Phishing 101

Phishing is so prevalent these days, it's hard to imagine anyone's who's not aware of this threat. However, do you know all that you should about this pesky threat? If not, read on so that you're as up-to-date and ready to deal with it. 

That said, here are some of the more important concepts to understand and learn to help you protect your critical systems and information...

Phishing is a form of social engineering in which a cyber threat actor poses as a trustworthy colleague, acquaintance, or organization to lure a victim into providing sensitive information or network access. The lures can come in the form of an email, text message, or even a phone call. If successful, this technique could enable threat actors to gain initial access to a network and affect the targeted organization and related third parties. The result can be a data breach, data or service loss, identity fraud, malware infection, or ransomware.

Phishing susceptibility is the likelihood of an individual becoming a victim of a phishing attempt. High susceptibility increases the likelihood that cyber threat actors can exploit their target. 


1. Select the Bait

Threat actors pose as colleagues, acquaintances, or reputable organizations and solicit sensitive
information or lure victims into downloading and executing malware. Bait typically consist of an email
with a subject line that entices the user into opening the email, e.g., the subject line contains an
alert, an action, or request for information. CISA Phishing Campaign Assessments revealed these
most successful subject lines:

  • Financial security alerts and updates 
  • Organization-wide announcements and updates 
  • User-specific alerts, such as training updates 

2. Set the Hook

A single bite can lead to successful exploitation. Threat actors set multiple hooks to increase their chance of success and then wait for a victim to take the bait. 


3. Reel in the Catch of the Day

The threat actor reels in the catch of the day when an email is not blocked by network border or endpoint protections and reaches a victim who replies with valuable information or executes a spoofed link or attachment. The threat actor can then feast on sensitive information, credentials, or the ability to compromise the endpoint via malware disguised as links and attachments. 

  • 70% of all attached files or links containing malware were not blocked by network border protection services
  • 15% of all malicious attachments or links were not blocked by endpoint protections, which are set up to reduce the amount of unwanted or malicious activity
  • Within the first 10 minutes of receiving a malicious email, 84% of employees took the bait by either replying with sensitive information or interacting with a spoofed link or attachment
  • 13% of targeted employees reported the phishing attempts. Employee failure to report phishing attempts limits the organization's ability respond to the intrusion and alert others to the threat. 

actions to prevent being hooked 

1. Block the Bait

Implement strong network border protections — as an initial barrier to reduce the opportunity for
a successful phishing attempt to further its damage. 

Configure email servers to utilize protocols designed to verify the legitimacy of email communications, like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting, and Conformance (DMARC) [CPG 8.3].

Incorporate denylists or cyber threat intelligence feeds into firewall rules to block known malicious
domains, URLs, and IP addresses. 
Mobility shines a spotlight on new risks, as sensitive information is carried outside the four walls of your office. Understand your company's requirements for data protection, especially in highly sensitive environments where there may be legal or compliance issues or special protection needs for senior executives’ communications.

2. Don't Take the Bait

Educate employees to recognize common indicators of phishing, such as suspicious sender email addresses, generic greetings, spoofed hyperlinks, spelling or layout errors, and suspicious attachments [CPG 4.3]. 

Teach employees to keep their guard up on all communications platforms, including social media, and flag suspicious correspondence for security review [CPG 4.3]. 

3. Report the Hook

Educate employees on what to do when they receive a phishing email—regardless of whether
they fell for it [CPG 4.3]:

  • Report the email to the appropriate security teams
  • Do not forward the malicious email to others within the organization

When employees report malicious communications, incident responders analyze the threat in the hopes of preventing the threat actor from widening the intrusion [CPG 7.1, 7.2]:

  • Incident responders can determine if the attack was an isolated incident or if it is an attack across the organization
  • Incident responders can identify indicators to implement within the security protection mechanism to prevent the attack from impacting the entire organization

4. Protect the Waters

After obtaining initial access via a successful phishing attempt, threat actors will often try to take control of its victim’s account or devices to move laterally within the organization’s network. To protect the network: 

  • Enforce phishing-resistant multifactor authentication to secure resources and protect from lateral movement [CPG 1.3]
  • Review and reduce the number of accounts with access to critical data and devices [CPG 1.7]
  • Restrict administrative password sharing and re-use and remove non-essential elevated privileges from users to reduce opportunities for privilege escalation [CPG 1.5, 1.6]
  • Add protection at the endpoint as the last line of defense between the user and a threat actor’s attack.
    • Automate mandatory security updates for browsers, applications, software, and antivirus on all internet-accessible end user devices [CPG 5.1]
    • Implement software restriction policies to allow only software necessary for business  purposes on end user devices [CPG 2.1, 2.2]
    • Implement an endpoint detection and response (EDR) solution to further monitor for and block malicious activity on end user devices
  • Continually assess and evaluate defense mechanisms by enrolling in no-cost CISA services, such as Phishing Campaign Assessments, to reduce risk [CPG 5.6]


So there you have it. A helpful overview as to how phishing works and how you can protect your information and systems. While it looks like a whole lot of work to protect yourself, naturally it's much easier if you work with the right technology partner, like FPA, to secure you. You shouldn't have to worry about all of this; you have a business to run!

What do you think? Has this info been helpful? What are you doing to prevent you and your business from this threat? Please let us know in the Comments box below or shoot me an email if you’d like to discuss this in more detail.

Managed Security Services

Subscribe here to get our "2 Minute Tuesday" email for valuable tips & tricks!


Craig Pollack

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.