Phishing

Phishing is a social engineering attack in which an attacker masquerades as a trustworthy entity to trick individuals into revealing sensitive information or performing harmful actions.

What is phishing?

It is typically carried out via fraudulent emails or messages that lure the victim into clicking a malicious link or opening a malicious attachment.

For example, a phisher might send an email appearing to be from a bank, asking the user to log in at a fake website to “verify” their account, thereby stealing their credentials. Phishing can also involve attachments laden with malware or instructions to transfer money. In essence, the attacker exploits human trust rather than hacking technical defenses, often targeting login credentials, financial data, or personal information.

How does it affect identity security?

Phishing is one of the most common and effective ways attackers compromise user identities. No matter how strong an organization’s network security is, if a user is duped into handing over their password or a one-time MFA code, an attacker can log in as them. Verizon’s Data Breach Investigations Report has consistently listed phishing among the most common initial actions in breaches.

For example, in 2016 Russian GRU operatives spear-phished John Podesta, chairman of Hillary Clinton’s campaign, stole his Gmail password, and exfiltrated tens of thousands of emails; related spear-phishing campaigns also gave them access to the U.S. Democratic National Committee.

Phishing is a primary reason multi-factor authentication (MFA) is pushed so hard: even if a user falls for a phishing email and gives up their password, a second factor can stop the attacker from logging in. The caveat is that not every second factor resists phishing. One-time codes and push approvals can be captured or relayed in real time by a proxy site that sits between the victim and the real login page, whereas FIDO2/WebAuthn credentials are bound to the legitimate site’s origin and cannot be replayed to a lookalike. User training is also crucial; many companies run simulated phishing campaigns to teach employees to spot suspicious cues (misspelled domains, urgent tone, unexpected attachments). Technical controls help too: email filters block many phishing attempts, and modern browsers and security suites often warn before you visit a known phishing site.

Despite these controls, phishing continues to succeed because attackers constantly refine their pretexts (COVID-19 themed scams, or tailored spear-phishes built from information on LinkedIn). It matters for identity security because phishing targets the weakest link, the human, to bypass otherwise strong authentication. A single clicked link can lead to an entire network breach or data theft, as countless incidents have shown. Identity security programs therefore treat phishing prevention and response as top priorities, combining user awareness, phishing-resistant authentication, and rapid takedown of phishing sites.

In summary, phishing remains one of the easiest ways for attackers to steal valid credentials or hijack sessions, making it a fundamental threat to identity security.

Case studies:

One of the most impactful phishing attacks was the breach of John Podesta’s email during the 2016 U.S. election. Podesta, chairman of the Clinton campaign, received an email in March 2016 that looked like a Google security alert, warning of a suspicious sign-in. The email provided a link to change his password. Believing it legitimate, Podesta clicked the link and entered his Gmail credentials on a fake Google login page, handing them to the attackers. With full access to his Gmail, Russian hackers extracted over 50,000 emails and later leaked them publicly, influencing media narratives during the election. 

Another example occurred in 2014 at Sony Pictures Entertainment, where employees received emails purportedly from Apple asking them to verify their Apple ID by opening an attachment. That attachment carried malware that gave the attackers a foothold in Sony’s network, ultimately leading to a catastrophic breach and destruction of data. These cases underscore that whether the goal is obtaining credentials (as with Podesta) or delivering malware (as with Sony), phishing is often the first domino in a chain that ends in an identity breach.

FAQs

Everything you Need to Know

What is phishing in cybersecurity?

Phishing is a social engineering attack in which malicious actors impersonate trusted entities, usually by email, to steal credentials or deliver malware. The message itself travels over SMTP, but the credential theft happens on an attacker-controlled web page or inside an attachment, so defenses focus on the message, its links and its sender rather than on the mail transport.
- Deploy email security filters that rewrite or sandbox links and attachments
- Enforce MFA, preferably a phishing-resistant form such as FIDO2/WebAuthn
- Conduct user awareness training backed by simulated phishing
- Map the program to the NIST Cybersecurity Framework’s Protect, Detect and Respond functions

How can I identify a spear phishing attack?

Spear phishing targets specific users with personalized content (names, projects, colleagues, often scraped from LinkedIn or earlier breaches) so that the message passes both automated filters and the recipient’s own suspicion. MITRE ATT&CK catalogs it under T1566 (Phishing), with sub-techniques for spearphishing attachments, spearphishing links and spearphishing via third-party services.
- Check the actual sender address and the Authentication-Results header, not just the display name
- Hover over or expand links and compare the real destination with the one shown in the text
- Treat unsolicited attachments, especially macro-enabled Office documents and archives, as hostile until verified
- Confirm unusual requests out of band, by phone or another known-good channel
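The header and link checks above can be automated at the mail gateway or in a triage tool. The following is an added example, not code from the original page or from any vendor product: it parses a constructed raw message that imitates a Google security alert (the domains accounts-verify.example and mailbox-recovery.example are invented, and the BRAND_DOMAINS allow-list is an assumption) and reports the classic spear-phishing tells: a display name that claims a brand the sender domain does not belong to, a Reply-To that diverts replies elsewhere, failing SPF/DKIM/DMARC verdicts, link text that shows one host while the href points to another, and a hostname that merely embeds the brand as a label.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample phish (not a real capture). Note that SPF, DKIM and DMARC all PASS:
# the attacker owns accounts-verify.example, so domain authentication cannot flag it.
PHISH = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=accounts-verify.example; dkim=pass header.d=accounts-verify.example; dmarc=pass header.from=accounts-verify.example
From: "Google Security" <no-reply@accounts-verify.example>
Reply-To: recovery@mailbox-recovery.example
To: target@example.net
Subject: Someone has your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone just used your password to sign in to your Google Account.</p>
<p>Change your password immediately:
<a href="http://myaccount.google.com.accounts-verify.example/reset">https://myaccount.google.com/security</a></p>
</body></html>
"""

# Constructed legitimate message for comparison.
LEGIT = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=accounts.google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
From: "Google" <no-reply@accounts.google.com>
To: target@example.net
Subject: Security alert
Content-Type: text/html; charset=utf-8

<html><body><p>Review activity at
<a href="https://myaccount.google.com/notifications">https://myaccount.google.com/notifications</a></p></body></html>
"""

# Assumed allow-list: brands the organisation cares about and the domains they really send from.
BRAND_DOMAINS = {"google": "google.com", "microsoft": "microsoft.com"}


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it (merely containing it does not count)."""
    return host == domain or host.endswith("." + domain)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def parse_auth_results(value):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "")}


def analyze(raw):
    """Return a list of human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    display = sender.display_name.lower()
    for brand, real in BRAND_DOMAINS.items():
        if brand in display and not belongs_to(from_domain, real):
            findings.append(f"display name claims {brand} but sender domain is {from_domain}")

    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    auth = parse_auth_results(msg["Authentication-Results"])
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check, "none") != "pass":
            findings.append(f"{check}={auth.get(check, 'none')} in Authentication-Results")

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        target = host_of(href)
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "://" in shown and host_of(shown) != target:
            findings.append(f"link text shows {host_of(shown)} but points to {target}")
        for brand, real in BRAND_DOMAINS.items():
            if real in target and not belongs_to(target, real):
                findings.append(f"link host {target} only embeds {real} as a label; the registrable domain is different")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze(raw))
```

Running it lists four indicators for the constructed phish and none for the legitimate message. The sample deliberately has SPF, DKIM and DMARC passing, because an attacker who registers their own lookalike domain can set those up correctly; the display-name, Reply-To and link checks are what catch it.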

What are the main variations of phishing scams?

Common variations include smishing (phishing via SMS), vishing (phishing via voice calls), and whaling, which targets senior executives and frequently leads to Business Email Compromise (BEC), where a spoofed or hijacked executive mailbox instructs staff to move money or change payment details.
- Do not follow links in unexpected SMS messages; open the service’s app or site directly instead
- Verify executive fund-transfer and payment-change requests through a second, known-good channel
- Use multi-factor authentication (MFA) on mailboxes so a stolen password alone cannot enable BEC
- Report suspicious voice calls and messages to the security team

What technical protocols secure email against phishing?

Organizations publish Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) records in DNS so that receiving servers can verify mail claiming to come from their domain. SPF lists the hosts allowed to send for the domain, DKIM signs outgoing messages with a key published in DNS, and DMARC tells receivers what to do when neither check passes in alignment with the visible From: domain, and where to send reports.
- Publish an SPF record that ends in -all rather than +all or ~all once every legitimate sender is listed
- Sign outgoing mail with DKIM and rotate the signing keys periodically
- Move DMARC from p=none to p=quarantine and then p=reject, using the aggregate reports to find senders you missed
- Require TLS for mail in transit (STARTTLS, with MTA-STS to prevent downgrade)
These protocols stop exact-domain spoofing; they do not stop lookalike domains or mail sent from a compromised account, both of which authenticate correctly.
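What a receiving server actually does with these records is easiest to see in code. The following is an added example, not code from the original page or from any mail server: it evaluates a simplified SPF record (ip4/ip6/include/all mechanisms only; a, mx and exists need live DNS), parses a DMARC record with its RFC 7489 defaults, applies the alignment rules, and audits a domain for the weak settings named above. The DNS_TXT table is constructed zone data for the invented domains example.com, bulkmailer.example and weak.example, and org_domain uses a two-label approximation of the organizational domain where real receivers consult the Public Suffix List.

```python
import ipaddress
import re

# Constructed DNS TXT records (assumed zone data; no live lookups are made).
# example.com is configured well; weak.example shows the settings an auditor should flag.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.bulkmailer.example -all",
    "mail.example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.bulkmailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "weak.example": "v=spf1 +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """Simplified RFC 7208 evaluation of the sending IP against the domain's SPF record."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms such as include at 10
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], ip, depth + 1) == "pass"
        else:
            continue  # a, mx, exists, redirect need live DNS and are skipped in this offline example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched


def parse_dmarc(domain):
    """Parse _dmarc.<domain> into a tag dict, applying the RFC 7489 defaults (relaxed alignment)."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return None
    return {"p": "none", "adkim": "r", "aspf": "r", **tags}


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: strict requires an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(header_from, envelope_from, source_ip, dkim_domain=None, dkim_pass=False):
    """Receiver-side DMARC decision: 'pass', or the domain's policy when neither SPF nor DKIM aligns."""
    dmarc = parse_dmarc(header_from)
    if dmarc is None:
        return "none"
    spf_aligned = spf_check(envelope_from, source_ip) == "pass" and aligned(header_from, envelope_from, dmarc["aspf"])
    dkim_aligned = bool(dkim_pass and dkim_domain) and aligned(header_from, dkim_domain, dmarc["adkim"])
    return "pass" if spf_aligned or dkim_aligned else dmarc["p"]


def audit(domain):
    """Flag SPF/DMARC settings that leave the domain spoofable."""
    findings = []
    spf = DNS_TXT.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("no SPF record: receivers cannot reject forged senders")
    elif re.search(r"\s\+?all(\s|$)", spf):
        findings.append("SPF ends in +all: any host on the internet may send as this domain")
    elif re.search(r"\s~all(\s|$)", spf):
        findings.append("SPF uses ~all (softfail): tighten to -all once all senders are listed")
    dmarc = parse_dmarc(domain)
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are not tied to the From: domain")
    elif dmarc["p"] == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    return findings


if __name__ == "__main__":
    print(dmarc_evaluate("example.com", "example.com", "192.0.2.1"))
    print(dmarc_evaluate("weak.example", "weak.example", "192.0.2.1"))
    print(audit("weak.example"))
```

Two results are worth noting. A forged message from 192.0.2.1 claiming example.com is rejected, but the same forgery claiming weak.example passes DMARC, because +all makes SPF succeed for every host and a passing, aligned SPF is all DMARC needs. And with strict aspf, mail sent from mail.example.com with a From: of example.com fails alignment despite a valid SPF result, which is why a DKIM signature for the exact From: domain is needed alongside SPF.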

How do I defend against AI powered phishing?

AI-generated phishing removes the classic tells (poor grammar, generic greetings) and makes personalization cheap at scale, so defenses should rely on controls that do not depend on the user spotting the lure, backed by robust Identity and Access Management (IAM) so that a compromised account has limited reach.
- Deploy phishing-resistant MFA (FIDO2/WebAuthn) so harvested passwords and one-time codes are useless to the attacker
- Audit IAM permission levels and remove standing privilege that a single stolen identity could exercise
- Use email security that evaluates sender behaviour and reputation, not only known-bad content
- Update awareness programs to teach verification habits (out-of-band confirmation, checking the real destination) rather than spotting typos