Phishing is a social engineering attack that uses deceptive emails, messages, or websites to trick victims into revealing sensitive information or taking harmful actions. Attackers impersonate trusted entities—banks, employers, service providers—to convince victims to enter credentials, transfer money, or download malware.
Variants include spear phishing (targeted at specific individuals), whaling (targeting executives), vishing (voice phishing), and smishing (SMS phishing). Despite technical controls, phishing remains highly effective because it exploits human psychology rather than technical vulnerabilities.
CISSP Relevance
Phishing appears in Domain 1 (Security and Risk Management) under social engineering threats and Domain 7 (Security Operations) for detection and response. Understand phishing techniques, technical controls (email filtering, URL inspection), and the critical role of security awareness training. Know that phishing is a leading initial access vector.
CISA provides phishing resources at Secure Our World.
Related terms: Social Engineering, Security Awareness Training