What is a phishing attack?
A phishing attack is a deliberate attempt by cybercriminals to trick employees into handing over passwords, payment details or access to company systems. It is the most common cyber threat facing businesses - and also the most underestimated.
Definition: what is a phishing attack?
The term phishing is a blend of "fishing" and "phreaking" (an early hacker term). The attacker "casts a line" and waits for someone to bite. In practice, this means a fake email, fake website or fake document that looks exactly like the real thing, designed to steal credentials or data.
A phishing attack always targets human behaviour, not technical vulnerabilities. The attacker exploits trust, urgency or curiosity to get someone to click. That is also why technical security measures alone are insufficient - the employee remains the last line of defence.
How does a phishing attack work, step by step?
A typical phishing attack unfolds in four stages:
- Preparation: The attacker selects a target - an employee, department or organisation. They gather information via LinkedIn, the company website or previously leaked data to make the attack convincing.
- Sending: A fake email is sent from an address that resembles a trusted sender - for example invoicing@rnicros0ft.com instead of microsoft.com. Modern phishing emails are virtually identical to genuine ones.
- Action: The recipient clicks a link, opens an attachment or enters login credentials on a cloned website. This is the moment the attack succeeds - or fails if the employee is alert enough.
- Exploitation: With the stolen credentials, the attacker logs into company systems, redirects invoices, encrypts files with ransomware or sells the data on the dark web.
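As an added example (not code from the original article), here is a small Python check that a mail gateway or SOC analyst could run over From: headers to flag lookalike sender domains such as the rnicros0ft.com address in the Sending stage above. The trusted-domain list, the homoglyph table and the sample headers are constructed for illustration.

```python
import re

# Constructed for this example: domains the organisation treats as genuine senders
TRUSTED_DOMAINS = {"microsoft.com", "example-supplier.nl"}

# Character substitutions commonly used to build lookalike domains (fake -> genuine)
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

def fold_homoglyphs(domain):
    """Rewrite a domain so that visually similar spellings compare equal."""
    folded = domain.lower()
    # Two-character substitutions first, so "rn" becomes "m" before single characters are handled
    for fake, real in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(fake, real)
    return folded

def sender_domain(from_header):
    """Extract the domain from 'Display Name <user@host>' or a bare 'user@host'."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()

def classify_sender(from_header):
    """Return 'trusted', 'lookalike' or 'unknown' for one From: header."""
    domain = sender_domain(from_header)
    folded = fold_homoglyphs(domain)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"        # the genuine domain or one of its subdomains
        if folded == fold_homoglyphs(trusted):
            return "lookalike"      # e.g. rnicros0ft.com folds to microsoft.com
        if domain.startswith(trusted + ".") or ("." + trusted + ".") in domain:
            return "lookalike"      # e.g. microsoft.com.<attacker-domain>: trusted name as a prefix
    return "unknown"

# Constructed sample From: headers, including the rnicros0ft.com example from the article
SAMPLE_FROM_HEADERS = [
    "Microsoft Invoicing <invoicing@rnicros0ft.com>",
    "accounts@microsoft.com",
    "billing@microsoft.com.secure-portal-login.example",
    "jan@unrelated.example",
]

def triage(headers):
    """Classify every header; a gateway would hold the 'lookalike' ones for review."""
    return {header: classify_sender(header) for header in headers}
```

Running `triage(SAMPLE_FROM_HEADERS)` flags the first and third headers as lookalikes, accepts the genuine microsoft.com sender, and leaves the unrelated domain as unknown.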
Real-world examples of phishing attacks on businesses
Phishing attacks are not an abstract problem. They hit Dutch businesses every day:
Fake supplier invoice
A finance employee receives an email that appears to come from a regular supplier. The bank account number has changed. Without verification, a payment of €18,000 is transferred to the criminal's account.
Fake Microsoft login page
Employees receive an email warning that their Microsoft 365 account will be suspended. A link leads to a cloned login page. Within an hour, the attacker has full access to the mailbox, including customer data and contracts.
CEO fraud at an SME
An employee receives an email appearing to be from the CEO: "I'm in a meeting and urgently need an emergency transfer. Please keep this discreet." The email address looks correct but has a subtle variation that goes unnoticed.
Ransomware via attachment
An HR employee opens an attachment in a job application email. The file contains a macro that installs ransomware. Within 24 hours all files on the network are encrypted and a ransom demand of €50,000 follows.
Why are phishing attacks so effective?
Phishing attacks succeed because they exploit psychological mechanisms that nobody can fully switch off:
- Urgency: "Your account will be suspended in 2 hours" - nobody takes time to check.
- Authority: An email from the CEO or HMRC automatically triggers compliance.
- Trust: When something looks familiar, vigilance drops immediately.
- Curiosity: "Track your parcel" or "Your salary has been adjusted" provokes clicks.
- Scarcity: "Offer valid today only" leads to impulsive clicking without thinking.
Key statistic: 91% of all cyber attacks begin with a phishing email. Even well-trained employees click an average of 1 in 5 phishing emails on a first test.
How can businesses protect themselves against phishing attacks?
Effective protection consists of three reinforcing layers:
1. Technical measures
Spam filters, email authentication (SPF, DKIM, DMARC), multi-factor authentication (MFA) and DNS filtering significantly reduce the attack surface. They filter out most automated attacks, but not carefully crafted targeted ones.
2. Awareness training
Employees learn through e-learning modules what phishing is, how to recognise it and what to do when they receive a suspicious email. Knowledge alone is not enough - it needs to be practised.
3. Phishing simulations
The most effective protection method is a controlled phishing simulation: a fake attack on your own organisation, run with formal authorisation. Employees learn through experience - and you discover exactly where the vulnerabilities lie.
Companies that run regular simulations see an average 70% reduction in successful attacks after the first year. That is the power of learning by doing.
Do you know how vulnerable your employees are?
CoBoo runs phishing simulations for companies with 20 to 250 employees. Find out exactly who would click - and we help you fix it.