Phishing

A social engineering attack that tricks users into revealing credentials, clicking malicious links, or downloading malware by impersonating a trusted entity.

Phishing is one of the most common initial access vectors seen in real incidents. Attackers impersonate a trusted entity (a bank, a colleague, a service provider) to trick you into revealing sensitive information, clicking a malicious link, or downloading malware; the stolen credentials or the installed malware then become the attacker's way into the organisation.

Types of Phishing

  • Email phishing: Mass-sent emails that mimic legitimate services (“Your account has been suspended, click here to verify”).
  • Spear phishing: Targeted attacks against specific individuals, often using personal details gathered from LinkedIn or company websites.
  • CEO fraud / business email compromise: Attackers impersonate executives to request wire transfers or sensitive data from employees.
  • SMS phishing (smishing): Phishing via text messages, often impersonating delivery services or banks.
  • AI-powered phishing: With tools like large language models, attackers can now generate highly convincing, personalized phishing messages at scale, in any language.

Why Phishing Works

The lure exploits trust and urgency rather than a technical vulnerability; any technical damage comes afterwards, through the credential-harvesting page or the malicious attachment the lure leads to. Even security-aware employees make mistakes when under pressure, and a well-crafted spear phishing email can be nearly indistinguishable from a legitimate message.

How to Reduce Phishing Risk

  • Password managers: Auto-fill only works on the origin the login was saved for, so a lookalike phishing site won't trigger the fill. This is one of the most effective passive defenses, provided users treat a missing auto-fill as a warning sign rather than pasting the password in by hand.
  • 2FA: Even if credentials are stolen, 2FA makes account takeover much harder, but not impossible: SMS and app-generated codes can be relayed in real time by an adversary-in-the-middle phishing page, and push prompts can be approved out of fatigue. FIDO2/WebAuthn hardware keys bind the credential to the site's origin, so a lookalike site cannot obtain a valid response; this is why they are considered phishing-resistant.
  • Email filtering: Modern email security tools detect and quarantine phishing attempts before they reach inboxes. Publishing and enforcing SPF, DKIM and DMARC for your own domains also makes it harder for attackers to send mail that appears to come from them.
  • Training: Regular, realistic phishing simulations help employees recognize attacks.
  • Reporting culture: Make it easy and blame-free to report suspicious messages.
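Both the password manager and the hardware key defend against phishing in the same way: the credential is bound to the site's origin, so a lookalike domain never gets to use it. The following example, added here to illustrate the point and not code from any password manager, browser or WebAuthn library, shows the two checks side by side: a strict origin match for auto-fill (contrasted with a naive substring match) tested against lookalike domains including an IDN homograph, and a simplified WebAuthn-style assertion in which the browser writes the real page origin into clientDataJSON and the relying party rejects anything else. The domains, challenge, credential store and the HMAC stand-in for the key's asymmetric signature are all constructed for the demo.

```python
"""Origin binding as a phishing defense: password-manager auto-fill rules and a
simplified WebAuthn-style assertion.  Illustrative code only; the HMAC
"signature" stands in for the security key's ECDSA/EdDSA signature."""
import hashlib
import hmac
import json
from urllib.parse import urlsplit


def normalize_host(url):
    """Lower-cased, IDNA (punycode) form of an https URL's host, or None if the
    URL is not https.  Punycode conversion is what stops a Cyrillic 'а' in
    'pаypal.com' from comparing equal to the Latin 'paypal.com'."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.encode("idna").decode("ascii")


def same_site(host, site):
    """Exact match or a subdomain match at a label boundary, so
    'paypal.com.evil.net' does not count as part of 'paypal.com'."""
    return host == site or host.endswith("." + site)


def autofill_allowed(stored_url, page_url):
    """Password-manager rule: fill only on the saved site (or a subdomain of
    it) and only over https."""
    stored, page = normalize_host(stored_url), normalize_host(page_url)
    return stored is not None and page is not None and same_site(page, stored)


def naive_autofill_allowed(stored_url, page_url):
    """The substring check a careless implementation might use: fooled by
    'paypal.com.evil.net' and by a plain-http clone of the site."""
    return (urlsplit(stored_url).hostname or "") in (urlsplit(page_url).hostname or "")


def authenticator_sign(secret, rp_id, client_data):
    """What the key does for a credential it holds for rp_id: build
    authenticatorData = rpIdHash || flags (UP set) || signCount and sign
    authData || SHA-256(clientDataJSON).  HMAC stands in for the private key."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return auth_data, sig


def browser_get_assertion(authenticator, page_url, rp_id, challenge):
    """Browser side of navigator.credentials.get(): the origin written into
    clientDataJSON is the one actually shown to the user, and an rpId that is
    not that origin's host (or a parent of it) is refused outright.
    'authenticator' maps rpId -> credential secret (constructed stand-in)."""
    host = normalize_host(page_url)
    if host is None or not same_site(host, rp_id):
        return None  # rpId does not belong to the page origin
    secret = authenticator.get(rp_id)
    if secret is None:
        return None  # the key holds no credential for this rpId
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": "https://" + host},
        sort_keys=True).encode()
    auth_data, sig = authenticator_sign(secret, rp_id, client_data)
    return client_data, auth_data, sig


def verify_assertion(secret, expected_origin, rp_id, challenge, client_data, auth_data, sig):
    """Relying-party side: type, challenge, origin, rpIdHash and signature must
    all check out.  A relayed assertion from a phishing origin fails the origin
    check even if every other field was forwarded perfectly."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    _, expected_sig = authenticator_sign(secret, rp_id, client_data)
    return hmac.compare_digest(sig, expected_sig)


if __name__ == "__main__":
    saved = "https://paypal.com/login"
    pages = ["https://www.paypal.com/signin", "https://paypal.com.evil.net/login",
             "https://p\u0430ypal.com/login",  # Cyrillic 'а' homograph
             "http://paypal.com/login"]
    for page in pages:
        print(f"{page:40} strict={autofill_allowed(saved, page)} naive={naive_autofill_allowed(saved, page)}")

    key = {"bank.example": b"credential-secret-for-bank"}   # constructed credential store
    challenge = "c2VydmVyLXJhbmRvbS1jaGFsbGVuZ2U"           # constructed server challenge
    genuine = browser_get_assertion(key, "https://login.bank.example/", "bank.example", challenge)
    print("genuine login accepted:",
          verify_assertion(key["bank.example"], "https://login.bank.example", "bank.example", challenge, *genuine))
    # Adversary-in-the-middle page on a lookalike domain relays the real challenge:
    print("phishing page gets an assertion:",
          browser_get_assertion(key, "https://login.bank-example.com/", "bank.example", challenge))
```

Note that the relying-party check in verify_assertion is deliberately redundant with the browser's rpId check: a phishing page cannot even request an assertion for the bank's rpId, and if a tampered client ever produced one, the origin recorded inside the signed clientDataJSON would still be the wrong one.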

Phishing and Swiss Regulations

Under the nDSG, a successful phishing attack that leads to a data breach must be reported to the FDPIC as soon as possible where the breach is likely to result in a high risk to the affected persons. Operators of critical infrastructure must additionally report the cyberattack to BACS within 24 hours of discovering it, under the Information Security Act (ISG). Being able to demonstrate that reasonable anti-phishing measures were in place can mitigate liability.