Hard2bit

Phishing

What is phishing

Phishing is a targeted social engineering attack that uses deceptive emails, text messages, or websites to trick recipients into divulging credentials, downloading malware, or transferring money. Mass phishing campaigns target large populations with generic lures, while spear-phishing targets specific individuals with researched details. Whaling targets executives. Phishing remains the primary attack vector for initial access, credential theft, and malware delivery in enterprise breaches.

Why it matters

Phishing is the entry point for 80% of enterprise incidents. Unlike technical vulnerabilities, phishing exploits human psychology; it can slip past even sophisticated email filters, and once credentials are harvested it can defeat multi-factor authentication as well. For CISOs, effective phishing defense requires a layered approach: email security (sandboxing, URL filtering, DMARC/SPF/DKIM), user training and testing, incident response procedures for compromised credentials, and threat intelligence to recognize emerging tactics. Attackers continuously evolve phishing techniques—using lookalike domains, brand spoofing, QR codes, and credential harvesting pages. A single successful phishing email can compromise a company's entire security posture. Investment in detection, response speed, and user awareness directly impacts breach prevention.

Key points

  • Mass phishing uses generic messaging and common lures (password reset, account verification, urgent action required) to maximize response rates across large recipient lists
  • Spear-phishing researches specific targets using LinkedIn, company websites, and OSINT to create personalized, highly credible attacks with 30-40% click rates
  • Email authentication standards (DMARC, SPF, DKIM) prevent domain spoofing but don't prevent lookalike domains or compromised legitimate email accounts
  • Credential harvesting pages clone legitimate login interfaces to steal usernames and passwords; stolen credentials bypass weak MFA implementations
  • Phishing emails often contain malicious attachments (Office documents with macros, PDFs with embedded scripts, ZIP files with executables) that trigger malware installation
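The DMARC point above is a configuration point: a domain that publishes `p=none` only receives reports about spoofing and blocks nothing, so "we have DMARC" can mean very little. The script below is an added example, not code from the original page; it parses a DMARC TXT record and lists every setting that weakens enforcement, with a weak record beside a fully enforcing one. Both records are constructed samples (not fetched from DNS) and `example.com` and the report address in them are placeholders.

```python
"""Grade a DMARC TXT record: which settings leave spoofing unblocked?"""
from __future__ import annotations

# Constructed sample records (not fetched from DNS); example.com is a placeholder.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
    "rua=mailto:dmarc-reports@example.com"
)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # skips empty trailing segments and malformed pieces
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> list[str]:
    """Return findings that weaken the record; an empty list means strict enforcement."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record"]

    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam folders instead of being rejected")
    elif policy != "reject":
        findings.append("p= tag missing or invalid; receivers will ignore the record")

    # sp= governs subdomains and defaults to p=, so only an explicit weaker value is a finding.
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains can be spoofed even though the apex domain is protected")

    # pct= defaults to 100; anything lower applies the policy to only part of the failing mail.
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit():
        findings.append(f"pct={pct_raw}: not a number, receivers may ignore it")
    elif int(pct_raw) < 100:
        findings.append(f"pct={pct_raw}: policy applied to only {pct_raw}% of failing messages")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so abuse stays invisible")

    # Relaxed alignment (the default) accepts any subdomain in the authenticated identifier.
    for tag, name in (("adkim", "DKIM"), ("aspf", "SPF")):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag}=r: relaxed {name} alignment accepts any subdomain")

    return findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(f"{label}: {rec}")
        for finding in evaluate_dmarc(rec) or ["no findings"]:
            print("  -", finding)
```

Relaxed alignment is listed as a finding only because the function's contract is "empty list means nothing is left to tighten"; for many organisations `adkim=r`/`aspf=r` is an acceptable operational choice. The record check says nothing about lookalike domains: an attacker who registers their own domain can publish a perfectly strict DMARC record for it.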

Spear-phishing incident chain

An attacker researches the organization of a financial services firm and discovers that Bob is a junior analyst who regularly sends spreadsheets to his manager. The attacker registers finance-report2026.com (similar to the legitimate finance-reports.com), crafts an email posing as an executive asking Bob to review a confidential report, and includes a link to the lookalike site. Bob clicks, enters his credentials, and the attacker captures them. Using Bob's account, the attacker accesses shared drives, discovers vendor wire instructions, and initiates fraudulent transfers. Meanwhile, Bob's email account is used in a business email compromise (BEC) attack against the CFO, requesting urgent payment approvals. The company loses 500,000 dollars before detecting the fraud.
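The lure in this chain works because finance-report2026.com reads like finance-reports.com, and a plain edit-distance check would not rate them as close (the digits add four edits). The detector below is an added example and not part of the original page: it extracts the sender domain from a From: header, strips the digit and hyphen padding that cheap lookalike registrations rely on, and then measures edit distance against a watch-list of protected domains. The watch-list, the `example.com` entry and the sample headers are constructed for the example.

```python
"""Flag sender domains that imitate a protected domain, as in the finance-report2026.com lure."""
from __future__ import annotations

# Constructed watch-list: the organisation's own domains and the brands it wants to protect.
PROTECTED_DOMAINS = ["finance-reports.com", "example.com"]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Exec <ceo@finance-report2026.com>'."""
    address = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def normalize(domain: str) -> str:
    """Lowercase and strip digits and hyphens.

    Padding such as '2026' or an extra '-' is the cheapest way to register a fresh
    lookalike, so it is removed before the names are compared."""
    return "".join(ch for ch in domain.lower().rstrip(".") if ch not in "0123456789-")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using a single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_match(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 2):
    """Return (protected_domain, distance) for the closest protected domain within
    max_distance, or None. An exact match is the legitimate domain, not a lookalike."""
    domain = domain.lower().rstrip(".")
    if domain in {p.lower() for p in protected}:
        return None
    candidate = normalize(domain)
    best = None
    for p in protected:
        distance = levenshtein(candidate, normalize(p))
        if distance <= max_distance and (best is None or distance < best[1]):
            best = (p, distance)
    return best


if __name__ == "__main__":
    # Constructed headers: the incident-chain lure, a legitimate sender, and a digit swap.
    for header in ("Exec <ceo@finance-report2026.com>",
                   "Bob <bob@finance-reports.com>",
                   "it@examp1e.com"):
        print(header, "->", lookalike_match(sender_domain(header)))
```

Tune `max_distance` against your own mail flow: the normalisation that catches padded registrations can also pull in an unrelated domain that happens to differ by a character, so a hit is best treated as a triage signal to combine with domain age or first-seen data rather than as a block on its own. Legitimate subdomains and partner domains belong on the exact-match list so they are never scored.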

Common mistakes

  • Relying solely on email filters: sophisticated phishing bypasses most gateway controls through lookalike domains, compromised legitimate accounts, and obfuscated URLs
  • Assuming multi-factor authentication prevents credential theft: users who enter credentials into phishing pages lose their credentials regardless of MFA; attackers then bypass MFA through real-time phishing proxies or credential replay attacks
  • Training without testing: generic annual phishing awareness is ineffective; continuous, role-based simulations with immediate training feedback reduce vulnerability significantly

Frequently asked questions

How can we detect phishing emails when attackers use compromised legitimate accounts?

Email filtering based on sender reputation fails when the sender is a legitimate, compromised account. Defense requires behavioral analysis: monitor for unusual email patterns (timing, language, attachment types, recipient lists), implement DMARC/DKIM/SPF to prevent external domain spoofing, and use threat intelligence to identify lookalike domains. User training to report suspicious emails is critical—many phishing attempts contain subtle red flags (unusual requests, suspicious links) that human judgment can catch. A good email security platform combines sandboxing, URL analysis, and behavioral detection.
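The behavioral analysis this answer calls for can be started from plain outbound mail logs: learn what each account normally does, then flag messages that break the pattern. The script below is an added example, not from the original page, and runs over constructed log lines (timestamp, sender, recipient count, attachment type) in which bob@ models the compromised account from the incident chain and alice@ is a control that stays normal; the domain and names are placeholders. A message is reported when it is sent at an hour the account has never used, to far more recipients than the account's baseline mean, or with an attachment type the account has never sent.

```python
"""Behavioural checks on outbound mail logs to spot a compromised internal account."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed log lines: timestamp, sender, recipient count, attachment type ('none' if no
# attachment). The 03:17 bob@ line models the account after compromise; alice@ stays normal.
SAMPLE_LOG = """\
2026-03-02T09:12:00 bob@finance-reports.com 1 xlsx
2026-03-02T10:40:00 bob@finance-reports.com 2 xlsx
2026-03-03T09:05:00 bob@finance-reports.com 1 xlsx
2026-03-03T14:22:00 bob@finance-reports.com 1 none
2026-03-04T11:30:00 bob@finance-reports.com 2 xlsx
2026-03-02T08:50:00 alice@finance-reports.com 3 pdf
2026-03-03T08:55:00 alice@finance-reports.com 2 pdf
2026-03-05T03:17:00 bob@finance-reports.com 45 html
2026-03-05T08:58:00 alice@finance-reports.com 3 pdf
"""

# Everything before the cutoff is treated as baseline; everything from it onwards is scored.
CUTOFF = datetime(2026, 3, 5)


def parse_log(text: str) -> list[dict]:
    """Turn the whitespace-separated log into records with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, count, attachment = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                        "recipients": int(count), "attachment": attachment})
    return records


def build_baselines(records: list[dict]) -> dict:
    """Per sender: hours of day seen, recipient counts, and attachment types seen."""
    baselines = defaultdict(lambda: {"hours": set(), "counts": [], "types": set()})
    for r in records:
        base = baselines[r["sender"]]
        base["hours"].add(r["ts"].hour)
        base["counts"].append(r["recipients"])
        base["types"].add(r["attachment"])
    return baselines


def find_anomalies(records: list[dict], cutoff: datetime, spike_factor: float = 5.0) -> list[tuple]:
    """Score each message at or after cutoff against its sender's pre-cutoff baseline.

    Returns (timestamp, sender, [reasons]) for every message that breaks the pattern."""
    baselines = build_baselines([r for r in records if r["ts"] < cutoff])
    findings = []
    for r in records:
        if r["ts"] < cutoff:
            continue
        base = baselines.get(r["sender"])
        if base is None:
            findings.append((r["ts"], r["sender"], ["no baseline for sender"]))
            continue
        reasons = []
        if r["ts"].hour not in base["hours"]:
            reasons.append(f"sent at {r['ts'].hour:02d}:00, an hour never seen in baseline")
        avg = mean(base["counts"])
        if r["recipients"] > spike_factor * avg:
            reasons.append(f"{r['recipients']} recipients vs baseline mean {avg:.1f}")
        if r["attachment"] not in base["types"]:
            reasons.append(f"new attachment type '{r['attachment']}'")
        if reasons:
            findings.append((r["ts"], r["sender"], reasons))
    return findings


if __name__ == "__main__":
    for ts, sender, reasons in find_anomalies(parse_log(SAMPLE_LOG), CUTOFF):
        print(f"{ts:%Y-%m-%d %H:%M} {sender}: " + "; ".join(reasons))
```

Five baseline messages per account, as in the sample, is only enough to show the mechanics; a production baseline needs weeks of history per account and a threshold per signal, and the hour-of-day check in particular should be widened to a working-hours window so a single early morning message does not page anyone. The useful property is that none of the checks depend on sender reputation, which is exactly what a compromised legitimate account defeats.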

What is the difference between phishing and spear-phishing?

Phishing is mass email sent to hundreds or thousands of recipients using generic lures and low-effort personalization (e.g., 'Verify your account'). Success rates are typically 5-10%. Spear-phishing is targeted at specific individuals using researched details (names, job titles, recent emails, company events) to create highly credible attacks with 20-40% success rates. Whaling is spear-phishing targeting high-value victims like executives. Spear-phishing is far more dangerous because personalization bypasses skepticism.

Can we eliminate phishing through technology alone?

No. While email security tools (sandboxing, URL filtering, DMARC enforcement) significantly reduce phishing success, they cannot eliminate it entirely. Attackers continuously adapt—using AI to generate convincing text, registering lookalike domains, compromising legitimate accounts, and employing zero-day malware. Effective defense requires a combination: security technology, user training and testing, incident response procedures, threat intelligence, and a culture where users feel safe reporting suspicious emails without fear of punishment.

What should we do immediately after detecting a phishing attack?

1) Preserve the phishing email (headers, full source, attachments) for forensic analysis.
2) Identify and contain compromised accounts—reset passwords, review access logs, check for data exfiltration.
3) Block lookalike domains and malicious URLs enterprise-wide.
4) Alert users and request they report similar emails.
5) Engage threat intelligence to identify the attacker, similar campaigns, and impacted organizations.
6) Review email logs to identify who else may have clicked or replied.

Speed matters—a 1-hour response is far more effective than a 24-hour response.