Phishing definition: what phishing means
The simplest phishing definition is this: phishing is a fraudulent attempt to obtain sensitive information or trigger a harmful action by disguising a message as coming from a trustworthy source. The name comes from the fishing metaphor: an attacker dangles bait and waits for someone to bite. Instead of exploiting a software bug, phishing exploits human trust, habit, and the pressure of a busy workday.
A phishing attack can arrive by email, SMS, voice call, QR code, or chat message. The payload might be a link to a fake login page, a malicious attachment, or simply a convincing request to wire money or share data. Because it targets people rather than firewalls, phishing slips past many technical defenses and remains effective even against well-patched, modern systems.
How a phishing attack works, step by step
Most phishing follows a predictable sequence. Understanding each stage helps you spot where a real attack can be interrupted, often long before any damage is done.
- Reconnaissance: the attacker gathers names, job titles, email formats, and relationships from public sources such as company websites, social media, and leaked data.
- Lure: a message is crafted to create urgency, fear, or curiosity, for example "your account is locked", "invoice overdue", or "new voicemail received".
- Delivery: the message is sent at scale or hand-tailored to one person, often spoofing a known sender or using a look-alike domain.
- Hook: a link, attachment, QR code, or reply routes the victim to a fake page or into a conversation with the attacker.
- Capture: credentials, payment details, or an approval such as a multi-factor authentication (MFA) prompt are harvested.
- Exploit: the attacker uses that access to commit fraud, move deeper into the network, or deploy ransomware.
Modern kits make this easier than ever. Phishing-as-a-service platforms sell ready-made fake login pages, and some adversary-in-the-middle tools can relay live traffic to capture session tokens, defeating many forms of MFA. The attacker no longer needs deep technical skill, which is one reason phishing volumes have stayed persistently high.
Common channels and lures phishing uses
Phishing is a tactic, not a single channel. The same deception is delivered through whichever medium reaches the target most convincingly.
Where phishing arrives
- Email phishing: the classic and still most common form, including bulk campaigns and targeted spear phishing.
- Smishing: phishing sent by SMS, frequently impersonating couriers, banks, or government services.
- Vishing: voice-based phishing over the phone, increasingly assisted by AI voice cloning.
- Quishing: phishing that hides a malicious link inside a QR code to bypass some email link filters.
- Chat and collaboration tools: messages sent through platforms employees trust internally.
Recurring lure themes in Europe
- Microsoft 365 and login-credential harvesting, such as "view this secured document" or fake password-reset and MFA prompts.
- Banking and payment impersonation of well-known EU banks and brands like PayPal or Klarna.
- Parcel-delivery smishing impersonating couriers and postal services, spiking around the holidays.
- Invoice, contract, and procurement lures used heavily for business email compromise and credential theft.
These categories overlap and evolve, which is why a deeper look at the different types of phishing is worth your time once you understand the basics.
A real-world European phishing example
Imagine an employee at a Slovak company receives an SMS claiming a parcel from the postal service could not be delivered and a small fee is needed to reschedule. The link leads to a page that looks like a familiar courier site and asks for card details to pay the fee. This parcel-delivery smishing lure is one of the most common in the region, especially around holiday shopping peaks.
A second, costlier example targets the workplace directly. An accountant receives an email that appears to come from a supplier, referencing a genuine open invoice but with updated bank details. The message tone is professional and the timing fits an expected payment. If the change is not verified through a known phone number, the next wire transfer goes straight to the attacker. This pattern, business email compromise, drives some of the largest financial losses tied to phishing.
Why phishing matters for organizations
Phishing matters because it is rarely the end of the story; it is the beginning. In EU incident-response reporting it stands out as the leading initial-access vector, ahead of vulnerability exploitation. Once attackers are in, phishing becomes the on-ramp to the most damaging outcomes: it is a primary delivery route for ransomware, which remains the most impactful cybercrime category facing EU organizations, and it underpins business email compromise fraud.
Compliance raises the stakes
European regulation now treats awareness as a baseline duty. The NIS2 Directive requires basic cyber-hygiene practices and cybersecurity training for staff, and makes management bodies accountable for overseeing these measures. DORA mandates ICT security-awareness programmes for financial entities, including senior management. And under GDPR, a phishing-driven data breach can trigger a notification to the supervisory authority within 72 hours of becoming aware. For organizations subject to these rules, demonstrating regular, measurable awareness activity is now an expectation, not a nice-to-have.
How to stay safe from phishing
The good news is that phishing is highly defensible, and employees are the solution rather than the problem. A layered approach combines technical controls with informed people who know what to do.
- Pause on urgency: treat any message demanding immediate action, payment, or login as a prompt to verify first.
- Check the sender and the link destination before clicking, and be wary of look-alike domains.
- Verify money and data requests through a known, independent channel, never the contact details in the suspicious message.
- Use phishing-resistant authentication such as passkeys or FIDO2 security keys where possible.
- Report anything suspicious quickly; a fast report lets your security team contain an incident before it spreads.
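To make the "check the sender and the link destination" advice concrete, here is a small Python checker written for this article (not a tool the page describes) that pulls links out of constructed sample messages, flags hosts imitating an assumed allow-list of trusted domains (homoglyph swaps, near-misspellings, TLD swaps, a brand buried in a subdomain), and counts the urgency wording the lure themes above rely on. The allow-list, the sample messages and the two-label "registrable domain" shortcut are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed allow-list: domains this organisation treats as genuine senders of links.
TRUSTED_DOMAINS = ["microsoft.com", "paypal.com", "klarna.com"]
# Pressure wording taken from the lure themes above (locked account, overdue invoice).
URGENCY_TERMS = ("immediately", "locked", "overdue", "within 24 hours", "suspended")
# Single-character visual twins; two-character swaps (rn -> m, vv -> w) are handled in fold().
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def fold(label):
    """Collapse homoglyph substitutions so 'paypa1' and 'rnicrosoft' read as the brand."""
    return label.lower().translate(FOLD).replace("rn", "m").replace("vv", "w")

def registrable_domain(host):
    """Last two labels of a host; a public-suffix list would be needed for co.uk-style TLDs."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_of(host):
    """Return the trusted domain a host imitates, or None if it is genuine or unrelated."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None  # the real domain, including its legitimate subdomains
    labels = host.lower().split(".")
    sld = reg.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_labels = trusted.split(".")
        # Brand embedded as a subdomain: microsoft.com.secure-login.example
        if any(labels[i:i + len(t_labels)] == t_labels for i in range(len(labels))):
            return trusted
        # Homoglyph swap, TLD swap, or near-misspelling of the second-level label
        if fold(sld) == t_labels[0] or SequenceMatcher(None, sld, t_labels[0]).ratio() >= 0.8:
            return trusted
    return None

def assess_message(text):
    """Extract links, check each host for a look-alike, count urgency terms, give a verdict."""
    urls = URL_RE.findall(text)
    lookalikes = {u: t for u in urls if (t := lookalike_of(urlparse(u).hostname or ""))}
    urgency = [t for t in URGENCY_TERMS if t in text.lower()]
    if lookalikes:
        verdict = "suspicious"   # a deceptive link is the strongest single signal
    elif urgency and urls:
        verdict = "review"       # pressure plus a link: verify through a known channel
    else:
        verdict = "clean"
    return {"urls": urls, "lookalikes": lookalikes, "urgency": urgency, "verdict": verdict}
```

A real mail gateway would add sender-authentication results (SPF, DKIM, DMARC) and a public-suffix list; this block only shows the link and wording checks a reader can reproduce by hand.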
To go further, learn the warning signs in our guide on how to recognize phishing, then put durable defenses in place with our guide on how to prevent phishing. Recognition and prevention together turn a workforce into a reliable last line of defense.
Frequently asked questions
What is phishing in simple terms?
Phishing is when a scammer pretends to be a trusted person or company to trick you into giving up information, money, or access. It usually arrives as an email, text, or call with an urgent request. It targets human trust rather than a technical weakness.
What is the difference between phishing and spam?
Spam is unsolicited bulk messaging, usually advertising. Phishing is deliberate deception designed to steal information or money. Spam is mostly annoying, while phishing is an attack that can lead to fraud or a data breach.
Is phishing illegal?
Yes. Phishing is a form of fraud and unauthorized access and is prosecutable across the EU. Authorized phishing simulations run with consent for training purposes are legal and are a recognized security control.
What should I do if I clicked a phishing link?
Do not enter any further details, disconnect if a download started, and report it to your IT or security team immediately. If you entered a password, change it and enable multi-factor authentication. Fast reporting helps contain any damage.