Phishing
Phishing is the fraudulent message, most often email, that starts most breaches. Attackers impersonate a trusted party to trick recipients into revealing credentials, paying money, granting access or installing malware.
Phishing is the use of fraudulent messages, most often email, that impersonate a trusted party to trick recipients into revealing credentials, paying money, granting access or installing malware. It remains the most common starting point of successful breaches, and generative AI has removed its classic tells.
Key facts
- Phishing is a family, not a single attack. Mass phishing, spear phishing, whaling, BEC, quishing, smishing and consent phishing differ in channel and targeting but share the same psychology.
- The costliest variants often contain no link or attachment at all, which defeats filters that only scan payloads.
- AI-written phishing is fluent in every language; grammar-based "spot the phish" advice is obsolete.
The phishing family tree
| Variant | Channel / technique | Target |
|---|---|---|
| Mass phishing | Bulk email, fake brands | Anyone |
| Spear phishing | Personalized email | A researched individual |
| Whaling | Executive-grade personalization | Executives, or staff in their name |
| Business email compromise | Payload-free fraud in email threads | Whoever can move money |
| Quishing | QR codes in email or print | Mobile users, off the protected device |
| Smishing | SMS | Employees on personal phones |
| Consent phishing | Fake OAuth app permission requests | The account itself, bypassing passwords |
How a modern phishing attack lands
The pattern is consistent across variants: a credible sender (spoofed, lookalike or genuinely compromised), a pretext that justifies the ask, pressure (urgency, authority, confidentiality), and an action that looks routine: click, reply, scan, approve. Increasingly the first message is clean smalltalk to build trust before anything malicious appears, and the attack may hop channels (email to SMS to voice) to escape email security entirely.
Defense that survives 2026
Three layers, in order of leverage: behavioral email security that judges sender, relationship and intent rather than just payloads; verification procedures for money, credentials and data requests through a second known channel; and training focused on social engineering levers rather than yesterday's scam formats. MFA everywhere, with the caveat that consent phishing bypasses passwords and MFA by stealing permissions instead.
How Sentaro stops phishing
Sentaro's AI Threat Intelligence Agent evaluates every message across Message, Domain, App and Behavioral Intelligence layers: intent in the text, infrastructure behind the sender, OAuth permission requests, and deviation from each relationship's normal. Built AI-native for the payload-free, AI-written era of phishing, on Google Workspace and Microsoft 365.
FAQ
What is phishing in simple terms?
Fraudulent messages that pretend to be someone you trust to steal credentials, money or access. Email is the main channel, but SMS, QR codes and fake app permission requests are part of the same family.
What are the main types of phishing?
Mass phishing, spear phishing (targeted), whaling (executives), business email compromise (payment fraud), quishing (QR codes), smishing (SMS) and consent phishing (OAuth permissions).
How do I recognize a phishing email?
Check the actual sender address, be suspicious of urgency and unusual requests, and verify payment or credential requests in a second channel. Do not rely on bad grammar; AI-written phishing has none.
What is the most dangerous type of phishing?
By financial damage, business email compromise: payload-free fraud that filters rarely catch and that redirects real payments. By stealth, consent phishing, which survives password changes and MFA.
Does spam filtering stop phishing?
It stops bulk phishing, not targeted attacks. Spear phishing, BEC and consent phishing are designed to pass content filters, which is why behavioral detection is the modern baseline.