
Phishing – The Ultimate Guide

We are hearing a lot about phishing and phishing attacks currently so, in this blog, we will take a step back to understand what phishing is, the types and the background. Let’s start with the basic question – what is phishing?


Phishing is a fraudulent attempt to deceive an end-user into providing confidential information. Phishing emails are generally crafted to imitate a legitimate business, bank or email provider by replicating the branding, design and pattern of their communications. The objective is to trick the recipient into freely providing sensitive data, such as passwords, usernames, network information etc. Reports suggest that a third of all data breaches stem from a phishing attack, and it is now the most prevalent attack vector because of its simplicity, the ready availability of tooling and the fact that it typically requires no specialist knowledge.

Types of phishing

Phishing has infamously evolved over the years. At the outset, it was a social engineering activity using a shotgun approach to target a large group of users. Over the years, however, it has developed and, instead of mass spam emails being sent out to all users, criminals started targeting specific groups or individuals. These types of attacks are commonly known as spear phishing, i.e. targeting specific individuals, or whale phishing, which targets executives, executive management, high-net-worth individuals and similar.

Vulnerabilities exploited

The anatomy of phishing is relatively straightforward. What makes it so dangerous is its simplicity and the vulnerabilities it attempts to exploit. A phishing attack directly targets users and plays on basic human behavioural traits:

• Desire to help

• Desire to cooperate

• Fear

• Greed

Forms of delivery

The phishing attack vector differs depending on the target, type of attack and information targeted. The most common forms of delivery are:

• Email

• Instant messaging (including SMS)

• Telephone

Email and instant messaging are the typical forms of attack vectors. They are free, exposure is nominal and they do not require technical infrastructure or knowledge. The number of targets that can be attacked at the same time is, theoretically, unlimited.

Using phones as an attack vector is less common, as it involves a degree of intricacy and it is more complex to obfuscate the attackers’ tracks. However, these attacks still occur regularly and may be used in combination with one of the other vectors.


As an organisation, there are two primary options to mitigate the phishing threat: technical controls, and training and awareness.

The technical controls consist of a number of measures used to prevent electronic messages from reaching the intended end-users. Due to the constant increase in the sophistication of these attacks, some of these messages do get through. For this reason, the second security control, training and awareness, is just as critical as the technical controls. All end users must be aware of the threat and need to know what to look out for and whom to contact if in doubt or if/when they require assistance.
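As an illustration of the kind of technical control described above, here is an added example (not code from the URM blog) of a minimal pre-delivery check that looks for common phishing indicators in an email's headers and HTML body: authentication failures (SPF/DKIM/DMARC) recorded by the receiving mail server, a Reply-To domain that differs from the From domain, a display name that names a different domain from the real sender, and links whose visible text names a different domain from the actual destination. The function name `assess_message`, the indicator labels and both sample messages are constructed for this example; `example.com`, `example.net` and `example.biz` are reserved documentation domains, not real senders.

```python
"""Added example: header- and link-based phishing indicators of the kind a
technical control might evaluate before a message reaches the end-user.
All names and sample messages here are constructed for illustration."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# spf/dkim/dmarc results that a receiving MTA writes into Authentication-Results
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", re.I)
# something that looks like a hostname inside free text (display names, link text)
DOMAIN_IN_TEXT = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# <a href="...">visible text</a>, good enough for simple HTML bodies
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# scheme://host part of a URL
HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


def registered_domain(host: str) -> str:
    """Crude 'last two labels' reduction: mail.example.com -> example.com.
    A production control would consult the public-suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_message(raw: str) -> list[str]:
    """Return the list of indicator labels found in a raw RFC 5322 message
    (an empty list means none of these indicators fired)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Authentication results recorded by the receiving mail server
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_FAIL.findall(str(hdr)):
            findings.append(f"{mech.lower()}_{result.lower()}")

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registered_domain(from_addr.rpartition("@")[2])

    # 2. Replies silently routed to a different domain than the sender's
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and registered_domain(reply_addr.rpartition("@")[2]) != from_domain:
        findings.append("reply_to_domain_mismatch")

    # 3. Display name claims a brand/domain the real sender address does not have
    for m in DOMAIN_IN_TEXT.finditer(display_name):
        if registered_domain(m.group(0)) != from_domain:
            findings.append("display_name_domain_mismatch")
            break

    # 4. Link text shows one domain while the href points somewhere else
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part is not None else ""
    for href, text in ANCHOR.findall(html):
        host_m = HOST.match(href.strip())
        if not host_m:
            continue
        href_domain = registered_domain(host_m.group(1))
        visible = DOMAIN_IN_TEXT.search(re.sub(r"<[^>]+>", "", text))
        if visible and registered_domain(visible.group(0)) != href_domain:
            findings.append("link_text_domain_mismatch")
            break

    return findings


# Constructed sample: a message imitating a bank, failing authentication,
# with a foreign Reply-To and a link whose text does not match its target.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=example.net
From: "Example Bank Support (example.com)" <alerts@example.net>
Reply-To: verify@example.biz
To: user@example.org
Subject: Urgent: confirm your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be closed in 24 hours.</p>
<p>Please <a href="https://example.net/login">www.example.com/account</a> to confirm.</p>
</body></html>
"""

# Constructed sample: a genuine-looking message that passes every check.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example Bank" <alerts@example.com>
To: user@example.org
Subject: Your monthly statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.example.com/statements">www.example.com/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess_message(raw))
```

A gateway would typically combine indicators like these into a score and quarantine or tag the message rather than blocking on any single one, since a legitimate newsletter can trip the Reply-To check on its own; the point of the example is that each indicator is cheap to compute from data the message already carries, which is why such checks sit in front of, not instead of, user awareness.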


Attackers are always one step ahead. They have more resources at their disposal and no ethical boundaries to observe. Users must be aware that there is no such thing as a free lunch – if it sounds too good to be true, then it definitely is. Vigilance is key and users must understand that it is their responsibility to observe organisational policies and report any suspicious email, phone call or other types of communication.