Phishing is a social engineering attack where a threat actor impersonates a trusted entity — a bank, a vendor, or an executive — to trick a target into revealing credentials or transferring funds. Malware-delivery variants can also execute malicious code without any user interaction beyond a single click. The name derives from “fishing”: attackers cast a wide lure and wait for someone to bite. It remains the single most common initial attack vector in corporate data breaches worldwide.
How it Works
Phishing attacks arrive via three main vectors: email (the most common), SMS (smishing), and voice calls (vishing). Each uses social engineering to manufacture urgency.
A phishing attack typically begins with a deceptive message — usually an email, but increasingly SMS (smishing), voice calls (vishing), or direct messages on collaboration platforms. The message creates urgency or legitimacy: “Your account will be suspended” or “Your CEO needs you to wire funds urgently.” That manufactured pressure is designed to override the recipient’s caution.
The recipient is directed to click a link leading to a spoofed website that mimics a legitimate login page. When credentials are entered, the attacker captures them and gains access to the real account. In malware-delivery variants, clicking a link or opening an attachment installs ransomware, a keylogger, or a remote access trojan without any credential entry required.
Modern phishing kits are sophisticated. Attackers buy typosquatted domains (arnazon.com, rnicrosoft.com), obtain valid TLS certificates so the browser shows the padlock icon, and use adversary-in-the-middle proxies that relay the real site in real time, intercepting session tokens as they pass through so that MFA alone does not stop the takeover.
Business Email Compromise (BEC) is a high-value variant: attackers gain access to or convincingly spoof an executive’s email account to authorize fraudulent wire transfers or request sensitive payroll data. FBI data consistently ranks BEC as the highest-dollar-loss form of cybercrime.
Why it Matters for B2B
The B2B context makes phishing particularly consequential. Corporate accounts have access to financial systems, customer data, source code, and supplier networks. A single compromised account can lead to a supply-chain attack affecting the vendor’s entire customer base.
For SaaS companies, phishing attacks targeting customers can trigger breach notification obligations, regulatory fines under GDPR or HIPAA, and irreparable reputational damage. Enterprise buyers conduct security due diligence that explicitly asks how vendors prevent phishing against their employees and their customers’ users.
The financial cost is severe: average BEC losses run an order of magnitude higher than ransomware. Cyber insurance premiums now depend directly on measurable anti-phishing controls — MFA adoption, email authentication (SPF, DKIM, DMARC), and employee training records.
Operationally, phishing is the leading root cause of ransomware deployments. A ransomware event can shut down operations for days or weeks, costing far more in lost revenue and recovery costs than any security investment would have.
Real-World Examples
A 120-person SaaS company receives a convincing email appearing to come from their payroll software provider, warning of a required “security reauthorization.” Three employees enter their credentials on the spoofed page. Within hours, attackers have accessed payroll data for all staff and attempted to redirect direct-deposit accounts. The company had not enforced MFA on the payroll platform.
An e-commerce platform’s accounts payable team receives an email appearing to be from their regular supplier, with updated banking details and a legitimate-looking invoice. They process an $80,000 payment to an attacker-controlled account. The real supplier’s email domain could be spoofed because no DMARC policy was in place to tell receiving mail servers to reject unauthenticated mail claiming that domain.
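The email-authentication controls listed under “Why it Matters” (SPF, DKIM, DMARC) and the missing-DMARC supplier case above, as an added example that is not code from the original article or any vendor: a small Python evaluator that parses a DMARC record and shows the disposition a receiving mail server would apply to a message given its SPF and DKIM results. Domain names are constructed, and the organizational-domain logic is a two-label simplification (a real receiver consults the Public Suffix List).

```python
from __future__ import annotations

# Defaults RFC 7489 applies when a tag is absent from the record.
DMARC_DEFAULTS = {"p": "none", "adkim": "r", "aspf": "r"}

def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = dict(DMARC_DEFAULTS)
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. A real receiver
    # uses the Public Suffix List so that e.g. example.co.uk is handled.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str | None, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record: str | None, from_domain: str,
                      spf_domain: str | None, spf_pass: bool,
                      dkim_domain: str | None, dkim_pass: bool) -> str:
    """Return 'pass' if SPF or DKIM passes *and* aligns with the From: domain,
    otherwise the published policy ('none', 'quarantine' or 'reject').
    No record at all means no policy: the receiver has nothing to enforce."""
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

if __name__ == "__main__":
    # Constructed scenario: a forged invoice with From: supplier.example sent
    # from attacker infrastructure, so SPF fails and there is no DKIM signature.
    print(dmarc_disposition(None, "supplier.example", None, False, None, False))
    print(dmarc_disposition("v=DMARC1; p=reject", "supplier.example",
                            None, False, None, False))
```

With no record the forged invoice is delivered with no policy applied; with `p=reject` published, the same message is refused.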
A healthcare SaaS vendor’s customer success manager receives a Microsoft Teams message appearing to be from the CTO, asking for urgent access credentials to a client environment. The message comes from a compromised internal account. Because the company had implemented privileged access controls requiring a separate approval workflow, the attack is stopped before any data is accessed.
Related Terms
- Encryption — encrypting data at rest and in transit limits the damage attackers can do once they gain access via phishing.
- HIPAA — the US healthcare regulation that mandates security training and incident response plans covering phishing vectors.
- MDM — Mobile Device Management helps contain phishing damage by enforcing conditional access and enabling remote wipe of compromised devices.