Cybersecurity Terms

Phishing

Phishing is a social engineering attack where adversaries impersonate trusted entities through email, text messages, phone calls, or fake websites to trick people into revealing sensitive information, clicking malicious links, or transferring money. It remains the most common initial attack vector for data breaches, bypassing technical security controls by targeting human judgment instead.

What is phishing?

Phishing is the art of impersonation at scale. Attackers craft messages that appear to come from trusted sources (your bank, your CEO, a SaaS vendor, a shipping company) and trick recipients into taking actions that compromise security: clicking a link to a credential-harvesting site, opening a malware-laden attachment, or wiring money to a fraudulent account.

Phishing comes in several forms:

  • Email phishing. Mass campaigns sent to large numbers of recipients, often mimicking well-known brands. Low sophistication, high volume. According to Keepnet, an estimated 3.4 billion phishing emails are sent globally every day.
  • Spear phishing. Targeted attacks aimed at specific individuals or organizations using personalized information (the recipient's name, role, current projects, colleagues). Far more convincing and effective than generic campaigns.
  • Business email compromise (BEC). A specialized form of spear phishing where attackers impersonate executives, vendors, or partners to authorize fraudulent wire transfers or data sharing. BEC was responsible for $2.77 billion in reported losses in the U.S. in 2024.
  • Smishing and vishing. Phishing via SMS (smishing) or voice calls (vishing), often used to bypass email security controls.

Why phishing matters for startups

Phishing doesn't care how good your code is. You can have perfect SAST scans, airtight CSPM configurations, and zero vulnerabilities in your application. One employee clicking a convincing phishing link can bypass all of it.

Here's the landscape:

  1. It's the most common attack vector. Phishing is consistently identified as the leading initial access method in data breaches.
  2. Small teams are high-value targets. At a startup, one person often has access to code repositories, cloud infrastructure, financial accounts, and customer data. Compromising that single individual through spear phishing gives an attacker broad access without needing to exploit a single technical vulnerability.
  3. AI is making phishing better. AI-generated phishing emails are harder to distinguish from legitimate communication. Keepnet cites reports of a 400% rise in successful phishing scams attributed to AI tools. The grammatical errors and awkward phrasing that once marked phishing emails are disappearing.
  4. 60% of small businesses don't survive. The National Cybersecurity Alliance reports that 60% of small businesses that experience a serious cyber incident close within six months. Phishing is the most common way that incident starts.

Defending against phishing

Phishing defense requires layers because no single control is sufficient:

  • Email filtering and link scanning. Cloud email providers (Google Workspace, Microsoft 365) include built-in phishing detection. Supplement with dedicated email security tools for higher-risk environments.
  • Multi-factor authentication (MFA). Even if credentials are phished, MFA prevents attackers from using them. Phishing-resistant MFA (hardware security keys, passkeys) is the strongest option.
  • Security awareness training. Regular, realistic phishing simulations help employees recognize and report suspicious messages. Focus on building reporting culture, not blame.
  • Domain protections. Implement DMARC, DKIM, and SPF to prevent attackers from spoofing your domain to target your customers and partners.
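As an added example (not part of the original article), the following Python script audits the SPF and DMARC records a domain publishes and reports the settings that leave the domain open to spoofing. The TXT records are constructed sample values embedded inline rather than live DNS lookups; DKIM is not checked here because a DKIM record can only be fetched if the selector name is known.

```python
import re

# Constructed sample TXT records (not real DNS lookups): what a domain owner
# might find published at example.com and _dmarc.example.com.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into mechanisms and report the 'all' qualifier."""
    if not record.lower().startswith("v=spf1"):
        return {"valid": False}
    terms = record.split()[1:]
    all_q = None
    for t in terms:
        m = re.fullmatch(r"([+\-~?]?)all", t, re.IGNORECASE)
        if m:
            all_q = m.group(1) or "+"  # a bare "all" means "+all"
    return {"valid": True, "terms": terms, "all": all_q}

def parse_dmarc(record: str) -> dict:
    """Parse the 'tag=value;' pairs of a DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def audit_domain(records: dict, domain: str) -> list:
    """Return findings describing how easily mail from this domain can be spoofed."""
    findings = []
    spf = parse_spf(records.get(domain, ""))
    if not spf["valid"]:
        findings.append("no SPF record: any host can claim to send for this domain")
    elif spf["all"] in (None, "+", "?"):
        findings.append(f"SPF 'all' qualifier {spf['all']!r} does not reject unauthorized senders")
    elif spf["all"] == "~":
        findings.append("SPF ends in ~all (softfail); receivers may still deliver spoofed mail")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, ""))
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("no DMARC record: SPF/DKIM results are not enforced")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address, so aggregate reports are not collected")
    return findings

if __name__ == "__main__":
    for f in audit_domain(SAMPLE_RECORDS, "example.com"):
        print("-", f)
```

Moving the sample domain to `-all` and `p=reject` makes the audit come back empty, which is the target state for a domain that should not be spoofable.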

Frequently asked questions

What's the difference between phishing and spear phishing?

Phishing is a broad term for social engineering attacks that impersonate trusted entities. Standard phishing campaigns are generic and sent to large numbers of people (like a mass email pretending to be from a shipping company). Spear phishing is a targeted variant where the attacker researches and personalizes the attack for a specific individual or organization, using details like the target's name, job title, current projects, or colleagues' names to make the message more convincing. Spear phishing has a much higher success rate because the personalization makes it harder to identify as fraudulent.


Can phishing bypass multi-factor authentication?

Standard MFA (SMS codes, authenticator apps) significantly reduces phishing risk but isn't immune to it. Advanced phishing techniques like adversary-in-the-middle (AitM) attacks can intercept MFA codes in real time by proxying the authentication session between the victim and the legitimate service. Phishing-resistant MFA methods, specifically hardware security keys (like YubiKeys) and passkeys, are designed to prevent this because they cryptographically bind authentication to the legitimate domain. If your team handles sensitive data or high-value accounts, phishing-resistant MFA is worth the investment.
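To show what "binding authentication to the legitimate domain" means in practice, here is an added Python example (not code from the original article) of the origin and RP ID checks a WebAuthn relying party performs on a passkey or security-key assertion. The browser fills in the `origin` of the page that invoked the authenticator and the authenticator signs over a hash of that data, so an assertion collected on a proxy's lookalike origin fails verification at the real site. The RP ID `example.com`, the expected origin, and the sample inputs are assumptions constructed for the example; the signature check over `authenticatorData || SHA-256(clientDataJSON)` that follows these steps is omitted.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # the only origin allowed to assert for it

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_client_data(client_data_b64: str, expected_challenge: bytes) -> tuple:
    """Check the browser-supplied clientDataJSON: ceremony type, challenge, origin."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Constant-time compare so the check leaks nothing about the expected challenge.
    if not hmac.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    return True, "ok"

def verify_rp_id_hash(authenticator_data: bytes) -> bool:
    """The first 32 bytes of authenticatorData must equal SHA-256 of the RP ID."""
    expected = hashlib.sha256(RP_ID.encode()).digest()
    return hmac.compare_digest(authenticator_data[:32], expected)

def make_client_data(origin: str, challenge: bytes) -> str:
    # Constructed test input: the clientDataJSON a browser would produce on `origin`.
    body = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(body).encode())

def build_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    # Constructed sample: rpIdHash(32) || flags(1, user-present bit) || signCount(4)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")

if __name__ == "__main__":
    challenge = b"\x01" * 32  # a server-generated random nonce in real use
    print(verify_client_data(make_client_data("https://example.com", challenge), challenge))
    print(verify_client_data(make_client_data("https://example.com.login-proxy.test", challenge), challenge))
```

The second call in `__main__` is the AitM case: the data is well-formed and carries the right challenge, yet the origin check alone rejects it.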


How should a startup respond if an employee falls for a phishing attack?

First, contain: immediately reset the compromised account's credentials, revoke active sessions, and check for unauthorized access or changes (email forwarding rules, new OAuth app authorizations, unfamiliar devices). Second, investigate: review authentication logs to determine what the attacker accessed, check for lateral movement to other accounts or systems, and assess whether sensitive data was exposed. Third, notify: follow your incident response plan and any applicable breach notification requirements. Finally, learn: use the incident to improve defenses (was MFA enabled? Could email filtering have caught it?) without blaming the employee. Build a culture where reporting phishing attempts quickly is rewarded.
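The "contain" and "investigate" steps above come down to reading the account's audit trail around the time of the click. As an added example (not from the original article), this Python script runs that triage over a handful of constructed audit events in a vendor-neutral JSON-lines shape, not the log format of any real provider: it learns which devices the user used before the suspected compromise time, then lists logins from other devices and the persistence-style changes (forwarding rules, OAuth grants, new MFA methods) that need to be reverted.

```python
import json
from datetime import datetime

# Constructed sample audit events (documentation IP ranges and a .test domain).
SAMPLE_LOG = """
{"ts": "2024-05-01T08:55:00Z", "user": "dana@example.com", "event": "login", "ip": "203.0.113.10", "device": "dana-laptop"}
{"ts": "2024-05-01T09:02:00Z", "user": "dana@example.com", "event": "login", "ip": "198.51.100.7", "device": "unknown"}
{"ts": "2024-05-01T09:04:00Z", "user": "dana@example.com", "event": "mailbox_rule_created", "rule": "forward *invoice* to ext-mail.test"}
{"ts": "2024-05-01T09:06:00Z", "user": "dana@example.com", "event": "oauth_consent", "app": "Mail Sync Helper", "scopes": "mail.readwrite"}
{"ts": "2024-05-01T09:10:00Z", "user": "lee@example.com", "event": "login", "ip": "203.0.113.11", "device": "lee-laptop"}
"""

# Event types that give an attacker a foothold that survives a password reset.
PERSISTENCE_EVENTS = {"mailbox_rule_created", "oauth_consent", "mfa_method_added"}

def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def triage(events: list, user: str, phished_at: str) -> dict:
    """Summarize what happened on `user`'s account from `phished_at` onward.

    known_devices: devices seen on successful logins before the compromise time
    new_logins:    logins after it from devices not in that set
    changes:       persistence-style changes after it, to revoke during containment
    """
    t0 = _ts(phished_at)
    known_devices, new_logins, changes = set(), [], []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["user"] != user:
            continue
        ts = _ts(e["ts"])
        if e["event"] == "login":
            if ts < t0:
                known_devices.add(e["device"])
            elif e["device"] not in known_devices:
                new_logins.append({"ts": e["ts"], "ip": e["ip"], "device": e["device"]})
        elif ts >= t0 and e["event"] in PERSISTENCE_EVENTS:
            changes.append(e)
    return {"known_devices": sorted(known_devices), "new_logins": new_logins, "changes": changes}

if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG), "dana@example.com", "2024-05-01T09:00:00Z")
    print(json.dumps(report, indent=2))
```

Every item in `changes` is something to undo alongside the credential reset and session revocation, since an attacker who keeps a forwarding rule or an OAuth grant keeps reading the mailbox after the password changes.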

