What is Phishing?
Phishing is one of the most common cyberattacks: criminals send fake emails that look like messages from trusted organisations to steal passwords, payment details, or access to systems. For businesses, the human factor is the biggest vulnerability.
How does phishing work?
An attacker sends an email that appears to come from a bank, government agency, colleague, or software vendor. The recipient is asked to click a link, open an attachment, or enter login credentials. Once that happens, the attacker has what they need.
Modern phishing attacks are nearly indistinguishable from legitimate messages. They feature correct logos, professional language, and domain names that closely resemble real addresses (e.g. rnicrosoft.com instead of microsoft.com).
Types of phishing
Phishing (mass)
Large volumes of fake emails sent to random recipients, targeting banking credentials or passwords.
Spear phishing
A targeted attack on a specific person or organisation, with personalised content drawn from public information.
CEO fraud
The attacker impersonates a director or manager and requests an urgent transfer or sensitive data from an employee.
Smishing & vishing
Phishing via SMS (smishing) or phone (vishing). Criminals pose as a bank or government to extract credentials.
Warning signs of phishing
- Unknown or suspicious sender address, despite a familiar display name
- Urgency: "your account will be blocked", "respond within 24 hours"
- Links that don't match when you hover over them
- Requests to enter passwords, PINs, or payment details
- Unexpected attachments with unusual file types (.zip, .exe, .docm)
- Spelling errors or unusual formatting in the email
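The warning signs above can be turned into a simple triage check. The following is an added example, not code from the original page: it scores a message on a lookalike sender domain (the "rn" for "m" trick from the example above), a familiar display name on an unfamiliar address, urgency language, credential requests, link text that does not match the real target, and risky attachment types. The trusted-domain list, keyword patterns and both sample messages are constructed for this example.

```python
import re
from urllib.parse import urlparse
# Constructed data for this added example; HOMOGLYPHS is a small illustrative set, not a complete list.
TRUSTED = {"microsoft.com", "example-bank.com"}
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}
URGENCY = re.compile(r"account will be blocked|within 24 hours|\burgent\b|\bimmediately\b")
CREDENTIALS = re.compile(r"\b(password|pin|payment details|verify your account)\b")
RISKY_EXT = (".zip", ".exe", ".docm")

def lookalike(domain, trusted=TRUSTED):
    """True if domain is untrusted but reads like a trusted one (rnicrosoft.com -> microsoft.com)."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return domain.lower() not in trusted and d in trusted

def host(url):  # hostname of a URL, or of a bare domain used as link text
    return urlparse(url if "://" in url else "https://" + url).hostname

def score_email(msg, trusted=TRUSTED):
    """Apply the warning signs listed above; returns (number of hits, reasons)."""
    reasons = []
    sender = msg["from_addr"].rsplit("@", 1)[-1].lower()
    if lookalike(sender, trusted):
        reasons.append(f"lookalike sender domain: {sender}")
    brands = {t.split(".")[0] for t in trusted}  # "microsoft", "example-bank"
    if sender not in trusted and any(b in msg["from_name"].lower() for b in brands):
        reasons.append("familiar display name on an unfamiliar address")
    body = msg["body"].lower()
    if URGENCY.search(body):
        reasons.append("urgency language")
    if CREDENTIALS.search(body):
        reasons.append("asks for credentials or payment details")
    for text, href in msg["links"]:  # link text vs. real target, as seen when hovering
        if host(text) and host(href) and host(text) != host(href):
            reasons.append(f"link text {host(text)} points to {host(href)}")
    for name in msg["attachments"]:
        if name.lower().endswith(RISKY_EXT):
            reasons.append(f"risky attachment: {name}")
    return len(reasons), reasons

# Constructed sample messages (not real mail).
PHISH = {"from_name": "Microsoft Account Team", "from_addr": "security@rnicrosoft.com",
         "body": "Your account will be blocked. Verify your account within 24 hours by "
                 "entering your password at the link below.",
         "links": [("https://login.microsoft.com", "https://rnicrosoft.com/login")],
         "attachments": ["invoice.docm"]}
LEGIT = {"from_name": "Microsoft Account Team", "from_addr": "noreply@microsoft.com",
         "body": "Your monthly statement is ready. No action is required.",
         "links": [("https://account.microsoft.com", "https://account.microsoft.com")],
         "attachments": ["statement.pdf"]}
```

`score_email(PHISH)` returns six hits with their reasons, while `score_email(LEGIT)` returns none; a real mail gateway would combine such heuristics with SPF, DKIM and DMARC results rather than rely on them alone.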
Consequences of phishing for businesses
A single successful phishing attack can lead to a data breach, ransomware infection, financial fraud, or prolonged system outages. For an SME, the average damage per incident can run into tens of thousands of euros, excluding reputational harm and regulatory fines.
Research indicates that 91% of all cyberattacks begin with a phishing email. Technical security measures filter out many messages, but the human factor remains the greatest vulnerability.
How to protect your organisation
Technical measures such as spam filters, MFA, and email authentication (SPF, DKIM, DMARC) are essential but not sufficient on their own. The strongest defence is a resilient employee who recognises phishing before clicking.
The most effective way to achieve this is a phishing simulation: a controlled, realistic fake attack on your own organisation. Employees learn by experience, not from a policy document.