacker impersonates an executive or vendor to authorize fraudulent wire transfers or redirect payroll deposits. BEC is frequently categorized separately in financial crime reporting, but the underlying technique is phishing.
Phishing is not limited to credential theft. Attackers use it to deliver ransomware, install remote access tools, and establish persistence inside target networks.
---
Understanding the mechanics of a phishing attack from the attacker's perspective is the most direct path to building detection capability.
## Phase 1: Reconnaissance
Before sending a single message, a skilled attacker gathers intelligence on the target. Open-source sources include LinkedIn profiles (to identify employees, roles, and reporting relationships), company websites (to identify vendors, executives, and operational details), and domain registration records. In a spear phishing campaign, this phase produces a list of specific targets and a plausible cover story tailored to each one.
## Phase 2: Infrastructure Setup
The attacker registers a domain designed to be confused with a legitimate one. Common techniques include typosquatting (registering "micros0ft.com" instead of "microsoft.com"), homoglyph substitution (replacing Latin letters with visually identical characters from other alphabets), and subdomain abuse (using "paypal.com.account-verify.net" to make the domain appear legitimate in a quick visual scan). The attacker then configures the domain with valid TLS certificates. The presence of HTTPS and a padlock icon in a browser does not indicate the site is legitimate; it only indicates the connection is encrypted.
## Phase 3: Message Crafting
Phishing messages are constructed to trigger one of several psychological responses: urgency ("Your account will be suspended in 24 hours"), fear ("Unauthorized access was detected"), authority ("This is a message from your IT department"), or curiosity ("You have received a document to review"). Attackers use stolen or copied email templates from the organizations they impersonate. HTML email allows attackers to display one URL as link text while the actual hyperlink points elsewhere.
## Phase 4: Delivery
Email phishing is sent through compromised accounts, bulletproof hosting providers, or free email services. Sending from a previously legitimate account that has been compromised helps the message pass reputation-based filters. Attackers time delivery to coincide with high-volume periods such as Monday mornings or end-of-quarter windows, when targets are under pressure and less likely to verify unusual requests carefully.
## Phase 5: Credential Capture or Payload Delivery
When a target clicks a malicious link, one of two things typically happens. In a credential harvesting attack, the target is directed to a page that mimics a legitimate login portal. The fake page captures the entered credentials and either redirects the user to the real site (so they experience no obvious error) or displays a generic error message. In a malware delivery attack, the link triggers a download of a malicious file, or the email itself contains an attachment (commonly a Word document with macros, a PDF with embedded JavaScript, or a compressed archive containing an executable).
## Concrete Scenario
A mid-sized accounting firm receives an email appearing to come from their payroll software vendor. The message states that the vendor is migrating accounts and asks each user to verify their login before a deadline. The email uses the vendor's actual logo, footer, and color scheme, copied from the vendor's real website. The link in the email points to "payroll-accountsupport.com," a domain registered three days earlier. An employee who clicks the link sees a perfect replica of the payroll portal login page. After entering credentials, the page displays "Thank you, your account has been verified." The attacker now has valid credentials to a system containing payroll data for the firm's clients. They log in after business hours, export records, and exfiltrate the data before anyone notices. The attack leaves no traces in the firm's email security logs because the phishing domain passed reputation checks at the time of delivery.
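As an added example (not code from the original article), the Python triage routine below applies the checks this scenario calls for to a constructed message: it compares the visible link text with the real href destination, flags a link whose registrable domain was registered within the last 30 days (the registration lookup is a hypothetical stand-in dictionary, not a real WHOIS client), and looks for urgency wording. The vendor host `portal.examplepayroll.com` and the dates are invented.

```python
import re
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the payroll scenario; the vendor host portal.examplepayroll.com is invented.
SAMPLE_HTML = """<p>We are migrating accounts. Your account will be suspended in 24 hours
unless you verify your login before the deadline.</p>
<a href="https://payroll-accountsupport.com/login">https://portal.examplepayroll.com/login</a>"""
REGISTERED_ON = {"payroll-accountsupport.com": date(2024, 5, 27)}   # hypothetical stand-in for a WHOIS/RDAP lookup
TODAY = date(2024, 5, 30)                                            # constructed "now" for the example
URGENCY = re.compile(r"\b(suspended|within 24 hours|immediately|verify your (login|account))\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])                    # crude eTLD+1; production code uses the Public Suffix List

def triage(html, today, max_age_days=30):
    """Return the reasons a message looks like phishing; an empty list means nothing was flagged."""
    reasons = []
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        if re.match(r"https?://", text):           # link text is itself a URL: compare where each one goes
            text_host = urlparse(text).hostname or ""
            if registrable(text_host) != registrable(href_host):
                reasons.append(f"link text shows {text_host} but href goes to {href_host}")
        registered = REGISTERED_ON.get(registrable(href_host))
        if registered is not None and (today - registered).days <= max_age_days:
            reasons.append(f"{registrable(href_host)} registered {(today - registered).days} days ago")
    if URGENCY.search(re.sub(r"<[^>]+>", " ", html)):  # strip tags before looking for lure wording
        reasons.append("urgency language present")
    return reasons
```

Each reason is independently weak; the point is that the three together (mismatched destination, days-old domain, deadline pressure) describe the scenario above precisely.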
---
Phishing is the most frequently observed initial access technique in confirmed data breaches. Verizon's Data Breach Investigations Report consistently places phishing among the top three action types in breaches across industries. The 2023 DBIR found phishing present in a significant proportion of social engineering incidents, which collectively represented one of the largest categories of breach causes examined.
The business impact is direct and measurable. A single successful credential phishing attack can result in unauthorized access to email, cloud storage, financial systems, or internal networks. From that initial access, attackers pivot laterally, establish persistence, and either exfiltrate data or deploy ransomware. The Colonial Pipeline ransomware attack in 2021, which caused fuel supply disruption across the eastern United States, began with a compromised VPN credential. While the specific vector was not publicly confirmed as a phishing email, the credential theft pattern is characteristic of how phishing enables downstream incidents of that magnitude.
Organizations without mature phishing detection and awareness programs face compounding risk. Technical controls filter a high percentage of phishing attempts, but not all. The subset that reaches inboxes is typically more sophisticated: better crafted, using reputable infrastructure, and timed to evade detection. Employees encountering only the most convincing phishing attempts are less likely to recognize them without deliberate training.
A common misconception is that phishing only targets unsophisticated users. Security operations professionals, IT administrators, and senior executives are targeted specifically because of their access. Attackers tailor campaigns to the technical knowledge level of the target. A phishing email sent to a developer may reference a GitHub repository or a CI/CD pipeline notification; one sent to an executive references a board agenda or investor communication.
A second misconception is that security awareness training alone solves the phishing problem. Training reduces click rates but does not eliminate them. Technical controls, detection capability, and rapid response procedures are equally necessary.
---
The Cyber Defense Alliance approaches phishing through the Planetary Defense Model (PDM) under the Threat Intelligence and Detection (TID) domain. The governing methodology is Predictive Defense Intelligence (PDI): see the threat before it sees you.
Applied to phishing, PDI means that defenders do not wait for a phishing email to reach an inbox before responding. The operational focus is on identifying attacker infrastructure before it is weaponized, monitoring for indicators of targeting activity, and building detection logic that fires on attacker behavior rather than on known-bad signatures.
Specifically, CDA practitioners working under TID methodology analyze newly registered domains for typosquatting patterns against client organizations. Domain registration monitoring, certificate transparency log analysis, and passive DNS tracking allow defenders to identify likely phishing infrastructure within hours of its creation. When a domain mimicking a client's vendor or brand appears, the intelligence is actionable: block the domain, alert the client, and brief the incident response team before the first phishing email is sent.
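As an added example that is not part of the article or of any CDA tooling, the Python classifier below applies the three lookalike patterns from Phase 2 (typosquatting, homoglyph substitution, subdomain abuse) to a constructed feed of newly seen domains, the kind of check the registration and certificate transparency monitoring described here would run against a client's brand list. The brand list, the confusables subset and the feed are constructed; `xn--pypal-4ve.com` is the punycode form of "paypal" spelled with a Cyrillic а.

```python
import unicodedata

# Constructed subset of the Unicode confusables table; multi-character keys come first on purpose.
CONFUSABLES = {"rn": "m", "vv": "w", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "0": "o", "1": "l", "3": "e", "5": "s"}

def skeleton(label):
    """Reduce a domain label to a visual skeleton so lookalikes collide with the brand name."""
    label = unicodedata.normalize("NFKC", label.lower())
    if label.startswith("xn--"):                  # punycode: decode to the Unicode a browser would render
        label = label.encode("ascii").decode("idna")
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label

def edit_distance(a, b):
    """Levenshtein distance; a transposition costs 2, which is acceptable for short labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brands):
    """Return (verdict, brand) for a newly seen domain checked against protected brand labels."""
    labels = domain.lower().rstrip(".").split(".")
    reg_label = labels[-2] if len(labels) >= 2 else labels[0]   # crude eTLD+1; real code uses the PSL
    sk = skeleton(reg_label)
    for brand in brands:
        if reg_label == brand:
            return ("exact", brand)
        if brand in labels[:-2]:                  # brand used as a subdomain of someone else's domain
            return ("subdomain-abuse", brand)
        if sk == brand:                           # renders like the brand but is spelled with other characters
            non_latin = not reg_label.isascii() or reg_label.startswith("xn--")
            return ("homoglyph" if non_latin else "typosquat", brand)
        if edit_distance(sk, brand) <= (1 if len(brand) < 8 else 2):
            return ("typosquat", brand)
    return ("no-match", None)

BRANDS = ["microsoft", "paypal"]
NEW_DOMAINS = ["micros0ft.com", "paypal.com.account-verify.net", "xn--pypal-4ve.com",   # constructed feed
               "rnicrosoft.com", "microsfot.com", "example.com"]

if __name__ == "__main__":
    for d in NEW_DOMAINS:
        print(f"{d:32} -> {classify(d, BRANDS)}")
```

A hit on a domain that does not yet serve anything is exactly the pre-weaponization signal described above: the domain can be blocked and the client briefed before a message is ever sent.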
CDA also treats phishing as a signal, not just a threat. A phishing campaign targeting a specific organization reveals attacker intent, target selection criteria, and likely objectives. A campaign using payroll-themed lures suggests the attacker seeks financial access. A campaign impersonating an IT help desk suggests the attacker is after credentials to internal systems. This contextual analysis connects TID to the broader PDM framework: phishing intelligence informs threat modeling, vulnerability prioritization, and response pre-positioning.
Where many organizations respond to phishing after the click, CDA methodology pushes the defensive perimeter back to the point of infrastructure creation. This is operationally distinct from reactive approaches that depend on signature-based email filtering and post-incident forensics. The difference is between knowing an attack occurred and knowing an attack was being prepared.
---
Written by CDA Wiki Team