Overview
Phishing is a social engineering technique in which attackers use fraudulent or manipulated electronic communications
to trick recipients into disclosing confidential information or performing harmful actions.
Common objectives include obtaining login credentials, payment details, or sensitive corporate information.
According to recent studies, phishing or other social engineering techniques are used in the initial stage
of over 90% of successful corporate cyberattacks to bypass technical defenses.
Common Variants
Bulk Phishing
Mass distribution of non-personalized emails to a large group of recipients.
Recognizable by generic subject lines, numerous spelling and grammar errors, or sender addresses at free email services.
Spear Phishing
Targeted attack against a specific individual, often containing personalized content and references to internal projects.
Sender addresses closely resemble legitimate internal addresses but with subtle alterations.
Whaling / CEO Fraud
Attacks targeting executives or financial officers to redirect large sums of money.
Characterized by extremely short deadlines, confidentiality requests, and slightly altered sender addresses.
Business Email Compromise (BEC)
Manipulation or spoofing of legitimate business correspondence to alter payment information.
Often involves minimally modified domains and urgent requests.
Clone Phishing
A previously legitimate email is replicated, with links or attachments replaced by malicious content.
Often identified by subject lines beginning with “Re:” or “Fwd:” and new password-protected attachments.
Example Scenario
An employee in the administration department receives a phone call:
Good morning, this is Mr. King from the auditing firm Müller & Partner.
We are on-site today to finalize the year-end closing.
Ms. Lehmann from accounting knows me – but she is currently unavailable.
To meet the deadline, I urgently require export access to the ERP system, client 123.
If this is not completed within the next hour, your closing will be delayed, and the financial regulator will impose penalties.
Analysis:
- External auditors arrange access exclusively in advance through known contacts.
- Time pressure and threats without a formal audit request indicate social engineering.
- No authentication provided (no auditor ID, no email from an official domain).
Risks and Impacts
Phishing can result in the following consequences:
- Compromise of user accounts and IT systems
- Theft of sensitive data and trade secrets
- Manipulation or redirection of financial transactions
- Disruption of critical business processes
- Significant financial and reputational damage
Preventive Measures
To reduce phishing risk, a combination of technical, organizational, and personnel measures is recommended:
- Email security solutions – Filtering, sandbox analysis, and DMARC/SPF/DKIM implementation
- Awareness training – Regular sessions on phishing detection and reporting procedures
- Technical hardening – Multi-factor authentication and restricted macro execution
- Clear processes – Formal requirements for payment and password changes
- Security monitoring – Analysis of suspicious emails and attack patterns
- Simulations – Regular controlled phishing tests to assess vigilance
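The email security and monitoring measures above can be partly automated at the gateway. The following Python script is an added illustration, not part of the original article: it reads the SPF/DKIM/DMARC verdicts that the receiving mail server writes into the Authentication-Results header, flags an internal sender domain that lacks a DMARC pass (spoofed correspondence, as in BEC), and flags external sender domains that differ from the organisation's own domain by only one or two characters (the "slightly altered sender addresses" of spear phishing and CEO fraud). The internal domain example-corp.com and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.com"}  # assumption: the organisation's own domain (hypothetical)

def levenshtein(a: str, b: str) -> int:
    # Edit distance: one or two changed characters is the typical "minimally modified" domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def auth_verdicts(msg) -> dict:
    # spf/dkim/dmarc results as stamped by the receiving gateway, not claimed by the sender.
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts

def analyse(raw_message: str) -> list:
    # Returns the findings for one RFC 5322 message; an empty list means nothing suspicious here.
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts = auth_verdicts(msg)
    findings = [f"{m}={verdicts.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                if verdicts.get(m) != "pass"]
    if domain in INTERNAL_DOMAINS:
        if verdicts.get("dmarc") != "pass":  # our own domain in From: but not authenticated
            findings.append(f"spoofed internal domain {domain}")
    else:
        for internal in INTERNAL_DOMAINS:
            if levenshtein(domain, internal) <= 2:
                findings.append(f"lookalike domain {domain} resembles {internal}")
    return findings

# Constructed sample messages (headers only, not captured traffic).
LEGIT = """From: Ms. Lehmann <lehmann@example-corp.com>
Subject: Year-end closing
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass"""
LOOKALIKE = """From: CFO <cfo@examp1e-corp.com>
Subject: URGENT: transfer within the hour
Authentication-Results: mx.example-corp.com; spf=pass; dkim=none; dmarc=none"""
SPOOFED = """From: CEO <ceo@example-corp.com>
Subject: Confidential - need this done in the next hour
Authentication-Results: mx.example-corp.com; spf=fail; dkim=none; dmarc=fail"""
```

Running `analyse()` over each sample yields no findings for the legitimate message, a lookalike-domain finding plus missing DKIM/DMARC for the second, and authentication failures plus a spoofed-internal-domain finding for the third.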
Standards and Best Practices
The following frameworks and standards provide relevant guidance for phishing prevention:
- ISO/IEC 27001 – Annex A.12 & A.13: Communications Security
- NIST SP 800-53 – Awareness and Training (AT), System and Communications Protection (SC)
- BSI IT-Grundschutz – Modules ORP.4 “Awareness and Training” and CON.1 “Email Usage”
Conclusion
Phishing is one of the most common and effective social engineering methods,
as it circumvents technical security controls and exploits human factors.
Only through a coordinated combination of technical email security,
clear organizational processes, and ongoing awareness initiatives
can this risk be effectively mitigated.