Skip to Content
Threats and Attacks

What is phishing?

Phishing is a fraudulent message, almost always by email, crafted to look like it comes from a legitimate source, such as a bank, a known vendor or your own boss, with the goal of tricking a person into handing over passwords and sensitive data or installing malicious software. It is the most common entry point for cyberattacks.

Zamak TechnologiesUpdated on July 9, 2026

How a phishing attack works

Phishing does not break into systems, it convinces a person. The scam usually follows four steps.

1

The bait

The criminal builds a message that imitates a trusted source, with a logo, address and tone close to the real ones.

2

The trigger

A reason to act without thinking: urgency, fear, a bill, a prize or an order that seems to come from a superior.

3

The action

The victim clicks the link, opens the attachment or types the password into a fake page that copies the real one.

4

The harvest

The credential or data goes straight to the criminal, who uses the access to steal money, data or plant ransomware.

Source: N-able Cyber Encyclopedia.

How to recognize phishing

  • The sender's name does not match the email's real domain
  • Links that, on hover, point to a different address than the text
  • A generic greeting (“Dear customer”) instead of your name
  • Urgency or a threat: “your account will be blocked in 24 hours”
  • An unexpected attachment you did not request
  • A request for a password, code or sensitive data by message
  • Grammar mistakes, odd formatting or something simply “off tone”

Types of phishing

  • Traditional phishing Mass, generic emails sent to thousands of people.
  • Spear phishing Aimed at a specific person, with real details to look legitimate.
  • Whaling Focused on executives who authorize payments or access critical data.
  • Vishing, smishing and quishing The same tactics by phone (voice), SMS or QR code.

Why phishing is so dangerous

193,407
phishing complaints to the FBI in 2024, the most reported cybercrime (IC3 2024)
21 s
median time for someone to click a phishing email after delivery (Verizon DBIR 2025)
No. 1
phishing is the most common entry point for cyberattacks

Phishing is the entry point for most attacks, from ransomware to business email compromise. In the FBI's Internet Crime Report (IC3 2024), phishing and spoofing were the most reported cybercrime, with 193,407 complaints, more than double the second place. And the reaction window is tiny: Verizon (DBIR 2025) measured the median time to click a phishing email at just 21 seconds after delivery. That is why defense cannot rely on human attention alone: when one person slips, the whole company is exposed.

How to protect against phishing

Effective defense is layered, because no person is right 100% of the time:

  1. A second identity check (MFA)If the password is stolen, the second factor still blocks access.
  2. Managed email securityFilters most malicious messages before they reach the inbox.
  3. Training and phishing simulationTurns the team into a defense layer that recognizes the scam.
  4. Verify through an independent channelFaced with a request for money or data, confirm by phone, not through the received email.
  5. Advanced endpoint defenseIf someone clicks, it contains the malicious software before it spreads.

In practice

When in doubt, verify through another channel. A phone call confirms what an email cannot prove.

How Zamak handles phishing

Zamak Technologies combines managed email security, a second identity check and training with phishing simulation, so that defense does not depend on a person never slipping. A good starting point is the phishing simulation, which shows how your team would react to a real scam.

Frequently asked questions about phishing

How do I know if an email is phishing?
Be suspicious of urgency, requests for passwords, links whose destination does not match the text, and senders whose address does not correspond to the company. When in doubt, do not click and confirm through another channel.
What is the difference between phishing and spam?
Spam is unwanted mail, usually advertising. Phishing is a fraud that tries to steal data or money by impersonating someone trusted.
What is spear phishing?
It is phishing aimed at a specific person, using real details (name, role, projects) to look legitimate and increase the chance of success.
I clicked a phishing link, what now?
Do not type anything, disconnect the device from the network and alert IT or security immediately. Change the password of the affected service from another trusted device.
Does antivirus protect against phishing?
It helps, but it is not enough. Phishing tricks the person, not the system. Real protection combines email security, a second identity check and training.
Does training the team solve it?
It greatly reduces the risk, but no person is always right. Training is one layer; it works together with technology, not in its place.

Related terms

RansomwareBEC (email fraud)Social engineeringMFADark web
Threats and Attacks
RansomwarePhishingBEC (email fraud)Social engineeringDouble extortionDark webDeep web
Endpoint and Identity
MFA
Detection and Response
EDRMDRXDRMITRE ATT&CK
Network and Access
ZTNA
Continuity and Recovery
BackupImmutable backupRPO (Recovery Point Objective)RTO (Recovery Time Objective)DRaaS (Disaster Recovery as a Service)
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessment