What is phishing?
Phishing is a fraudulent message, almost always by email, crafted to look like it comes from a legitimate source, such as a bank, a known vendor or your own boss, with the goal of tricking a person into handing over passwords and sensitive data or installing malicious software. It is the most common entry point for cyberattacks.
How a phishing attack works
Phishing does not break into systems, it convinces a person. The scam usually follows four steps.
The bait
The criminal builds a message that imitates a trusted source, with a logo, address and tone close to the real ones.
The trigger
A reason to act without thinking: urgency, fear, a bill, a prize or an order that seems to come from a superior.
The action
The victim clicks the link, opens the attachment or types the password into a fake page that copies the real one.
The harvest
The credential or data goes straight to the criminal, who uses the access to steal money, data or plant ransomware.
Source: N-able Cyber Encyclopedia.
How to recognize phishing
- The sender's name does not match the email's real domain
- Links that, on hover, point to a different address than the text
- A generic greeting (“Dear customer”) instead of your name
- Urgency or a threat: “your account will be blocked in 24 hours”
- An unexpected attachment you did not request
- A request for a password, code or sensitive data by message
- Grammar mistakes, odd formatting or something simply “off tone”
Types of phishing
- Traditional phishing Mass, generic emails sent to thousands of people.
- Spear phishing Aimed at a specific person, with real details to look legitimate.
- Whaling Focused on executives who authorize payments or access critical data.
- Vishing, smishing and quishing The same tactics by phone (voice), SMS or QR code.
Why phishing is so dangerous
Phishing is the entry point for most attacks, from ransomware to business email compromise. In the FBI's Internet Crime Report (IC3 2024), phishing and spoofing were the most reported cybercrime, with 193,407 complaints, more than double the second place. And the reaction window is tiny: Verizon (DBIR 2025) measured the median time to click a phishing email at just 21 seconds after delivery. That is why defense cannot rely on human attention alone: when one person slips, the whole company is exposed.
How to protect against phishing
Effective defense is layered, because no person is right 100% of the time:
- A second identity check (MFA)If the password is stolen, the second factor still blocks access.
- Managed email securityFilters most malicious messages before they reach the inbox.
- Training and phishing simulationTurns the team into a defense layer that recognizes the scam.
- Verify through an independent channelFaced with a request for money or data, confirm by phone, not through the received email.
- Advanced endpoint defenseIf someone clicks, it contains the malicious software before it spreads.
In practice
When in doubt, verify through another channel. A phone call confirms what an email cannot prove.
How Zamak handles phishing
Zamak Technologies combines managed email security, a second identity check and training with phishing simulation, so that defense does not depend on a person never slipping. A good starting point is the phishing simulation, which shows how your team would react to a real scam.