Phishing

Hardly any form of attack hits companies as regularly as phishing. Every day, forged invoices, alleged parcel notifications, and supposed login prompts land in business mailboxes. A single careless click can be enough to hand attackers credentials or to bring malware into the network.

For those responsible for IT, phishing is therefore far more than an annoyance in the inbox. It is one of the most common entry points into corporate networks and stands at the beginning of many ransomware incidents. Campaigns have long been directed against companies of every size, from the trades business to the corporation. Anyone who understands the mechanics of these attacks and combines several layers of protection noticeably lowers the risk of serious security incidents.

What is phishing?

Phishing refers to fraud attempts in which attackers pose as trustworthy senders in order to move recipients to a harmful action: entering credentials on a forged page, opening an infected attachment, or approving a payment. The term derives from the English word for angling. The perpetrators cast out bait and wait to see who bites.

Classic phishing takes place as a mass mailing by email. Alongside it, more targeted variants have become established. In spear phishing, attackers research their victims in advance and formulate personally tailored messages, for example to employees in accounting or to administrators. Smishing shifts the attack into SMS and messenger services, often disguised as a parcel or bank notification. In business email compromise, perpetrators pose as executive management, a supplier, or a business partner and prompt transfers or change stored bank details, often entirely without malware.

What all variants have in common is the goal of exploiting human trust. Technical vulnerabilities play a role only secondarily. That is exactly what makes phishing so persistent: it works wherever people communicate and make decisions under time pressure.

How such an attack works

Most attacks follow a recurring pattern:

  • Preparation: Attackers collect addresses and background knowledge from public sources, such as company websites, social networks, or previous data leaks. In targeted attacks, this creates a precise picture of roles, projects, and internal procedures.
  • Bait: A message imitates a known sender and creates pressure to act, for example through a supposedly blocked mailbox or an open invoice with a tight deadline. Sender address, logo, and tone seem deceptively genuine.
  • Click: The link leads to a rebuilt login page, or the attachment contains malicious code. Entered credentials land directly with the attackers. Modern attack tools additionally intercept session cookies and thereby also bypass some multi-factor methods.
  • Takeover: With the captured data, the perpetrators log in, read along in mailboxes, set up inconspicuous forwarding rules, and gain access to further systems.
  • Spread and monetization: From the compromised account follow attacks on colleagues and business partners, the theft of confidential data, or the preparation of a ransomware attack.

Why this matters

  • Gateway for ransomware: many encryption attacks begin with a single convincing email. The follow-up costs of an incident considerably exceed the effort for prevention.
  • Direct financial damage: business email compromise leads to real transfers to perpetrator accounts. A recovery rarely succeeds, especially with foreign transfers.
  • Stolen identities have a long aftereffect: compromised accounts are used for follow-up attacks over weeks, often without anyone noticing.
  • Technology alone rarely suffices: filters detect many attacks, but well-made individual attacks still get through. The human factor remains part of the defense.
  • The quality of the attacks is rising: tools based on artificial intelligence generate error-free, linguistically convincing messages in every language. The formerly reliable identifying feature of clumsy wording is thus increasingly disappearing.
  • Reporting duties and reputation: successful attacks can trigger reports under the GDPR and permanently damage the trust of customers and partners.

Typical scenarios

  • Forged login page: an email prompts a renewed login to the cloud mailbox. The linked page is a visually identical copy that captures credentials.
  • CEO fraud: the supposed executive management asks by email for an urgent, confidential transfer. The tone is insistent, follow-up questions are blocked.
  • Supplier trick: a known supplier apparently reports a new bank connection. The next regular payment goes to the perpetrators.
  • Application with attachment: a supposed job application contains a prepared document that installs a backdoor on the computer when opened.
  • Parcel SMS: a text message reports a held-up parcel and leads to a page that asks for personal data or pushes the installation of an app.

Phishing vs. social engineering

Phishing is the best-known manifestation of social engineering, that is, the targeted manipulation of people into security-critical actions. Social engineering additionally encompasses phone calls with invented stories (vishing), gaining entry to buildings, or prepared USB sticks. The difference lies in the channel, the principle stays the same: exploited are trust, helpfulness, and time pressure.

Effective defense therefore addresses both. Technical controls reduce the number of baits that reach employees at all. Trained teams recognize and report the attempts that nevertheless make it through the filters. Clear processes, such as the four-eyes principle for payment approvals and master data changes, deprive even successful deceptions of their effect. Regular short exercises with realistic examples work better here, in experience, than rare mandatory training.

Protection with KAEMI

The delivery of phishing messages can never be entirely prevented, the resulting damage very much so. With SASE/SSE , a secure web gateway blocks access to known phishing pages, and ZTNA ensures that stolen credentials alone do not yet open access to internal applications. If a compromise nevertheless occurs, microsegmentation limits the spread in the network to a few systems. We are happy to develop with you a staggered protection that fits your organization: Contact .

Frequently asked questions about Phishing

How do I recognize a phishing email?

Watch for created time pressure, unexpected payment or login prompts, deviating sender addresses, and links whose actual destination differs from the displayed text. Error-free, professionally designed emails can be forged too. When in doubt: do not reply to the message, do not click any link, and verify the supposed sender via a known, separate channel, for example by phone.

What should we do after clicking on a phishing link?

Report the incident to IT immediately, even on mere suspicion. Change affected passwords from a clean device and have active sessions and app authorizations terminated. IT checks mailbox rules, login logs, and the affected device. An open reporting culture without assigning blame ensures that such incidents are reported early and the damage stays small.

Is a spam filter enough as protection against phishing?

A filter is necessary, but on its own insufficient. Well-made individual attacks, compromised genuine sender accounts, and links that are activated only after delivery repeatedly overcome filters. More effective is an interplay of email filter, web filter at the network level, multi-factor authentication, clear approval processes for payments, and regular training of employees.

What distinguishes phishing from spear phishing?

Classic phishing is sent en masse and untargeted, the messages stay generic. Spear phishing is directed against selected persons or departments and uses researched details, such as real project names, colleagues, or suppliers. This makes the messages credible and considerably harder to recognize, for filters as for recipients. Executives and accounting are particularly often in the focus.

Does multi-factor authentication reliably protect against phishing?

It raises the hurdle considerably and is part of the basic equipment. Attackers have, however, developed counter-methods, such as the real-time forwarding of codes or the interception of session cookies via rebuilt login pages. Phishing-resistant methods such as hardware-based security keys and additional controls at the network level, for example ZTNA as part of SASE/SSE, largely close this gap.

Open questions about this in your environment? KAEMI advises you in line with your requirements and can also take over operations.