What is Phishing?
Phishing is a social-engineering attack that tricks a person into handing over passwords, transferring money, or installing malware by pretending to be someone or something they trust — most often through a deceptive email designed to look completely legitimate.
What does it mean?
Most security controls defend the technology. Phishing sidesteps all of them by attacking the human — and humans are far easier to exploit than a well-patched server. A phishing message impersonates a trusted source: your bank, your IT department, a vendor, a colleague, a familiar login page. It manufactures a reason to act quickly — your account will be suspended, an invoice is overdue, the CEO needs this wire sent before a meeting — and it steers you toward a single damaging action: clicking a malicious link, entering credentials into a fake page, opening a poisoned attachment, or approving a payment.
It works because it weaponizes ordinary human instincts — trust in authority, fear of consequences, the urge to be helpful, and the pressure of a deadline. No amount of encryption helps if an employee voluntarily types their password into an attacker's lookalike site. That is why phishing remains, year after year, the single most common entry point for real-world breaches.
Where the term came from
The word dates to the mid-1990s, when attackers on America Online tricked users into surrendering account passwords. It is a play on "fishing" — you dangle bait and wait for someone to bite — with the "ph" spelling borrowed from "phreaking," the older subculture of phone-system hacking. What began as crude password theft has since professionalized into a major criminal industry, complete with off-the-shelf phishing kits, services that host convincing fake login pages, and operations that net billions of dollars a year.
Along the way the vocabulary branched. Spear phishing is a targeted attack tailored to a specific person using real details about them. Whaling targets executives and finance staff, often to authorize fraudulent wire transfers. Smishing arrives by text message and vishing by voice call. The common thread is unchanged: deceive a person into doing the attacker's work for them.
How it works
A typical credential-phishing attack runs in stages. The attacker registers a lookalike domain and clones a real login page. They send an email that spoofs a trusted sender and creates urgency. The victim clicks, lands on the fake page, and enters their username and password — which flow straight to the attacker. From there the attacker logs into the real account and pursues their goal, whether that is stealing data, sending more phishing from a now-trusted internal address, or moving laterally deeper into the organization.
Crucially, phishing is usually the beginning of an intrusion, not the end. In the MITRE ATT&CK framework, phishing is an "Initial Access" technique — the front door — after which the attacker pivots to credential theft, privilege escalation, and lateral movement. Modern attackers also defeat weaker multi-factor authentication using real-time proxy kits that relay the victim's second factor on the fly, which is why phishing-resistant factors built on FIDO2 matter so much.
When it matters
Phishing matters for every organization with employees and email — which is all of them. Because it targets people rather than systems, it cannot be fully solved by buying a product; it requires layered defenses. Technical controls help: email authentication standards (SPF, DKIM, DMARC) make spoofing harder, filtering catches known-bad messages, and phishing-resistant MFA limits the damage when a credential is stolen anyway. But the human layer is decisive, which is why mature programs run ongoing awareness training and, critically, simulated phishing campaigns that measure how staff actually respond instead of assuming they will spot the fake. This expectation shows up directly in SOC 2 and other frameworks, and it pairs naturally with a zero trust posture that assumes any single credential can be compromised.
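As an added illustration (not code from this page or from QUANT LAB), a Python check that reads a domain's SPF and DMARC TXT records and flags the settings that leave it easy to spoof. The domain names and records are constructed samples; a real deployment would fetch the TXT record for the domain (SPF) and for `_dmarc.<domain>` (DMARC) via DNS.

```python
import re
from typing import Dict, List

# Constructed sample TXT records for two made-up domains (not real lookups).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@hardened.example",
    },
}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_spoofing_exposure(spf: str, dmarc: str) -> List[str]:
    """Return findings that make it easier for a phisher to spoof this domain."""
    findings = []
    # SPF: the qualifier on the 'all' mechanism decides the fate of unlisted senders.
    spf_all = re.search(r"(?:^|\s)([+\-~?]?)all\b", spf)
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record; any host can send as this domain")
    elif spf_all is None or spf_all.group(1) in ("+", ""):
        findings.append("SPF: '+all'/missing 'all' permits every sender")
    elif spf_all.group(1) in ("~", "?"):
        findings.append("SPF: soft-fail/neutral 'all' only marks, does not reject")
    # DMARC: 'p' tells receivers what to do when SPF/DKIM alignment fails.
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no record; receivers get no policy for failures")
    else:
        if tags.get("p", "none") == "none":
            findings.append("DMARC: p=none means spoofed mail is still delivered")
        if tags.get("p") != "none" and tags.get("sp", tags.get("p")) == "none":
            findings.append("DMARC: sp=none leaves subdomains spoofable")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so spoofing attempts go unreported")
    return findings
```

Run against the two samples, the weak domain yields an SPF and a DMARC finding and the hardened domain yields none; DKIM signing itself is verified per message and is not visible in these two records.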
At QUANT LAB
Telling people "do not click suspicious links" changes almost nothing; showing a company exactly who clicked, and what an attacker could have done next, changes a great deal. As part of a penetration test or a red team engagement, we run controlled, authorized phishing simulations that mirror how real attackers operate — then, crucially, we model what happens after the click: whether a captured credential gets us into your real systems, whether your MFA holds, and how far an attacker could move from that initial foothold. We map the whole chain to MITRE ATT&CK, so you see phishing not as an isolated "gotcha" but as the first link in an attack path you can actually break. For the broader buyer's view of how this fits into a security program, read our founder's pentest guide.
Long-form deep-dives that use this term
What Is Penetration Testing? A Founder's Buyer Guide: What a pentest actually is, the five types you can buy, and what a real report looks like.
Best Penetration Testing Companies in Georgia (2026): Georgia-based pentest providers, what they actually deliver, and how to choose.
SOC 2 Pentest Prep Guide (2026): Pre-audit pentesting that maps cleanly to SOC 2 CC controls.
Want to know who clicks — and what happens next?
We run authorized phishing simulations and model the full attack path that follows a captured credential. Book a 30-minute call.