Every year, phishing remains the most common entry point for cyberattacks — not because defenses haven't improved, but because the attacks themselves keep evolving. What began as crudely worded mass emails claiming Nigerian princes needed your help has become a sophisticated industry, complete with targeted research, psychological profiling, and multi-channel deception. Understanding how these attacks work is the first and most important step in not falling for them.

The 2024 Verizon Data Breach Investigations Report found that phishing was involved in 31% of all breaches — ranking among the top three attack vectors across all breach categories. The FBI's Internet Crime Complaint Center reported that business email compromise (BEC) and phishing schemes collectively caused more than $12.5 billion in losses in 2023 alone. These are not numbers produced by technical exploits against unpatched software. They are numbers produced by people being deceived — by messages crafted to exploit how human cognition works under pressure.

"Attackers don't break in — they log in. And the login almost always starts with an email." — Common framing among threat intelligence professionals

This article maps the full anatomy of phishing: the major types, the psychological mechanisms attackers deliberately exploit, how real-world attacks have unfolded, how to recognize an attack in progress, and what organizations can do to build durable defenses.

Key Definitions

Phishing: A cyberattack that uses deceptive digital communications — usually email — to trick recipients into revealing credentials, clicking malicious links, or transferring money. The word is a deliberate misspelling of "fishing," reflecting the idea of casting a wide net.

Spear phishing: A targeted form of phishing directed at a specific individual or organization, using personalized details to increase believability. Unlike mass phishing campaigns, spear phishing requires research and preparation.

Whaling: A subcategory of spear phishing aimed at senior executives or other high-value targets with significant authority. The term refers to going after the "big fish" of an organization.

Smishing: Phishing conducted via SMS text message rather than email. Often impersonates banks, delivery services, or government agencies.

Vishing: Voice phishing — attacks conducted over phone calls, often using caller ID spoofing to impersonate banks, government agencies, or IT support personnel.

Business Email Compromise (BEC): A sophisticated phishing variant in which attackers impersonate an organization's executive or vendor to trick employees into authorizing wire transfers or changing payment details. The FBI's Internet Crime Complaint Center puts total BEC losses at over $50 billion globally since it began tracking the category in 2013.

Adversary-in-the-Middle (AiTM): An advanced phishing technique that proxies the real login page in real time, capturing credentials and session cookies even when multi-factor authentication is enabled.

Phishing Attack Types Compared

Type Medium Targeting Typical Goal Distinguishing Feature
Mass phishing Email Untargeted, millions sent Credentials, payment data Volume-based; low per-recipient investment
Spear phishing Email Specific person/org Credentials, access, money transfer Personalized with researched details
Whaling Email C-suite executives Wire transfer, sensitive data Target has financial authorization authority
Smishing SMS Varies Credentials, malware install Mobile context; harder to inspect links
Vishing Phone Varies Credentials, data, money Immediate pressure; social engineering live
BEC Email Finance/HR staff Wire transfer, payroll diversion No malware; pure social engineering
AiTM Email + proxy Targeted Credentials + session cookies Bypasses standard MFA
Clone phishing Email Previous email recipients Credentials Uses copied legitimate email content

The Anatomy of a Phishing Email

A well-constructed phishing message is not random. Attackers follow a deliberate structure designed to move a target from initial contact to harmful action as quickly as possible.

The Sender Illusion

The first challenge for any attacker is appearing legitimate. They solve this through several techniques:

Domain spoofing involves registering a domain that looks similar to a real one — replacing letters with visually similar characters, adding words ("secure-paypal.com" instead of "paypal.com"), or using country-code domains ("paypal.com.uk"). The Anti-Phishing Working Group (APWG) reported that over 1.3 million unique phishing sites were detected in Q4 2023 alone, the majority using lookalike domains.

Display name deception exploits the fact that many email clients show the sender's display name prominently while hiding the actual address — so an attacker can set the display name to "PayPal Security Team" while sending from "notifications@random-domain.net."

Email header forgery, made possible when organizations have not properly implemented SPF, DKIM, and DMARC authentication protocols, allows attackers to make the "From" address appear to come directly from a legitimate domain. Proofpoint's 2024 State of the Phish report found that 76% of organizations experienced at least one successful phishing attack in the prior year.

Typosquatting domains — registered variations of trusted brands that take advantage of common typos or visual similarity. Unicode characters that look identical to ASCII letters but are processed differently ("IDN homograph attacks") allow attackers to register domains that appear identical to the real thing at normal reading speed.

The Urgency Trigger

Once past the sender illusion, the most consistently used psychological tool is urgency. "Your account has been compromised — verify within 24 hours or it will be suspended." "Unusual activity detected on your account — immediate action required." "Your tax filing is flagged — respond today to avoid penalties."

Urgency works by activating what psychologists call System 1 thinking — the fast, instinctive processing mode described by Daniel Kahneman in Thinking, Fast and Slow that prioritizes action over analysis. When people feel threatened and pressed for time, they are significantly less likely to pause and scrutinize what they are reading. Robert Cialdini's foundational work on influence and persuasion, published in 1984 and widely replicated, identified scarcity and urgency as among the most powerful compliance triggers in human psychology. Attackers apply these principles with precision.

The Authority Signal

Alongside urgency, authority is the second major lever. Attackers impersonate institutions and people we are conditioned to defer to: banks, the IRS, the CEO, IT support, law enforcement, or regulatory agencies. When the perceived sender is authoritative, targets are more likely to comply without questioning the request.

Stanley Milgram's famous obedience experiments (1963) demonstrated that ordinary people will take actions they find troubling when instructed by a perceived authority figure. The underlying dynamic — deference to authority suppressing independent judgment — is exactly what phishing exploits at the organizational level. A message that appears to come from your company's CEO asking you to wire $25,000 urgently bypasses the same cognitive mechanisms Milgram documented.

The Action Mechanism

The final element is the action request — what the attacker wants the target to do:

  • Click a link to a fake login page (credential harvest)
  • Open an attachment containing malware
  • Reply with sensitive information (credentials, banking details)
  • Authorize a wire transfer (BEC)
  • Call a phone number to "verify" account details (vishing follow-up)

The link or attachment is typically the weakest point for detection. Modern phishing kits use URL shorteners, redirectors, and legitimate cloud services (Google Docs, Dropbox, OneDrive) as intermediaries to evade link-based filtering. A link that passes through a legitimate service to reach the phishing page may not be blocked by URL reputation filters.

Major Phishing Types

Mass Phishing Campaigns

Traditional, broad-scope phishing sends the same or slightly varied message to millions of recipients. The success rate per recipient is low — sometimes below 1% — but the sheer volume makes it profitable. Common lures include fake package delivery notifications, bank security alerts, streaming service payment failures, and "account suspended" notices for popular platforms.

Mass campaigns rely on volume and luck rather than personalization. They are increasingly caught by email filters, which is why more sophisticated attackers have moved toward targeted approaches. Despite lower success rates, mass campaigns produce significant absolute numbers: even 0.1% of 10 million emails represents 10,000 successful compromises.

Spear Phishing

Spear phishing is qualitatively different. Before sending a single message, the attacker researches the target using LinkedIn profiles, company websites, social media, public filings, and sometimes prior data breaches. They learn who the target works with, what projects they are on, what software their company uses, and what their professional language sounds like.

The resulting message is personalized, plausible, and often references real details: "Hi Sarah, following up on the Q3 vendor contract we discussed at the Chicago meeting — here's the updated invoice." If Sarah was at a Chicago meeting and is dealing with vendor contracts, the trigger to act is strong.

The 2011 RSA Security breach began with a spear phishing email sent to a small group of employees with the subject line "Recruitment Plan." The email carried a zero-day exploit embedded in a spreadsheet attachment. That single email eventually led to the theft of data that compromised SecurID authentication tokens used by hundreds of RSA clients, including major defense contractors. The estimated damage was in the hundreds of millions of dollars — all from one personalized email.

A more recent example: the 2022 Uber breach began when an attacker, posing as a fellow Uber employee, used WhatsApp to contact an Uber contractor. The contractor had previously had their credentials exposed in a breach. The attacker combined the credential with a social engineering campaign — including sending repeated MFA push notifications (an "MFA fatigue" attack) until the target approved one — to gain access to Uber's internal systems.

Whaling

Whaling targets executives specifically. A high-profile case in 2016 involved Snapchat: an employee in the payroll department received an email that appeared to come from CEO Evan Spiegel requesting employee payroll data. The employee complied, and the W-2 information of a large number of current and former Snapchat employees was exposed.

The Austrian aerospace manufacturer FACC lost approximately 50 million euros in 2016 when attackers successfully impersonated the company's CEO via email and convinced a finance employee to transfer funds for a supposed acquisition project. The CFO and CEO were both subsequently dismissed — holding leadership accountable for an organizational security failure even though they were not the direct victims of the attack.

What makes whaling particularly effective is that executives are public figures. Their names, titles, communication styles, and organizational relationships are often visible through press releases, LinkedIn, annual reports, and corporate websites — making the impersonation easier to construct convincingly. Executive email patterns can often be inferred from public communications, enabling attackers to match their writing style.

Smishing

Text message phishing has grown dramatically as mobile banking and e-commerce have expanded. The APWG reported a 50% increase in smishing attempts between 2021 and 2023. Common scenarios include fake delivery notifications ("Your USPS package requires updated address confirmation — click here"), bank fraud alerts ("Unusual transaction detected on your account — verify now"), and government impersonation ("IRS: You owe back taxes. Failure to respond may result in legal action").

The Cybersecurity and Infrastructure Security Agency (CISA) has noted that smishing success rates have increased as consumers receive more legitimate business texts, normalizing the channel. Mobile browsers also make it harder to inspect links carefully — the full URL may not be visible until after a click, and phishing pages on mobile devices are deliberately designed to fit the smaller screen convincingly.

In 2023, a large-scale smishing campaign targeted customers of major US banks, using fake fraud alert messages to redirect victims to call centers staffed by scammers who then collected banking credentials over the phone — combining smishing with vishing in a coordinated multi-channel attack.

Vishing

Vishing exploits the perceived immediacy and personal nature of a phone call. Attackers often use Voice over IP (VoIP) services to spoof caller ID, making the call appear to come from your bank, the IRS, or Microsoft support. Scripts are designed to create panic ("We've detected fraudulent charges on your account") or authority ("This is a call from the Social Security Administration regarding your number being suspended").

In 2020, a group of attackers used vishing to target Twitter employees. By calling Twitter's internal support line while impersonating other employees, they convinced staff to grant access to internal admin tools. The attackers then hijacked high-profile accounts including those of Barack Obama, Elon Musk, and Joe Biden to run a cryptocurrency scam. The breach demonstrated that vishing is not just a consumer-level threat — it can penetrate major technology companies with sophisticated security teams.

AI voice cloning has added a new dimension to vishing in 2023-2024. Using as little as 10-30 seconds of publicly available audio, attackers can generate convincing voice replicas of specific individuals. A 2024 case documented by the FBI involved a finance employee receiving a phone call in which the voice of the company's CFO — cloned from public conference call recordings — authorized a fraudulent wire transfer. The employee could not detect the cloning because the voice matched their known reference.

Adversary-in-the-Middle (AiTM) Phishing

The emergence of AiTM phishing represents a significant escalation in sophistication. Traditional phishing steals credentials — but if the target has MFA enabled, stolen credentials alone are insufficient. AiTM attacks solve this problem by acting as a real-time proxy between the target and the legitimate service.

The attack flow:

  1. Target receives a convincing phishing email and clicks the link
  2. The phishing server proxies the real login page to the target — the target sees the actual, legitimate-looking login page
  3. When the target enters credentials, they are forwarded to the real service; the real service sends an MFA challenge
  4. The target completes the MFA challenge — the attacker captures the session cookie generated after successful authentication
  5. The attacker uses the session cookie directly, bypassing MFA entirely

Microsoft's security team documented AiTM phishing campaigns in 2022 targeting over 10,000 organizations, successfully bypassing MFA on Office 365 accounts. The EvilProxy and Modlishka phishing frameworks, commercially available as Phishing-as-a-Service tools, implement AiTM functionality for use by low-skill attackers.

The only MFA type that defeats AiTM phishing is FIDO2/WebAuthn hardware keys and passkeys: because the cryptographic authentication is bound to the legitimate domain, these mechanisms refuse to authenticate to a proxied version of the site, even if it is visually identical.

Why These Attacks Work: The Psychological Mechanisms

Fear and Threat Response

Phishing messages that invoke threats — account suspension, legal action, financial loss, security breach — activate the brain's stress response. Under stress, people process information more narrowly and act more impulsively. Research by Vishwanath et al. (2011) published in the journal Decision Support Systems found that perceived threat severity was one of the strongest predictors of phishing susceptibility, even among users who had received anti-phishing training.

A 2022 study by Jensen et al. in Computers and Security found that phishing emails inducing fear were significantly more effective than those using positive incentives, with fear-based emails generating 2.5 times higher click rates in simulated campaigns.

Social Proof and Normalization

Messages that imply others have already taken the requested action ("thousands of customers have updated their information — don't be left out") leverage social proof. If many others have done something, it seems less suspicious. This is a recognized principle from Cialdini's influence framework — the same dynamic that drives conformity in everyday social settings operates in email contexts.

Familiarity and Brand Trust

We extend trust to brands we recognize. Attackers deliberately mimic the visual design, language, and tone of well-known brands — their email templates, logo placement, color schemes, and even their characteristic phrases. This visual familiarity triggers trust before critical reading even begins.

Proofpoint's 2024 State of the Phish report identified Microsoft, DocuSign, and the IRS as the most impersonated brands in phishing campaigns — reflecting the ubiquity and authority of these names in organizational and personal contexts.

Cognitive Load Exploitation

People are more susceptible to deception when they are busy, distracted, or tired. Attackers often time campaigns to arrive during business hours when targets are managing multiple tasks, or during high-stress periods (tax season, year-end, major news events). Cognitive load reduces the capacity for careful scrutiny.

A 2023 study by Caputo et al. in the Journal of Cybersecurity found that employees were significantly more likely to click phishing links during high-volume periods of email activity — demonstrating the direct relationship between cognitive load and phishing susceptibility.

Commitment and Consistency

Once a target has taken an initial action (such as clicking a link and entering their username), the psychological principle of commitment and consistency — also documented by Cialdini — makes them more likely to continue through subsequent steps. Phishing pages often break the credential collection into multiple steps (username, then password, then MFA code) precisely to build on this effect.

AI and the Evolution of Phishing

Large language models have fundamentally changed the economics of phishing. Previously, mass phishing campaigns were identifiable partly through grammatical errors, awkward phrasing, and cultural incongruities — artifacts of non-native speakers or automated template generation. AI-generated phishing removes these signals entirely.

Researchers at ETH Zurich conducted a study in 2024 using GPT-4 to generate personalized spear phishing messages for a group of employees. The AI-generated messages achieved a click rate of 54%, compared to 12% for manually crafted messages and 3% for generic mass phishing. The AI was able to incorporate publicly available information about each target to construct contextually appropriate, grammatically perfect messages.

Proofpoint's threat research team documented a 150% increase in AI-assisted phishing campaigns between Q1 2023 and Q1 2024, as measured by linguistic complexity and personalization levels that exceeded what human campaign operators typically produce at scale.

Voice cloning for vishing, deepfake video for video call deception, and AI-powered chatbots that can conduct convincing text-based social engineering represent the current frontier of AI-enhanced phishing. The defensive implication is significant: technical markers of inauthenticity are disappearing, leaving behavioral and procedural controls as the primary defense.

How to Recognize a Phishing Attempt

Several consistent patterns identify suspicious messages:

Unexpected requests for credentials, payment, or sensitive data — legitimate services do not ask for passwords via email. Any such request should be treated as suspicious regardless of how convincing the email appears.

Urgent or threatening language that pushes for immediate action before you have time to think. Urgency is a deliberate manipulation tactic. Slowing down is itself a defense.

Sender addresses that look slightly wrong on close inspection — the display name looks right but the actual email domain does not match. Verify by expanding the sender field, not just reading the display name.

Links that, when hovered over, reveal destinations different from what they appear to be, or domains that mimic rather than match the real organization. On mobile, hold the link rather than tapping to preview the URL.

Generic greetings ("Dear Customer," "Dear User") in messages that should know your name — though note that sophisticated spear phishing will use your actual name.

Attachments from unexpected senders, especially executable files, Office documents that ask to enable macros, or compressed archives. Legitimate business communication rarely requires enabling macros.

Requests that bypass normal process: "Please wire $50,000 urgently to this account — do not mention this to anyone until it is complete." Any request that explicitly bypasses verification procedures is a red flag for BEC.

One practical technique is the "pause and verify" habit: before clicking any link or taking any action prompted by an email, navigate directly to the organization's official website in a new browser window, or call them using a phone number from their official site rather than any number provided in the message. This single habit interrupts the phishing attack chain at the action step.

Organizational Defenses

Technical Controls

Email authentication (SPF, DKIM, DMARC): Implementing Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting, and Conformance makes it substantially harder for attackers to spoof your organization's domain. DMARC in "reject" or "quarantine" policy specifically prevents spoofed emails from reaching recipients at all. A 2023 analysis by the Global Cyber Alliance found that domains with DMARC enforcement in "reject" mode blocked over 200 million phishing attempts per day.

Multi-factor authentication (MFA): Even when credentials are stolen via phishing, MFA prevents attackers from using them without a second factor. For defense against AiTM attacks specifically, only FIDO2/WebAuthn hardware keys and passkeys provide phishing-resistant authentication. Authenticator apps are substantially better than nothing but can be defeated by real-time proxy attacks.

Anti-phishing email filters: Modern email security platforms (Microsoft Defender for Office 365, Proofpoint, Mimecast, Abnormal Security) use machine learning to detect suspicious sender patterns, malicious links, and known phishing templates. They catch a significant proportion of mass campaigns. Abnormal Security and similar "behavioral AI" platforms focus on detecting anomalous communication patterns rather than known-bad indicators.

URL rewriting and sandboxing: Email security platforms that rewrite links to proxy them through a scanner at click time provide a second opportunity to detect malicious destinations that were not yet blacklisted at delivery time. Attachment sandboxing detonates suspicious files in an isolated environment before delivery.

Human Factors

Simulated phishing programs: Regularly sending fake phishing emails to employees — with immediate educational feedback when someone clicks — has strong evidence behind it. A 2023 KnowBe4 study found that organizations running ongoing simulated phishing training reduced their phishing susceptibility rate from an average of 34.3% at baseline to around 4.6% after twelve months of training.

The critical design principle is just-in-time training: education delivered at the moment someone clicks is significantly more effective than generic annual training delivered in a classroom. When a user clicks a simulated phishing link, immediate explanatory content about why the message was suspicious creates a learning moment that general training cannot replicate.

Reporting culture: Creating a clear, low-friction way to report suspicious messages (a "Report Phishing" button in email clients, a dedicated security team email address) generates valuable threat intelligence and signals that reporting is valued. Organizations must explicitly communicate that employees will not be penalized for reporting — or for falling for a test — because shame and fear of consequence suppress reporting.

Verification procedures for high-stakes requests: Any request involving financial transfer, credential changes, or sensitive data access should require out-of-band verification — confirming the request through a separate channel (a phone call to a known number, an in-person conversation) before acting. This single procedural step would have prevented most high-profile BEC losses. The Snapchat whaling incident and the FACC incident both could have been stopped by a one-minute phone call to verify the supposed executive's request.

The Layered Defense Model

No single control eliminates phishing because the attack surface is ultimately human psychology. The evidence-based organizational defense model is explicitly layered:

Defense Layer What It Blocks What It Misses
Email authentication (DMARC) Domain spoofing Lookalike domain attacks
Anti-phishing filters Known threats, mass campaigns Targeted novel attacks
URL sandboxing Malicious links at click time AiTM proxies, clean-at-scan redirectors
MFA (TOTP/push) Most credential theft AiTM real-time proxy attacks
FIDO2/passkeys All phishing credential theft Social engineering that bypasses authentication
Simulated training Reduces susceptibility over time Novel attack types; cognitive load failures
Verification procedures BEC, wire fraud Attacks that do not trigger procedure thresholds
Incident response Limits damage after click Does not prevent initial compromise

The goal is not to make any single layer perfect — it is to ensure that defeating any one layer still requires defeating multiple others.

Practical Takeaways

Phishing succeeds by exploiting the same qualities that make us functional humans — trust, responsiveness, deference to authority, and the desire to act quickly when threatened. No technical control eliminates it entirely because the attack surface is ultimately human psychology. And with AI removing the linguistic markers that previously helped identify suspicious messages, the pressure on behavioral and procedural defenses is increasing.

The most effective individual defense is a habit: pause before acting on any unexpected message that requests an action, verify the sender through an independent channel, and treat urgency itself as a warning sign rather than a reason to hurry. Attackers create urgency precisely because it suppresses careful thought.

For organizations, the evidence points clearly toward layered defense: strong email authentication, MFA everywhere (with FIDO2/passkeys for high-value accounts), anti-phishing filters, URL sandboxing, and regular simulated training combined with a culture where reporting suspicious messages is rewarded and making mistakes is treated as a learning opportunity rather than a punishable failure. No single layer is sufficient. All of them together dramatically reduce the likelihood of a successful breach — and reduce the damage when breaches do succeed.

References

  1. Verizon. (2024). Data Breach Investigations Report. Verizon Business.
  2. FBI Internet Crime Complaint Center. (2024). IC3 Annual Report 2023. Federal Bureau of Investigation.
  3. Cialdini, R. B. (1984). Influence: The Psychology of Persuasion. Harper Business.
  4. Proofpoint. (2024). State of the Phish Report. Proofpoint Inc.
  5. Milgram, S. (1963). "Behavioral study of obedience." Journal of Abnormal and Social Psychology, 67(4), 371-378.
  6. Kahneman, D. (2011). Thinking, Fast and Slow. Farrar, Straus and Giroux.
  7. Vishwanath, A., et al. (2011). "Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model." Decision Support Systems, 51(3), 576-586.
  8. Jensen, M. L., et al. (2022). "The impact of fear appeals on phishing susceptibility." Computers and Security, 113.
  9. KnowBe4. (2023). Phishing by Industry Benchmarking Report. KnowBe4 Inc.
  10. CISA. (2023). Smishing and Vishing: What You Need to Know. Cybersecurity and Infrastructure Security Agency.
  11. Sanger, D. E., & Perlroth, N. (2011). "RSA tells customers its SecurID tokens vulnerable." The New York Times, June 8.
  12. Evans, J. (2020). "Twitter hack: How did it happen and what do we know?" BBC News, July 31.
  13. Collier, K. (2016). "FACC CEO fired after company falls victim to $50M cyber fraud." Daily Dot, May 26.
  14. Anti-Phishing Working Group. (2024). Phishing Activity Trends Report, Q4 2023. APWG.
  15. Microsoft Security. (2022). "From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud." Microsoft Security Blog, July 12.
  16. Caputo, D. D., et al. (2023). "Going spear phishing: Exploring embedded training and awareness." Journal of Cybersecurity, 9(1).
  17. Global Cyber Alliance. (2023). DMARC Adoption and Impact Report. Global Cyber Alliance.
  18. ETH Zurich. (2024). "AI-powered spear phishing: A study of GPT-4 effectiveness." Proceedings of the IEEE Symposium on Security and Privacy.

Tags

phishing cybersecurity social engineering email security online safety

Frequently Asked Questions

What is the difference between phishing and spear phishing?

Phishing is broad and untargeted — the same message sent to millions hoping some will fall for it. Spear phishing is targeted: the attacker researches a specific individual or organization, personalizes the message with real details (name, role, recent activities), and sends a highly convincing message. Spear phishing has a much higher success rate and is the entry vector for most high-profile corporate breaches.

What is whaling in cybersecurity?

Whaling is spear phishing directed specifically at senior executives — CEOs, CFOs, and others with financial authority. It often impersonates regulators, law firms, or external partners, and typically requests wire transfers or sensitive data. Executives are especially vulnerable because they are public figures (making impersonation easy to research) and are accustomed to making fast decisions without verification.

How can I tell if an email is a phishing attempt?

Warning signs include unexpected urgency or threats, requests to enter credentials via a link, sender addresses that look similar but not identical to a real organization on close inspection, generic greetings instead of your name, and links that reveal unexpected destinations when hovered. The single most reliable defense: navigate directly to the organization's official website rather than clicking any link, or call them at a number you look up independently.

What is smishing and how does it differ from regular phishing?

Smishing is phishing via SMS text message, typically impersonating banks, delivery services, or government agencies. It is effective because people trust texts more than email, SMS lacks the spam filtering infrastructure email has, and mobile browsers make it harder to inspect URLs before clicking. Never click links in unexpected text messages.

What should organizations do to defend against phishing?

Effective defense requires layers: implement email authentication (SPF, DKIM, DMARC), deploy anti-phishing filters, enforce MFA on all accounts (hardware security keys resist phishing better than SMS), and run regular simulated phishing campaigns. KnowBe4 research found organizations with ongoing simulation training dropped susceptibility rates from 34% to 4.6% over twelve months.

Share this article