What Is Phishing? Types, Examples, and How to Stop It
Phishing is the most common entry point for cyberattacks. Learn how it works, the main types, red flags to watch for, and how to protect your team.
What is phishing and why do smart employees still fall for it?
Phishing is the most common entry point for cyberattacks. It does not exploit software; it exploits people. Understanding how it works is the first step to stopping it.
What is phishing?
Phishing is a social engineering attack in which an attacker impersonates a trusted source, such as a bank, a colleague, a delivery company, or a software vendor, to trick someone into clicking a link, opening an attachment, or handing over credentials.
The name comes from "fishing": cast enough convincing bait and someone will eventually bite. Unlike malware that exploits software vulnerabilities, phishing exploits human psychology: urgency, authority, fear, and trust.
The scale of the problem is well documented. The Verizon 2025 Data Breach Investigations Report found that 60% of breaches involved the human element, that phishing was the initial access vector in 16% of breaches, and that stolen credentials, often harvested through phishing, were the most common initial access vector of all at 22%.
How a phishing attack unfolds
1. The attacker picks a target
Either broad (mass email blasts) or targeted (a specific employee at a specific company, called spear phishing). Targeted attacks use information from LinkedIn, company websites, or previous breaches to appear credible.
2. A convincing message is crafted
The email, SMS, or message impersonates a trusted entity. It typically creates urgency ("Your account will be suspended"), authority ("This is your IT department"), or curiosity ("You have a pending payment").
3. The victim takes the bait
Clicking a link leads to a fake login page that harvests credentials. Opening an attachment may install malware. Either way, the attacker now has a foothold.
4. The damage spreads
Stolen credentials are used to access corporate systems, email accounts, or financial platforms. From one click, attackers can move laterally across an entire organization.
Common types of phishing
Phishing (email). Mass emails mimicking banks, SaaS platforms, or internal IT teams. The most common form.
Spear phishing. A highly targeted attack using personal details to appear credible, often aimed at executives or finance teams.
Smishing. Phishing via text message. Common lures include fake parcel tracking, bank alerts, and government messages.
Vishing. Voice phishing: attackers call posing as IT support, banks, or authorities to extract information or access.
Whaling. Spear phishing aimed specifically at C-level executives. High effort, high reward for attackers.
Business Email Compromise (BEC). Impersonating a CEO, CFO, or supplier to authorize fraudulent payments. FBI reporting puts the median loss from a single BEC incident at around $50,000.
Red flags to teach your employees
Urgency or pressure. "Act immediately or your account will be closed." Legitimate services rarely demand instant action.
Mismatched sender address. The display name says "Microsoft" but the actual domain is something like support@micro-soft-help.com.
Generic greetings. "Dear Customer" instead of your name is a sign of a mass-blast campaign.
Unexpected attachments or links. Even from known contacts: compromised accounts are often used to spread phishing further.
Requests for credentials or payments. No legitimate IT department or bank will ask for your password via email.
Slightly off branding. Logos that look almost right, unusual fonts, or broken formatting are signs of a spoofed site or email.
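The red flags above can also be checked mechanically as a first pass over messages reported to a security team. The following script is an added illustration, not Nimblr's code: it parses the From header, compares the display name against the sending domain (so a look-alike such as micro-soft-help.com is caught), and looks for urgency phrases, generic greetings, and requests for credentials or payment. The brand-to-domain table, phrase lists and sample messages are all constructed for the example; a real deployment would maintain its own lists, and heuristics like these triage reports rather than replace employee reporting.

```python
"""Heuristic phishing red-flag checker (added illustration, not Nimblr code)."""
from __future__ import annotations

from email.utils import parseaddr

# Phrases that create artificial urgency (sample list, constructed for the example).
URGENCY_PHRASES = (
    "act immediately", "will be suspended", "will be closed",
    "within 24 hours", "verify now", "final notice",
)
# Greetings typical of mass-blast campaigns.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear valued member")
# Requests no legitimate IT department or bank makes by email.
CREDENTIAL_REQUESTS = (
    "confirm your password", "enter your password", "send your password",
    "update your payment details", "verify your account",
)
# Brands commonly imitated in the display name, mapped to the domains they really
# send from. Illustrative table assumed for this example only.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "paypal": {"paypal.com"},
    "dhl": {"dhl.com"},
}


def sender_parts(from_header: str) -> tuple[str, str]:
    """Return (display_name, domain) from a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def is_brand_domain(domain: str, legit: set[str]) -> bool:
    """True if domain is one of the brand's domains or a subdomain of one.
    A look-alike such as micro-soft-help.com or microsoft.com.evil.example
    does not match, because neither equals nor ends with '.microsoft.com'."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def red_flags(from_header: str, subject: str, body: str) -> list[str]:
    """Return the list of red flags found in one message (empty if none)."""
    flags: list[str] = []
    name, domain = sender_parts(from_header)
    text = f"{subject}\n{body}".lower()

    # Mismatched sender: brand in the display name, but a domain the brand does not use.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and not is_brand_domain(domain, legit):
            flags.append(f"display name claims {brand!r} but domain is {domain!r}")

    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency or pressure")

    # Generic greeting: check only the first non-empty line of the body.
    first_line = body.strip().splitlines()[0].lower() if body.strip() else ""
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting")

    if any(p in text for p in CREDENTIAL_REQUESTS):
        flags.append("request for credentials or payment")
    return flags


# Constructed sample messages for the demonstration (not real phishing samples).
SAMPLES = {
    "lookalike": (
        "Microsoft Support <support@micro-soft-help.com>",
        "Your account will be suspended",
        "Dear Customer,\nVerify your account within 24 hours or it will be closed.\n",
    ),
    "legit": (
        "Microsoft account team <noreply@microsoft.com>",
        "Your monthly activity summary",
        "Hi Alex,\nHere is your summary for March.\n",
    ),
}

if __name__ == "__main__":
    for label, (frm, subj, body) in SAMPLES.items():
        print(label, "->", red_flags(frm, subj, body) or ["no flags"])
```

Run as a script it prints four flags for the look-alike sample and none for the legitimate one. The domain check deliberately compares the whole registrable domain rather than searching for the brand name as a substring: "microsoft" appears inside micro-soft-help.com only after the hyphens are removed, and would appear verbatim in microsoft.com.evil.example, so substring matching would pass exactly the cases the red flag is meant to catch.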
How Nimblr helps
Research consistently shows that knowledge alone does not change behavior. Nimblr's phishing simulations send realistic, behavior-based phishing and smishing tests to your employees in real working conditions. When someone clicks, they get an immediate, non-judgmental teachable moment, backed up by Micro Training that reinforces the lesson. Over time, the click rate drops and stays down.
Book a demo to see it in action.
FAQ: Phishing
What is the difference between phishing and spear phishing?
Phishing is typically a broad, untargeted attack sent to large numbers of people. Spear phishing is highly targeted: the attacker researches a specific individual or organization and crafts a message designed to fool that particular person. Spear phishing has a much higher success rate.
Can phishing happen over SMS or phone calls?
Yes. SMS phishing is called smishing, and phone-based phishing is called vishing. Both are increasingly common, particularly smishing, which has grown sharply as more work moves to mobile devices. Nimblr's platform includes smishing simulations for exactly this reason.
Why do employees fall for phishing even with training?
Because phishing is designed to exploit psychology, not ignorance. Attackers use cognitive biases such as urgency, authority, and social proof that affect everyone regardless of technical knowledge. One-off training is not enough; repeated, realistic simulations are far more effective at building lasting resistance.
What should an employee do if they suspect a phishing email?
Don't click any links or open attachments. Report it to your IT or security team through your organization's designated channel. If you accidentally clicked, report it immediately: fast response can limit the damage significantly.
How common is phishing as an attack vector?
According to the Verizon 2025 Data Breach Investigations Report, phishing was the initial access vector in 16% of breaches, and the human element was involved in 60% of all breaches analyzed.
