What is Phishing?
A Complete Guide

Train your employees to watch out for and report phishing emails.


Phishing is a type of online fraud in which attackers use social engineering to trick individuals into sharing sensitive information such as passwords, credit card numbers, or other personal data. Read on to learn how to protect yourself from phishing attacks.

By Cian Fitzpatrick | April 13, 2023


Phishing refers to a cybercrime where individuals are contacted through email, phone, or text by individuals posing as credible institutions. The aim is to coax them into sharing sensitive data such as personal information, bank account and credit card details, and passwords. This information is then used to access crucial accounts, potentially causing financial harm and identity theft.

Phishing Definition

To deceive the victim into clicking on a malicious link, phishing employs impersonating a trustworthy source through email, instant messages, or text messages. This can lead to installing malware, system freezing by a ransomware attack, or revealing confidential data.

In addition, cybercriminals use phishing as a means to infiltrate corporate or governmental networks, often as part of a more extensive attack like an advanced persistent threat (APT) event. Hackers override security measures, introduce malware, and acquire privileged access to confidential data by compromising employees.

A phishing attack can have severe consequences, including unauthorised purchases, theft of funds, and identity theft. If an organisation is targeted, it can result in significant financial losses, damage to reputation and consumer trust, and a decline in market share. Depending on the extent of the attack, a phishing attempt can escalate into a security incident that can be challenging for a business to recover from.

How does Phishing work?

Attackers send malicious email messages or other communications that resemble legitimate ones. The more genuine the message appears, the greater the chance of success. The attackers usually aim to obtain personal information or credentials, and they create a sense of urgency in the message so that recipients feel threatened. This manipulative technique pushes the victim into complying even with unreasonable demands.

Organisations must train staff to recognise the latest phishing tactics; it only takes one person to fall for a phishing attempt and trigger a severe data breach. This is why phishing is considered one of the most challenging and critical threats to mitigate.

Dangers of Phishing

Personal phishing risks

Personal phishing targets individuals through phone calls, emails, or text messages. Attackers pose as trustworthy entities like government agencies, banks, or famous companies to obtain sensitive information like credit card details, usernames, and passwords. This information can be used to steal money or commit identity theft. Personal phishing attacks can devastate individuals as they lack the same level of security as large organisations. Individuals should be cautious of unsolicited messages and regularly update their passwords to protect themselves.

Organisational phishing risks

Organisational phishing is a cyber attack that targets businesses, governments, and institutions using fake emails, text messages, or phone calls to obtain sensitive information such as login credentials, financial data, or other confidential details. Attackers use this data to steal funds or launch advanced attacks. Phishing attacks can result in severe financial and reputational damage, particularly when involving sensitive data or intellectual property. Organisations must implement robust security measures, including employee training, to reduce the risk of falling prey to these attacks.

Common Traits of Phishing

Phishing is an illegal technique used to trick individuals into revealing sensitive information. Here are some common indicators of a phishing attempt that you should be aware of to stay safe:

  • Requests for sensitive information
  • Generic greetings or lack of personalisation
  • Spelling or grammatical errors
  • Unofficial or unfamiliar sender information
  • Urgent requests or sense of urgency
  • Unfamiliar or mismatched URLs
  • Suspicious or misleading hyperlinks
  • Threats or scare tactics
  • Requests for immediate action
  • Tempting or too-good-to-be-true offers


Phishing Attacks: Statistics and Examples

The 2022 Cost of Data Breach Report by IBM affirms that stolen or compromised credentials are the most common cause of data breaches: they were the primary attack vector in 19% of breaches in 2022, a slight decline from 20% in 2021. The average cost of a breach resulting from this type of attack was $4.5m, and such breaches took 243 days to identify and 84 days to contain, 16.6% longer than the average time to identify and contain a data breach. Phishing was the second most frequent cause of data breaches, accounting for 16% of incidents at an average cost of $4.91m.

Examples:

In August 2022, Acorn Financial Services suffered a security breach when an employee was targeted in a phishing attack. The attackers stole login credentials and accessed sensitive information, including client details. Acorn conducted an investigation and informed affected customers. The breach could have been prevented or minimised with a phishing detection system in place.

Twilio experienced a security breach in August 2022. The breach was caused by an SMS phishing attack in which employees were directed to a fake authentication site that looked like Twilio’s real site. The employees unknowingly entered their login credentials on the fake site, which allowed the attackers to gain access to Twilio’s internal resources and customer data. The attackers compromised 93 Authy accounts and potentially exposed 1,900 accounts on the encrypted communication app Signal, but they wouldn’t have been able to access message history or contact lists.


Types of Phishing Attacks

1) Spear phishing

Spear phishing involves targeting specific individuals in an organisation, typically those with high-level access, through email. This tactic aims to deceive victims into providing confidential information, transferring funds, or downloading malicious software.

2) Business email compromise (BEC)

Business email compromise (BEC) involves the perpetrator pretending to be someone the recipient trusts, such as a coworker, manager, or supplier. The attacker then requests actions such as wire transfers, changes to banking details, or payroll diversions. Because BEC attacks don’t employ malware or malicious URLs, they are difficult to detect using traditional cybersecurity methods. Instead, these scams rely on social engineering tactics and impersonation to deceive individuals interacting with the attacker.

3) Whaling

Whaling or CEO fraud targets high-profile employees within an organisation. The attackers deceive the victims into thinking that the CEO or another executive has requested a money transfer. Unlike regular phishing, this fraud involves impersonating the CEO of the targeted company rather than another entity.

4) Microsoft 365 phishing

A Microsoft 365 phishing attack involves using email or other electronic communication to deceive users into disclosing personal information or clicking on harmful links. These attacks are usually aimed at Office 365 users, often high-value targets with access to sensitive data.

5) Smishing

Smishing is a cyber-attack where attackers use SMS messages to deceive users into accessing malicious websites from their smartphones. The attackers will send a text message containing a harmful link to a specific victim, offering discounts, rewards, or free prizes to entice them to click the link.

7) Social media phishing

Social media phishing involves cyberattacks on social media platforms such as Facebook, Twitter, LinkedIn, and Instagram. These attacks aim to either steal sensitive personal information or take over a user’s social media account.

8) Voice phishing or Vishing

Voice Phishing or Vishing involves using a phone to obtain personal information from victims. This is achieved through social engineering techniques to convince victims to provide sensitive information, often to gain access to financial accounts.

9) “Evil Twin” Wi-Fi

Attackers can execute a cyberattack known as “Evil Twin” Wi-Fi by creating a fraudulent wireless access point that looks like a legitimate free Wi-Fi hotspot. By connecting to this fake access point, users may unknowingly allow the attacker to intercept their internet traffic, enabling them to perform man-in-the-middle (MITM) attacks.

10) Pharming

Pharming is a cyberattack used to steal account credentials in two stages. First, malware is installed on the victim’s device, redirecting them to a spoofed website. Second, they are tricked into revealing their account credentials. DNS poisoning is also applied to redirect users to these fake domains.


Phishing Techniques

1) Malicious Web Links

Phishing emails often contain links, which can be harmful. These links can lead users to fake websites or sites infected with malicious software. Malicious links can be camouflaged to look legitimate and hidden within images or logos in an email.

2) Malicious Attachments

Although they appear authentic, file attachments may contain malware that can compromise computers and their data. Malware such as ransomware can lock every file on a PC and make it inaccessible. Keystroke loggers can capture every password a user types. Moreover, malware can spread to other networked resources such as external hard drives, servers, and cloud systems, which makes it crucial to be mindful of cybersecurity measures.

3) Fraudulent Data Entry Forms

Deceptive emails contain fake data entry forms that urge users to enter personal and sensitive information. The requested data may include credit card details, passwords, user IDs, and phone numbers. Once this information is submitted, cybercriminals can exploit it for their own benefit.


Phishing’s Most Targeted Industries

In Q1 of 2022, certain industries were highly susceptible to phishing attacks, as indicated by data from Statista. The online sectors that experienced the most targeting are:

  • Financial faced 23.6% of phishing attacks.
  • Software-as-a-Service faced 20.5% of phishing attacks.
  • E-commerce faced 14.6% of phishing attacks.
  • Social media faced 12.5% of phishing attacks.
  • Cryptocurrency faced 6.6% of phishing attacks.
  • Payment faced 5% of phishing attacks.
  • Logistics faced 3.8% of phishing attacks.

Moreover, IBM found that the healthcare sector bore the highest data breach costs resulting from successful phishing attacks.

Phishing’s Most Impersonated Brands

According to some reports, the following brands are most commonly used in phishing attacks worldwide:

  • DHL was impersonated in 22% of such attacks;
  • Microsoft was used in 16% of cases;
  • LinkedIn was featured in 11% of incidents;
  • Google was impersonated in 6% of attacks;
  • Netflix was used in 5% of cases.


How To Recognise Phishing?

Knowing how to recognise phishing attempts is crucial in protecting oneself from these attacks. Key indicators to watch for include:

  • Unusual or generic greetings
  • Subject lines with unusual language or errors
  • Too-good-to-be-true offers
  • Emails from public domains
  • Misspelt domains, or domains with an additional word
  • Emails with an urgent or threatening tone

Treat such messages cautiously, and be wary of suspicious links or attachments and of unsolicited phone calls asking for personal information.
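The indicator lists under "Common Traits of Phishing" and the section above can be turned into a simple triage check. The following is an added example, not code from the article or from Topsec: it parses a constructed sample message and scores it against several of the listed traits (public-domain sender, misspelt or padded brand domain, generic greeting, urgent language, and a hyperlink whose visible text does not match its real target). The brand set, keyword lists, thresholds and sample addresses are illustrative assumptions.

```python
# Added example (not the article's code): scores a constructed message against
# indicators the article lists. Word lists, brand set and regexes are assumptions.
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
KNOWN_BRANDS = {"paypal.com", "microsoft.com", "dhl.com", "linkedin.com"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify now)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|member|sir/madam)\b", re.I | re.M)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_maintype() == "text")


def lookalike_brand(domain):
    """Return the brand a sender domain imitates (misspelling or added word), else None."""
    if domain in KNOWN_BRANDS:
        return None
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        if name in domain or SequenceMatcher(None, domain, brand).ratio() > 0.8:
            return brand
    return None


def triage(raw):
    """Return (score, reasons) for a raw message; each matched indicator adds one point."""
    msg = message_from_string(raw)
    body = _text(msg)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []
    if domain in PUBLIC_DOMAINS:
        reasons.append("sender uses a public mail domain")
    brand = lookalike_brand(domain)
    if brand:
        reasons.append(f"sender domain {domain} resembles {brand}")
    if GENERIC_GREETING.search(body):
        reasons.append("generic greeting instead of the recipient's name")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        reasons.append("urgent or threatening language")
    for href, text in ANCHOR.findall(body):
        shown = re.search(r"https?://[^\s<]+", text)
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            reasons.append(f"link shows {shown.group()} but goes to {urlparse(href).hostname}")
    return len(reasons), reasons


# Constructed sample message; addresses and domains are illustrative only.
SAMPLE = """\
From: "PayPal Support" <alerts@paypal-support.com>
To: victim@example.org
Subject: URGENT: your account will be suspended
Content-Type: text/html

Dear Customer,
Verify now to avoid suspension:
<a href="http://198.51.100.7/login">https://www.paypal.com/signin</a>
"""

if __name__ == "__main__":
    for reason in triage(SAMPLE)[1]:
        print("-", reason)
```

A score like this is a triage aid for a mailbox or SOC workflow, not a verdict; a legitimate notification can trip one indicator, which is why the reasons are returned alongside the count.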


How To Protect Yourself From Phishing Attacks?

To protect yourself from phishing attempts, it is important to verify both the sender and the request. If you suspect a phishing attempt, do not respond; report it immediately to the relevant authorities or your IT department.

Primary steps you can take to protect yourself from phishing:

  • Install email security software on your devices.
  • Use multi-factor authentication for your accounts. It requires two or more credentials drawn from three categories: something you know, something you have, and something you are. This makes it much harder for attackers to access your accounts with a stolen password alone.
  • Back up the data on your computer and phone to an external drive or to the cloud, so that a ransomware infection does not leave you without a copy of your files.
  • Provide training sessions for employees on recognising phishing and how to deal with it.

What should I do if I receive a phishing email?

When receiving an email or text with a link or attachment, ask yourself if you know the sender or have an account with the company. If not, it could be a phishing scam. Look for signs of a scam, report it, and delete the message if necessary. If you have an account or know the sender, contact them through a legitimate phone number or website, and avoid opening attachments or clicking on links to avoid malware.

What to do if I responded to a phishing email?

If you have shared personal information with a scammer, take prompt action to safeguard yourself. If you gave out your banking details, inform your bank. If you suspect your account has been hacked, check for unrecognised messages or for being locked out, and follow the provider's instructions to recover the account. Notify your IT department if the message arrived on a work device. Run a full antivirus scan if you opened a link or installed software, and if you shared a password, change it on every account where it was used. Report any lost money as a crime to your bank and to Action Fraud (for England, Wales, and Northern Ireland) or Police Scotland (for Scotland).

What to do if I've been successfully phished?

If you have been successfully phished, the most crucial step is to report the phishing attack. Reporting the attack can help inform the platform that you’ve been phished. This will initiate the assistance you need in regaining account security and informing others at risk of being phished.

How To Report Phishing?

To report a phishing attack, there are different options available depending on your location:


How can Topsec help?

Phishing attacks cause significant damage to businesses, both in terms of financial loss and reputation. At Topsec, we understand the risks and have developed top-tier internet security solutions to help protect our clients.

Topsec’s managed concierge service ensures that specialist support is always available to our customers. A dedicated email security team rigorously monitors the volume of spam and potentially hazardous content received. We know phishing attacks can happen at any time, so our technical professionals are available 24/7 to assist and support you when one occurs.

Topsec’s Managed Phishing Awareness Training is an online solution that executes real-time phishing attacks to test and improve your employees’ security awareness. We manage the entire process, from creating and sending phishing emails to generating reports on employee performance. Our approach combines simulated phishing attacks with security awareness training to identify staff who require additional training and combat phishing threats. Our Phishing Simulator includes pre-designed templates created by security professionals that replicate spear phishing, clone phishing, and other hacking strategies.

Topsec also provides an anti-phishing software and attachment sandboxing service that helps clients evaluate potentially harmful attachments. It uses advanced machine learning algorithms, anti-evasion techniques, anti-exploit, and aggressive behaviour analysis to examine the file or URL in a safe virtual environment without affecting system performance. Suspicious attachments can be flagged and classified as malware while providing a feedback loop to update the antivirus system. It provides a critical first line of defence against weaponised attachments and ensures quick delivery of emails.

In today’s digital landscape, protecting your business from cyber attacks is more critical than ever. With Topsec’s internet security solutions, you can have peace of mind knowing your business is always protected.

Conclusion

Phishing continues to be a leading threat to organisations and individuals alike. With the increasing sophistication of these attacks, it is extremely important to take proactive steps to safeguard yourself and your organisation. Effective measures to mitigate the risk of phishing include training employees to recognise and report phishing attempts, implementing multi-factor authentication, and using anti-phishing software.

Topsec offers a range of solutions and services to help organisations protect against phishing attacks. Our anti-phishing software uses advanced algorithms to analyse email content and detect and block suspicious messages before they can reach their intended targets. We also offer employee phishing awareness training and can help organisations understand how their staff respond to such threats. This helps organisations and their staff understand and deal effectively with phishing patterns. Contact Topsec today to learn more about how we can help protect your organisation against phishing attacks.


Phishing FAQs

Phishing attempts that deceive users into downloading malware or clicking on a malware link are known as trap phishing. The tactic involves impersonating well-known brands and using aggressive approaches to persuade users to share personal information, pay, or log in to a phishing website to “update” their account details. Cybercriminals exploit this opportunity to steal users’ login credentials and other sensitive data.

Barrel phishing is a targeted phishing attack involving two or more emails sent to the same victim. The first email is used as bait and appears to be from a trusted source. In contrast, the second email contains malicious content that aims to trick the victim into revealing sensitive personal or financial details. The attack aims to establish authenticity with the first email and then lure the victim into divulging their information with the second.

A phishing kit is a package of software tools, including HTML, code, and images, that enables cybercriminals to carry out phishing attacks. With these kits, even those with minimal phishing knowledge can easily create multiple phishing pages and target many people.

When you are phished, the attacker typically tricks you into providing sensitive data, such as passwords or credit card numbers, to a fraudulent source. This data can then be used for identity theft or financial gain.

The most common signs of a phishing attack include requests for personal information, misspellings, lack of proper greetings, unofficial email addresses, unfamiliar web pages, and deceptive hyperlinks.

Unsolicited emails sent in large quantities for promotional purposes are known as spam. On the other hand, phishing emails are tailored to deceive the recipient into disclosing confidential information.

Phishing is considered a criminal act in several jurisdictions because it involves fraudulent activities and the theft of personal information.

Opening a phishing link could redirect you to a counterfeit website that resembles a genuine one. After you enter your information, the attackers can retrieve it and exploit it for malicious intent.

Phishing can target anyone, although some groups may be more susceptible, such as the elderly or those not proficient with technology. People who handle sensitive information as part of their job, like those in finance or healthcare, may also be more vulnerable to phishing attacks.

It is advised to delete phishing emails without responding to them since this can prevent additional attacks and safeguard your sensitive information.

Phishing is not a virus but can serve as a channel for distributing viruses or malware.

The duration for which phishing links remain active varies and can range from a few hours to several weeks, based on the attacker’s objectives and the success of the phishing attack.

Blocking or flagging suspicious emails as spam can be a useful precautionary measure to prevent further phishing attempts. This feature is commonly available in email services, and Topsec, an internet security provider, also offers such an option to its users.

Suspicious emails often contain urgent demands for personal information, misspellings or grammatical errors, and unfamiliar sender addresses or domains. Emails that appear to come from a reputable organisation but contain unexpected links or attachments should also be treated as suspicious.
