Mass phishing uses generic messaging and common lures (password reset, account verification, urgent action required) to maximise response rates across large recipient lists.
What is phishing
Phishing is a social engineering attack that uses deceptive emails, text messages or websites to trick recipients into divulging credentials, downloading malware or transferring money. Mass phishing campaigns target large populations with generic lures, while spear-phishing targets specific individuals with researched details; whaling is spear-phishing aimed at executives. Phishing remains the primary attack vector for initial access, credential theft and malware delivery in enterprise breaches.
Why it matters
Phishing is consistently one of the most common entry points into enterprise incidents. Unlike technical vulnerabilities, phishing exploits human psychology and can bypass even sophisticated email filters and multi-factor authentication when credentials are harvested through a realistic proxy. For CISOs, effective phishing defense requires a layered approach: email security (sandboxing, URL filtering, DMARC/SPF/DKIM), user training and testing, incident response procedures for compromised credentials, and threat intelligence to recognise emerging tactics. Attackers continuously evolve phishing techniques—lookalike domains, brand spoofing, QR codes and credential harvesting pages. A single successful phishing email can unravel a company's entire security posture; investment in detection, response speed and user awareness directly impacts breach prevention.
Key points
Spear-phishing researches specific targets using professional networks, company websites and OSINT to craft personalised, highly credible attacks with much higher click-through rates than untargeted campaigns.
Email authentication standards (DMARC, SPF, DKIM) prevent domain spoofing but do not stop lookalike domains or compromised legitimate email accounts.
Credential harvesting pages clone legitimate login interfaces to steal usernames and passwords; stolen credentials bypass weak MFA implementations.
Business email compromise (BEC) is one of the most damaging variants: the message comes from a real, hijacked account with no anti-spoofing red flags and typically requests wire transfers, IBAN changes or document access.
Phishing emails often carry malicious attachments (Office files with macros, PDFs with embedded scripts, ZIP files with executables) or QR codes that redirect to credential-harvesting pages on mobile devices.
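To make the second key point concrete, here is an added example (not code from the original page) of a minimal DMARC evaluator. It applies SPF/DKIM alignment to three constructed cases: an exact-domain spoof, a lookalike domain, and a hijacked legitimate account. The domain names, policies and the organizational-domain fold (last two labels, rather than the Public Suffix List) are assumptions made for illustration.

```python
"""
Added example (not from the original page): a minimal DMARC evaluator showing
what SPF/DKIM/DMARC stop and what they do not. All domains, policies and
authentication results below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed DNS: the victim domain publishes p=reject with strict alignment;
# the attacker's lookalike domain publishes its own (permissive) policy.
DMARC_RECORDS: Dict[str, str] = {
    "acme-finance.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "finance-report2026.com": "v=DMARC1; p=none",
}


@dataclass
class AuthResult:
    """Authentication results as a receiving MTA would record them."""
    spf_result: str               # "pass" / "fail" / "none"
    spf_domain: Optional[str]     # envelope (MAIL FROM) domain that was checked
    dkim_result: str              # "pass" / "fail" / "none"
    dkim_domain: Optional[str]    # d= tag of the verified signature


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational-domain fold (assumption: last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(header_from: str, auth: AuthResult) -> Dict[str, str]:
    """DMARC verdict and policy action for the RFC5322.From domain."""
    from_domain = header_from.split("@")[-1].lower()
    record = DMARC_RECORDS.get(from_domain)
    if record is None:
        return {"domain": from_domain, "dmarc": "none", "action": "deliver"}
    tags = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"domain": from_domain, "dmarc": "pass", "action": "deliver"}
    action = {"reject": "reject", "quarantine": "quarantine"}.get(tags["p"], "deliver")
    return {"domain": from_domain, "dmarc": "fail", "action": action}


# Case 1: exact-domain spoof. SPF passes only for the attacker's own sending
# domain and nothing is signed by acme-finance.example, so alignment fails.
SPOOF = evaluate_dmarc("cfo@acme-finance.example",
                       AuthResult("pass", "attacker-mta.example", "none", None))
# Case 2: lookalike domain. The attacker controls it, so SPF and DKIM pass and
# align with the From domain. DMARC is satisfied; nothing here flags the message.
LOOKALIKE = evaluate_dmarc("cfo@finance-report2026.com",
                           AuthResult("pass", "finance-report2026.com", "pass", "finance-report2026.com"))
# Case 3: compromised real account sending through the legitimate MTA.
HIJACKED = evaluate_dmarc("analyst@acme-finance.example",
                          AuthResult("pass", "acme-finance.example", "pass", "acme-finance.example"))

if __name__ == "__main__":
    for name, verdict in [("spoof", SPOOF), ("lookalike", LOOKALIKE), ("hijacked", HIJACKED)]:
        print(f"{name:10s} {verdict}")
```

Only the first case is stopped by the standards; the lookalike and the hijacked account both authenticate cleanly, which is why lookalike-domain monitoring and out-of-band verification of payment requests sit alongside DMARC rather than being replaced by it.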
Spear-phishing incident chain
An attacker researches a financial services firm and identifies a junior analyst who regularly sends spreadsheets to his manager. The attacker registers a lookalike domain (finance-report2026.com) that closely resembles the legitimate supplier's domain, crafts an email posing as an executive asking the analyst to review a confidential report, and includes a link to the cloned site.
The analyst clicks, enters his credentials and the attacker captures them. Using the compromised account, the attacker accesses shared drives, discovers vendor wire instructions and initiates fraudulent transfers. In parallel, the same mailbox is used in a business email compromise (BEC) attack against the CFO requesting urgent payment approvals. The organisation loses a material sum before detecting the fraud—classic impact pattern of a single phished credential propagating across systems of record.
Common mistakes
- Relying solely on email filters: sophisticated phishing bypasses most gateway controls through lookalike domains, compromised legitimate accounts and obfuscated URLs.
- Assuming multi-factor authentication prevents credential theft: AiTM phishing kits now intercept session tokens in real time, so phishing-resistant factors (FIDO2/passkeys) have become the defensive standard.
- Training without testing: generic annual awareness is ineffective; continuous, role-based simulations with immediate feedback meaningfully reduce click-through and improve reporting rates.
- Ignoring internal phishing: when a legitimate account is compromised, emails come from a real domain with no spoofing flags; independent verification for unusual money, IBAN or access requests is essential.
- Punishing employees who fall for a simulation: if the exercise is used to shame, nobody will report the next real attempt; measure awareness and time-to-report, not individual failures.
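The second mistake above is easier to reason about with a model in hand. The following is an added example, not code from the original page, that simulates the part of a WebAuthn login that an adversary-in-the-middle proxy cannot satisfy: the browser writes the origin it is really on into the signed client data, and the relying party compares it with its own. The authenticator here signs with an HMAC over a per-credential secret as a stand-in for the real public-key signature (the cryptography is not WebAuthn's, only the challenge and origin handling is); the origins are constructed, and the lookalike domain is the one from the incident chain above.

```python
"""
Added example (not from the original page): why an origin-bound factor survives
an AiTM proxy. HMAC over a per-credential secret stands in for the real
public-key signature; origins are constructed.
"""
import hashlib
import hmac
import json
import os
import secrets
from typing import Dict, Set

RP_ORIGIN = "https://login.acme-finance.example"        # constructed legitimate origin
PHISH_ORIGIN = "https://login.finance-report2026.com"   # lookalike from the incident chain


class Authenticator:
    """Stand-in for a FIDO2 authenticator holding one secret per credential."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register(self, cred_id: str) -> bytes:
        self._keys[cred_id] = os.urandom(32)
        return self._keys[cred_id]   # a real authenticator returns a public key instead

    def get_assertion(self, cred_id: str, browser_origin: str, challenge: str) -> Dict[str, str]:
        # The browser, not the user or the page, fills in the origin it is really on,
        # and that value is covered by the signature.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        )
        digest = hashlib.sha256(client_data.encode()).digest()
        sig = hmac.new(self._keys[cred_id], digest, hashlib.sha256).hexdigest()
        return {"clientDataJSON": client_data, "signature": sig}


class RelyingParty:
    """The login service: issues challenges and verifies assertions against its own origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._creds: Dict[str, bytes] = {}
        self._pending: Set[str] = set()

    def enroll(self, cred_id: str, key: bytes) -> None:
        self._creds[cred_id] = key

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, cred_id: str, assertion: Dict[str, str]) -> str:
        data = json.loads(assertion["clientDataJSON"])
        if data.get("type") != "webauthn.get" or data.get("challenge") not in self._pending:
            return "reject: unknown or replayed challenge"
        if data.get("origin") != self.origin:
            # The check a relaying proxy cannot pass: the victim's browser was on
            # the proxy's origin, and that origin is what was signed.
            return f"reject: origin mismatch ({data.get('origin')})"
        digest = hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        expected = hmac.new(self._creds[cred_id], digest, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "reject: bad signature"
        self._pending.discard(data["challenge"])
        return "accept"


def login_via(browser_origin: str) -> str:
    """One login: the genuine challenge reaches the user's browser (directly or
    relayed unchanged) and the resulting assertion is forwarded to the real RP."""
    auth, rp = Authenticator(), RelyingParty(RP_ORIGIN)
    rp.enroll("cred-1", auth.register("cred-1"))
    challenge = rp.new_challenge()
    assertion = auth.get_assertion("cred-1", browser_origin, challenge)
    return rp.verify("cred-1", assertion)


if __name__ == "__main__":
    print("direct login :", login_via(RP_ORIGIN))
    print("via lookalike:", login_via(PHISH_ORIGIN))
```

A one-time code or push approval carries no origin, so a relayed code verifies just as well as a direct one; that absence is the gap the AiTM kits exploit, and the origin check above is what closes it.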
Frequently asked questions
How can we detect phishing emails when attackers use compromised legitimate accounts?
Email filtering based on sender reputation fails when the sender is a legitimate, compromised account. Defense requires behavioral analysis: monitor for unusual email patterns (timing, language, attachment types, recipient lists), implement DMARC/DKIM/SPF to prevent external domain spoofing, and use threat intelligence to identify lookalike domains. User training to report suspicious emails is critical—many phishing attempts contain subtle red flags (unusual requests, suspicious links) that human judgment can catch. A good email security platform combines sandboxing, URL analysis, and behavioral detection.
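As an added illustration of the lookalike-domain part of this answer (not code from the original page), the scorer below is the kind of rule a threat-intelligence feed or mail gateway might apply to sender domains: it folds common confusable substitutions, measures edit distance, and looks for a protected brand embedded among digits and hyphens. The protected domains, thresholds and sample senders are constructed; finance-report2026.com is the lookalike from the incident chain above, and the second-level-label split is a simplification of what the Public Suffix List would give.

```python
"""
Added example (not from the original page): a lookalike-domain scorer.
Protected domains, thresholds and sample senders are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: the organisation's own domain and a key supplier's domain.
PROTECTED: List[str] = ["acme-finance.example", "finance-report.example"]

# Confusable substitutions commonly used in lookalikes, folded to one form.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def sld(domain: str) -> str:
    """Second-level label ('acme-finance' from 'acme-finance.example').
    Simplification: a production rule would consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold(label: str) -> str:
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def core(label: str) -> str:
    """Brand core: drop digits and hyphens, then fold confusables."""
    return fold(re.sub(r"[\d-]", "", label))


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, protected domain it imitates).
    Verdicts: trusted, tld-swap, homoglyph, typo, brand-embedded, clean."""
    if domain.lower() in PROTECTED:
        return ("trusted", None)
    raw = sld(domain)
    for prot in PROTECTED:
        p_raw = sld(prot)
        if raw == p_raw:
            return ("tld-swap", prot)
        if fold(raw) == fold(p_raw):
            return ("homoglyph", prot)
        if levenshtein(fold(raw), fold(p_raw)) <= 2:
            return ("typo", prot)
        if len(core(p_raw)) >= 6 and core(p_raw) in core(raw):
            return ("brand-embedded", prot)
    return ("clean", None)


# Constructed sender domains from a day's mail, with the verdict each should get.
SAMPLE_SENDERS = [
    "acme-finance.example",      # trusted
    "acme-finance.com",          # tld-swap
    "acrne-finance.example",     # homoglyph (rn -> m)
    "acme-fnance.example",       # typo
    "finance-report2026.com",    # brand-embedded: supplier name plus digits
    "weather-news.example",      # clean
]


def triage_senders(senders: List[str] = SAMPLE_SENDERS) -> Dict[str, Tuple[str, Optional[str]]]:
    return {d: classify(d) for d in senders}


if __name__ == "__main__":
    for d, (verdict, imitates) in triage_senders().items():
        print(f"{d:28s} {verdict:15s} {imitates or ''}")
```

Anything other than "trusted" or "clean" is a candidate for blocking at the gateway or for a takedown request, and the verdict is a useful enrichment on the alert a user raises when reporting a suspicious email.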
What is the difference between phishing and spear-phishing?
Phishing is mass email sent to hundreds or thousands of recipients using generic lures and low-effort personalization (e.g., 'Verify your account'). Success rates are typically 5-10%. Spear-phishing is targeted at specific individuals using researched details (names, job titles, recent emails, company events) to create highly credible attacks with 20-40% success rates. Whaling is spear-phishing targeting high-value victims like executives. Spear-phishing is far more dangerous because personalization bypasses skepticism.
Can we eliminate phishing through technology alone?
No. While email security tools (sandboxing, URL filtering, DMARC enforcement) significantly reduce phishing success, they cannot eliminate it entirely. Attackers continuously adapt—using AI to generate convincing text, registering lookalike domains, compromising legitimate accounts, and employing zero-day malware. Effective defense requires a combination: security technology, user training and testing, incident response procedures, threat intelligence, and a culture where users feel safe reporting suspicious emails without fear of punishment.
What should we do immediately after detecting a phishing attack?
1) Preserve the phishing email (headers, full source, attachments) for forensic analysis.
2) Identify and contain compromised accounts—reset passwords, review access logs, check for data exfiltration.
3) Block lookalike domains and malicious URLs enterprise-wide.
4) Alert users and request they report similar emails.
5) Engage threat intelligence to identify the attacker, similar campaigns, and impacted organizations.
6) Review email logs to identify who else may have clicked or replied.
Speed matters—a 1-hour response is far more effective than a 24-hour response.
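Steps 2, 4 and 6 of that procedure come down to one join between the mail-gateway log and the web-proxy log. The script below is an added example, not code from the original page: it takes the indicators preserved in step 1, lists who received the message, who clicked the link and who replied, and splits them into a containment list and a notify-only list. Every log line, hostname and user is constructed, and the two log layouts are assumptions rather than any product's format.

```python
"""
Added example (not from the original page): post-detection triage that joins a
mail-gateway log with a web-proxy log. All log lines, users and hosts are
constructed; the field layouts are assumptions.
"""
from typing import Dict, List, Set

# Indicators taken from the preserved phishing email (step 1). Constructed values.
PHISH_SENDER_DOMAIN = "finance-report2026.com"
PHISH_URL_HOST = "secure-docs.finance-report2026.com"

# Constructed mail-gateway log: timestamp direction sender recipient "subject"
MAIL_LOG = """\
2026-03-02T08:01:10Z inbound cfo@finance-report2026.com analyst1@acme-finance.example "Confidential report - review"
2026-03-02T08:01:11Z inbound cfo@finance-report2026.com analyst2@acme-finance.example "Confidential report - review"
2026-03-02T08:01:12Z inbound cfo@finance-report2026.com controller@acme-finance.example "Confidential report - review"
2026-03-02T08:01:13Z inbound cfo@finance-report2026.com hr@acme-finance.example "Confidential report - review"
2026-03-02T08:20:45Z outbound analyst2@acme-finance.example cfo@finance-report2026.com "RE: Confidential report - review"
2026-03-02T09:00:00Z inbound newsletter@vendor.example analyst1@acme-finance.example "March update"
"""

# Constructed web-proxy log: timestamp user host path status
PROXY_LOG = """\
2026-03-02T08:05:02Z analyst1 secure-docs.finance-report2026.com /login 200
2026-03-02T08:05:40Z analyst1 secure-docs.finance-report2026.com /login 302
2026-03-02T08:30:11Z controller secure-docs.finance-report2026.com /login 200
2026-03-02T08:31:00Z analyst2 intranet.acme-finance.example /home 200
"""


def parse_mail(log: str) -> List[Dict[str, str]]:
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, direction, sender, rcpt, subject = line.split(" ", 4)
        rows.append({"ts": ts, "dir": direction, "from": sender, "to": rcpt,
                     "subject": subject.strip('"')})
    return rows


def parse_proxy(log: str) -> List[Dict[str, str]]:
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, path, status = line.split()
        rows.append({"ts": ts, "user": user, "host": host, "path": path, "status": status})
    return rows


def triage_incident(mail_log: str = MAIL_LOG, proxy_log: str = PROXY_LOG) -> Dict[str, List[str]]:
    """Who received, clicked and replied; who to contain and who only to notify."""
    received: Set[str] = set()
    replied: Set[str] = set()
    for m in parse_mail(mail_log):
        if m["dir"] == "inbound" and m["from"].endswith("@" + PHISH_SENDER_DOMAIN):
            received.add(m["to"].split("@")[0])
        if m["dir"] == "outbound" and m["to"].endswith("@" + PHISH_SENDER_DOMAIN):
            replied.add(m["from"].split("@")[0])
    # A user is counted once however many requests the proxy recorded.
    clicked = {p["user"] for p in parse_proxy(proxy_log) if p["host"] == PHISH_URL_HOST}
    # Anyone who clicked or replied is treated as potentially compromised (step 2);
    # recipients who did neither still get the warning and a reporting nudge (step 4).
    return {
        "received": sorted(received),
        "clicked": sorted(clicked),
        "replied": sorted(replied),
        "contain": sorted(clicked | replied),
        "notify_only": sorted(received - clicked - replied),
    }


if __name__ == "__main__":
    for key, users in triage_incident().items():
        print(f"{key:12s} {', '.join(users) or '-'}")
```

The "contain" list feeds the password resets and session revocations of step 2, and the two indicator constants are what gets pushed to the gateway and proxy blocklists in step 3.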