Social engineering

Phishing

Tricking users into revealing passwords or sensitive info via fake emails, sites, or messages.

What it is

Phishing is when an attacker impersonates a trusted brand or person to get a victim to hand over credentials, install malware, or wire money.

How attackers exploit it

Attackers register lookalike domains, copy your branding, and send mass emails or targeted (spear-phishing) messages. They often defeat code-based 2FA by routing the victim through a real-time (adversary-in-the-middle) proxy that relays the login to the genuine site.

How to protect against it

  • Publish strong SPF, DKIM, and DMARC records so providers can reject spoofed mail.
  • Use phishing-resistant 2FA (passkeys / WebAuthn) instead of SMS.
  • Train staff with simulated phishing and short, clear reporting steps.
  • Use a password manager — it won't autofill on lookalike domains.
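Two of the mitigations above rest on checks that are easy to show in code: whether a domain's SPF and DMARC records actually let receivers reject spoofed mail, and the strict origin match a password manager performs before autofilling (which is why it stays silent on a lookalike domain). The following is an added example written for this page, not code from the original article; the domain names and DNS record strings in it are constructed sample data, and the helper names are this example's own.

```python
"""Added example (not from the original article): two defender-side checks
behind the mitigations listed above.

1. evaluate_mail_auth(): parse SPF and DMARC TXT records and report whether the
   domain's policy lets receivers reject spoofed mail.
2. password_manager_would_fill(): the exact origin match a password manager
   performs before autofilling, which is why it will not fill on lookalikes.

All domain names and record strings below are constructed sample data.
"""
import re
from urllib.parse import urlsplit

# --- 1. SPF / DMARC policy strength ----------------------------------------

def parse_spf(record: str) -> dict:
    """Return the SPF 'all' qualifier ('-', '~', '?', '+' or None) and mechanism count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"   # a bare 'all' means +all
    return {"all": all_qualifier, "mechanisms": len(terms) - 1}


def parse_dmarc(record: str) -> dict:
    """Return DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def evaluate_mail_auth(spf_record: str, dmarc_record: str) -> list:
    """Return a list of weaknesses; an empty list means receivers can reject spoofs."""
    findings = []
    spf = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none")
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unknown senders (needs -all, or ~all with DMARC p=reject)")
    elif spf["all"] == "~" and policy != "reject":
        findings.append("SPF softfail (~all) without DMARC p=reject: spoofs are only marked, not rejected")
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is only reported, never rejected")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofs land in spam rather than being rejected")
    pct = int(dmarc.get("pct", "100"))
    if pct < 100 and policy != "none":
        findings.append(f"DMARC pct={pct}: policy is applied to only {pct}% of mail")
    if "rua" not in dmarc:
        findings.append("no rua= address: you will not receive aggregate reports of spoofing attempts")
    return findings


# Constructed sample records: a weak setup beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mail-provider.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

# --- 2. Password-manager origin matching -----------------------------------

def password_manager_would_fill(saved_url: str, current_url: str) -> bool:
    """Autofill only when both pages are HTTPS and the hostnames match exactly.

    No prefix, suffix or 'close enough' tolerance: that strictness is what
    keeps a manager from filling on examp1e.com or example.com.evil.example.
    """
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    return (
        saved.scheme == "https"
        and current.scheme == "https"
        and saved.hostname is not None
        and saved.hostname.lower() == (current.hostname or "").lower()
    )


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: {evaluate_mail_auth(spf, dmarc) or 'no findings'}")
    saved = "https://login.example.com/"
    for candidate in ("https://login.example.com/session",
                      "https://login.examp1e.com/",
                      "https://login.example.com.evil.example/"):
        print(candidate, "->", "fill" if password_manager_would_fill(saved, candidate) else "no fill")
```

Running the file prints three findings for the weak pair (no failing SPF qualifier, DMARC p=none, no reporting address) and none for the corrected pair, then shows that only the genuine hostname gets an autofill. The records are plain TXT strings, so you can paste your own domain's SPF and DMARC values into the two constants to evaluate them offline.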

Reference videos

How phishing attacks work (IBM Technology)
Anatomy of a real phishing kit (John Hammond)

Further reading
