Phishing: Definition and Compliance Guide

Why It Matters

Phishing is the number one attack vector in cybersecurity. Over 90% of successful cyberattacks begin with a phishing email. It bypasses technical defenses by targeting the weakest link — human judgment. The damage goes beyond stolen credentials: phishing leads to ransomware infections, business email compromise (BEC) fraud costing billions per year, and data breaches that trigger GDPR notification obligations.

Types of Phishing

Email phishing — mass emails impersonating banks, services, or colleagues. The most common form.
Spear phishing — targeted attacks directed at specific individuals using personal information gathered from social media or data breaches.
Whaling — spear phishing targeting senior executives (CEO, CFO) for high-value targets.
Smishing — phishing via SMS text messages (e.g., fake delivery notifications).
Vishing — voice phishing via phone calls impersonating IT support, banks, or government agencies.
Clone phishing — duplicating a legitimate email and replacing links or attachments with malicious ones.

Warning Signs

Urgency — "Your account will be suspended in 24 hours"
Sender mismatch — display name says "Microsoft" but email is from random domain
Suspicious links — hover to check; URL doesn't match the claimed organization
Generic greetings — "Dear Customer" instead of your name
Grammatical errors — though AI-generated phishing is increasingly polished
Unexpected attachments — especially .exe, .zip, or macro-enabled Office files
Requests for credentials — legitimate organizations don't ask for passwords via email

Prevention

Security awareness training — regular, practical training with simulated phishing exercises
Multi-factor authentication (MFA) — even if credentials are stolen, MFA blocks unauthorized access
Email filtering — DMARC, DKIM, and SPF to prevent email spoofing
Incident reporting culture — make it easy and safe for employees to report suspicious emails
Zero-trust approach — verify every access request, regardless of source

Key Statistics

3.4 billion phishing emails are sent globally every day
BEC losses exceeded $2.7 billion in 2022 (FBI IC3 report)
Average cost of a phishing-related data breach: $4.76 million (IBM, 2023)

Why It Matters

Types of Phishing

Email phishing — mass emails impersonating banks, services, or colleagues. The most common form.
Spear phishing — targeted attacks directed at specific individuals using personal information gathered from social media or data breaches.
Whaling — spear phishing targeting senior executives (CEO, CFO) for high-value targets.
Smishing — phishing via SMS text messages (e.g., fake delivery notifications).
Vishing — voice phishing via phone calls impersonating IT support, banks, or government agencies.
Clone phishing — duplicating a legitimate email and replacing links or attachments with malicious ones.

Warning Signs

Urgency — "Your account will be suspended in 24 hours"
Sender mismatch — display name says "Microsoft" but email is from random domain
Suspicious links — hover to check; URL doesn't match the claimed organization
Generic greetings — "Dear Customer" instead of your name
Grammatical errors — though AI-generated phishing is increasingly polished
Unexpected attachments — especially .exe, .zip, or macro-enabled Office files
Requests for credentials — legitimate organizations don't ask for passwords via email

Prevention

Security awareness training — regular, practical training with simulated phishing exercises
Multi-factor authentication (MFA) — even if credentials are stolen, MFA blocks unauthorized access
Email filtering — DMARC, DKIM, and SPF to prevent email spoofing
Incident reporting culture — make it easy and safe for employees to report suspicious emails
Zero-trust approach — verify every access request, regardless of source

Key Statistics

3.4 billion phishing emails are sent globally every day
BEC losses exceeded $2.7 billion in 2022 (FBI IC3 report)
Average cost of a phishing-related data breach: $4.76 million (IBM, 2023)

Phishing

Why It Matters

Types of Phishing

Warning Signs

Prevention

Key Statistics

NIS2 Directive: Who Must Comply? The Definitive Guide to Scope, Sectors, and Obligations in 2026

Cybersecurity Awareness Training: The Complete Guide for 2026

Compliance Glossary: Key Terms and Definitions 2026

Want more than the definition?

Phishing

Why It Matters

Types of Phishing

Warning Signs

Prevention

Key Statistics

NIS2 Directive: Who Must Comply? The Definitive Guide to Scope, Sectors, and Obligations in 2026

Cybersecurity Awareness Training: The Complete Guide for 2026

Compliance Glossary: Key Terms and Definitions 2026

Want more than the definition?