Cybersecurity Glossary

What is Phishing?

Phishing is a social engineering attack that uses fraudulent messages — usually email, sometimes text or voice — to trick users into revealing credentials, clicking malicious links, or installing malware. It remains the most common entry point for business breaches.

How It Works

How Phishing works

Three-step view of how it operates in practice.

1. Target

Attackers identify a victim and research context — recent vendor payments, common travel, org chart. Personalization dramatically increases success.

2. Deliver

A crafted message lands in the inbox, mimicking a trusted brand, executive, or vendor. Links and attachments are the payload carriers.

3. Exploit

The victim clicks, enters credentials on a fake site, or runs the attachment. The attacker uses stolen credentials or installed malware to pivot.

Phishing Variants

Common phishing variants

A clear breakdown of the common variants.

Generic phishing (most common): Mass-sent, impersonating well-known brands. Lowest effort, still works at scale.

Spear phishing: Targeted at a specific person or small group, using researched context such as the victim's role, vendors, or recent activity to make the message convincing.

Whaling: Spear phishing aimed at senior executives and other high-value targets, typically to authorize payments or release sensitive data.

Smishing & vishing: Phishing delivered by SMS text message (smishing) or by phone call or voicemail (vishing) rather than email.

Why It Matters

Why Phishing matters for SMBs


94% of organizations experienced a successful phishing attack in 2023 (Source: Proofpoint State of the Phish, 2024).
Pitfalls

Common Phishing mistakes

  • Relying only on training: Training helps but won't catch every user every time. Technical controls (MFA, conditional access, attachment sandboxing) matter more.
  • No phishing report button: Users who have to guess where to send a suspicious message usually send it nowhere. A one-click report button in the mail client gets messages to the security team quickly and makes reporting measurable.
  • Punitive culture around clicks: Shaming users for clicking reduces reporting and drives attacks underground. Non-punitive feedback increases reporting rates.
  • Skipping outbound checks: DMARC, DKIM, and SPF configured correctly prevent attackers from spoofing your domain to customers.
Common Questions

Phishing frequently asked questions

What is BEC, and how does it relate to phishing?

BEC (business email compromise) is a targeted phishing style focused on wire fraud and vendor payment manipulation. All BEC is phishing; not all phishing is BEC.

Does MFA stop phishing?

MFA stops most credential-based phishing attacks, but attacker-in-the-middle kits can intercept push and SMS codes. Phishing-resistant MFA (FIDO2 keys, passkeys) defeats these too.

Should we run phishing simulations?

Yes — monthly micro-simulations keep awareness sharp. Measure reporting rate, not just click rate; high reporting is the leading indicator of a healthy program.

What should we do when a user enters their credentials on a phishing site?

Immediately reset the credential, revoke active sessions, check for inbox rules the attacker may have created, and review access logs for the affected account. Speed matters.

What if a user loses their MFA device?

Have a documented recovery process before it happens. Typically an administrator verifies the user's identity through an out-of-band channel, temporarily disables MFA, and re-enrolls the user with a new device. Backup codes or a secondary security key reduce downtime.
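As an added illustration, not part of the page, of the "check for inbox rules" step in the credential-compromise answer above: a small Python triage that runs over a mailbox's rules and surfaces the patterns attackers typically create after taking over an account (forwarding to an outside address, deleting or burying replies, near-empty rule names, filters on payment or security keywords). The rules and their field names are constructed for this example and assume a simplified export format, not any mail platform's real schema.

```python
"""Triage mailbox rules after a credential phish for the patterns attackers create.

Added example, not code from the LogicalNet page. Attackers who obtain mailbox
credentials commonly add rules that forward mail outside the organisation or hide
replies (delete, move to an obscure folder) so the victim does not notice.
The rules below are constructed sample data in an assumed, simplified export
format; the field names are not any mail platform's real schema.
"""

ORG_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

# Folders users rarely open, a common hiding place for diverted mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items"}

# Keywords that matter when a rule also hides or diverts mail.
SENSITIVE_TERMS = ("password", "invoice", "payment", "wire", "bank", "mfa", "verification", "security")

# Constructed sample rules exported from one mailbox.
SAMPLE_RULES = [
    {"name": "Vendor invoices", "forward_to": ["ap@example.com"], "delete": False,
     "move_to": None, "conditions": ["subject:invoice"]},
    {"name": ".", "forward_to": ["collector@mail-drop.invalid"], "delete": True,
     "move_to": None, "conditions": ["subject:password", "subject:invoice"]},
    {"name": "Cleanup", "forward_to": [], "delete": False,
     "move_to": "RSS Feeds", "conditions": ["from:it-security@example.com"]},
    {"name": "Newsletters", "forward_to": [], "delete": False,
     "move_to": "Reading", "conditions": ["from:news@vendor.invalid"]},
]


def external_recipients(rule):
    """Forwarding targets whose domain is not one of ours."""
    return [a for a in rule.get("forward_to", []) if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def score_rule(rule):
    """Return the list of reasons a rule looks attacker-created (empty means benign-looking)."""
    reasons = []
    ext = external_recipients(rule)
    if ext:
        reasons.append("forwards to external address(es): " + ", ".join(ext))
    folder = (rule.get("move_to") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely-read folder '{rule['move_to']}'")
    if rule.get("delete"):
        reasons.append("deletes matching messages")
    if len(rule.get("name", "").strip()) <= 2:
        reasons.append(f"near-empty rule name '{rule.get('name', '')}'")
    # Sensitive keywords are only a signal when combined with an action above,
    # otherwise every legitimate "file my invoices" rule would be flagged.
    if reasons:
        conditions = " ".join(rule.get("conditions", [])).lower()
        hits = [term for term in SENSITIVE_TERMS if term in conditions]
        if hits:
            reasons.append("matches on sensitive terms: " + ", ".join(hits))
    return reasons


def triage(rules):
    """Return flagged rules, most suspicious first, for an analyst to review and remove."""
    flagged = [{"name": r.get("name", ""), "reasons": score_rule(r)} for r in rules]
    flagged = [f for f in flagged if f["reasons"]]
    return sorted(flagged, key=lambda f: len(f["reasons"]), reverse=True)


if __name__ == "__main__":
    for item in triage(SAMPLE_RULES):
        print(f"[{len(item['reasons'])}] rule {item['name']!r}")
        for reason in item["reasons"]:
            print("   -", reason)
```

The output is a review list, not an automatic cleanup: an analyst confirms each flagged rule with the user before removing it, and the same pass is worth repeating after the credential reset, since a rule created by the attacker survives the password change.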
Identity & Access

Want to cut phishing risk without boring your team to death?

Talk to a LogicalNet identity expert. We will review your current environment, recommend the right MFA methods for each group of users, and help you deploy without disrupting the business.

No commitment · Local engineers · Response within 1 business day