Structured data rendered for: Article
INVADERS
Back to Glossary

Phishing

Lucas Oliveira
8/13/2025
Cybersecurity Definition

Phishing

Phishing uses deceptive emails or messages to trick recipients into revealing credentials or executing malware.[1] Spear-phishing and BEC (business email compromise) target high-value individuals with tailored lures. DMARC enforcement, anti-spoofing checks and AI-driven email filters reduce phishing success rates. Periodic simulations and just-in-time training lower click rates dramatically.

Phishing: Building Defenses That Outpace Deception

Phishing adapts to every new control. This guide focuses on practical, layered defenses that blunt the impact of credential theft, malware delivery, and business email compromise—without crushing productivity.

Table of Contents

Why Phishing Still Works

People are targeted, not just systems. Time pressure, spoofed trust signals, and lookalike domains create high click‑through rates—especially on mobile.

Campaign Types and Lures

  • Credential harvesters (IDP lookalikes)
  • Malware delivery via macro docs or archives
  • Conversation hijacking inside compromised threads
  • Vishing and smishing variants

From Click to Compromise

A common chain: lure → fake login or payload → session theft or initial access → lateral movement or fraud. Align defenses to this path.

Detection and Triage

  • Email: DMARC/DKIM/SPF enforcement; brand indicators
  • Web: block bad with URL Filtering; real‑time risk
  • Endpoint: macro/Office hardening; EDR for script abuse
  • Identity: risk‑based auth; revoke tokens on suspected theft
  • Network: domain age checks; TLS fingerprint shifts

Prevention in Layers

  • Phishing‑resistant MFA (Passkeys/FIDO2)
  • Conditional access for new device + risky action
  • Browser isolation for unknown links
  • Training grounded in real lures, not trivia
  • Password managers to defeat reuse (see Access Control)

Incident Response for BEC and Credential Theft

  1. Contain: reset tokens, invalidate sessions, block forwarding rules
  2. Investigate: OAuth grants, mailbox rules, wire instructions
  3. Notify: finance/legal; contact impacted third parties
  4. Harden: enable advanced phishing protections, enforce MFA
  5. Learn: update simulations from real incidents

FAQ

  1. Does training help?
    Yes—when paired with technical controls and real‑world scenarios.

  2. Are password managers safe?
    They reduce reuse and help catch fake domains; protect the master factor with MFA.

  3. What about QR code phishing?
    Treat unknown QR sources like unknown links; apply the same controls.

  4. Can we stop all phishing?
    No—but layered defenses reduce compromise and speed recovery.

  5. Biggest win?
    Passkeys for admins and high‑risk users.

Related Topics