What Is Phishing?



Phishing is an attack strategy that uses deception in order to solicit sensitive information or directly breach a system, typically in the form of an email. Although phishing is almost as old as email, it has become increasingly more sophisticated, often evading spam filters and human detection.

Phishing is considered one of the most effective attack vectors being used today. According to the Verizon Data Breach Investigations Report, 94 percent of malware deliveries are completed through a phishing email of some type. It is more critical than ever to learn what phishing is, and how to avoid becoming the next victim.

What is the Goal of Phishing?


Breaching a System

Some phish are used to get malicious code past the perimeter. Initial scrutiny is vital in this case because all it takes is a click and the malware can begin to download itself to your computer. Often, malware will lurk unsuspected in the system, either quietly collecting data or waiting to strike so the user may never realize that what they clicked was malicious. These emails contain either an attachment, a download, or a link to a website that will deliver a malware payload. This malware could be any number of things—ransomware, cryptomining malware, worms, or other cyber threats.

Gathering Sensitive Credentials

Phishing is also used as a means for gathering credentials, which can then be used for further attacks. This typically requires users to have to type in their personal information in some way, which is usually achieved by linking the target to a threat actor’s website. Users have more time to determine if the site is legitimate, so more work may go into making it look realistic, perhaps spoofing websites, using covert redirects, or ensuring the email appears as though it comes from a trustworthy source.

What Are the Different Types of Phish?


The most familiar type of phish are also the most basic. These emails cast a wide net, and vary in terms of how realistic they are, but are aimed at a general audience with a goal of getting clicks from careless or unaware employees. However, there are other, more specific types of phish that are also used, including:

Spear Phishing

Spear phishing

Spear phishing uses targeted attacks against a specific person or organization. A threat actor does research in order to learn personal information to tailor emails accordingly. For example, phish could be created to look like an individual’s specific bank, or an organization may be phished with emails that appear to be from those working in human resources. Since spear phish are from familiar names or organizations, and often look more realistic, users are much more likely to open them.



Whaling is an even more precise type of phish aimed at high level targets, like C-level executives. While threat actors must again carefully research and craft an email that is not only tailor made, whaling presents an additional challenge. Since such high profile individuals are typically more selective about the emails they open, malicious actors put more thought into the getting their attention in the emails they craft.



Not all phish are in email form. People can receive automated or live calls requesting personal information that can be given in person or dialed into the keypad. Now that caller ID is universal, many vishing attacks also incorporate spoofing, in which a phone number from a local area code, or even a recognized company, appears to be calling. The most common vishing attacks include calls from banks, credit card companies, loan offers, car companies, or even charitable requests.



Threat actors utilize every communication method, including short message services (SMS). Attackers send text messages or use messaging apps to solicit personal information or spread malicious links. Malicious links opened on a cell phone are particularly dangerous, since there typically isn’t antivirus software to protect these devices.

What Is a Social Engineering Pen Test?


Since you can't stop phishing emails from appearing, the best way to manage these threats is by learning how to recognize them. Phishing simulations are a type of social engineering testing that imitates such phishing campaigns. Pen testers deploy a number of phish of varying difficulty levels, and monitor whether any are opened, clicked, or have credentials entered. These simulations can uncover which employees are vulnerable to phishing and discern what types of phish are most likely to fool them, so organizations can prevent them from doing it again, through trainings or other education sessions.


What Are the Benefits of Phishing Campaign Simulations?


Test Employee Vigilance

Get data on which employees are susceptible to phishing attacks, and how severe of a problem phishing is within your organization.

How Do You Run an Effective Phishing Simulation?


A careless user can end up costing an organization time, money, and reputation simply by clicking a link or signing into a website they thought was trustworthy. Penetration testers who run phishing campaigns are tasked with averting such disasters. When properly executed, these social engineering tests can give organizations data on how vulnerable they are to such attacks and serve as educational opportunities to teach employees about ways to recognize and avoid getting phished. 

Read more>


Think Like an Attacker

Design your phish to fit an attacker’s desired outcome. If the goal is to release a malicious payload, you may only need to entice a user to click on a link to a potentially interesting news article. On the other hand, if you need a login, you would want an email that imitates a service that you know they use.

Tailor Phish to Your Users

Spear phish and whaling are becoming more common and should be included in any simulation campaign. Personalize phish in any way that you can by using names, addresses, location, interests, etc. The more specific you can be, the less a user takes time to scrutinize it.

Have a Variety of Different Types of Phish

Have phish of every level to make the campaign as authentic as possible. Use obvious phish with spelling errors and clearly fake email addresses. Add in generic and well-constructed phish that look realistic, but don't contain any specifics about a person or group. Use phish that are active in the wild that you've seen in your own inbox. And of course, use highly custom phish.

Use Multiple Methods of Communication

While the focus is typically on email, phishing can be done with other forms of communication, like phone calls or text messages.

What Should You Do After a Phishing Simulation?


Educate employees and follow best practices.

No matter the outcome of a campaign simulation, an organization should always take the time to educate its employees. They need to learn how to identify phish—from lack of personalization to odd URLs. Urge caution when opening links or attachments, particularly those that come unprompted or from unusual sources. Follow best practices, like going directly to a website instead of using a link when possible. Encourage employees to keep an eye on OpenPhish and PhishTank to familiarize themselves with the most common phish currently floating around.

Retest on a regular basis.

Anti-phishing penetration tests can and should be utilized frequently. The best way to ensure your education efforts are effective is to test again. Additionally, new phish are constantly being introduced, so you’ll want to stay up to date on the latest tactics. Regular testing keeps employees accountable, vigilant, and ensures that new employees aren’t a security weakness that goes unaddressed for too long.

Read more>

What Are Phishing Tools?

Phishing simulators and tools are incredibly helpful in creating a social engineering pen test. Both open source and commercial tools are available, with varying capabilities and features. Some general penetration testing tools have phishing capabilities looped into their solutions. These tools make phishing campaigns more efficient, assisting in the design of phish, target selection, deployment, and management of the campaign.

More advanced tools have more reporting capabilities, and can help by tracking activity and do post campaign analysis with metrics like click rates, login numbers, and flagging instances will help show what an organization needs to work on. These reports can also be used to track  progress after regular retesting.

Read more>



Phishing Simulations Solutions from Core Security


Core Impact 

Simple enough for your first test, powerful enough for the rest.

Learn More > 

Penetration Testing Services 

Identify the security gaps that are putting your organization at risk.

Learn More >