Information Security / NIS2

Phishing

Phishing is a social engineering attack in which adversaries use forged emails, websites or messages to steal credentials or trick the victim into executing malicious code.

Phishing is a form of social engineering in which attackers exploit a pretended trust relationship to make their victims disclose sensitive information or carry out harmful actions. The attack typically arrives through forged emails, convincingly cloned login pages or messenger messages that impersonate a seemingly legitimate sender such as a bank, a cloud service or the victim's own IT department. The goal is to capture credentials such as usernames, passwords or one-time codes, or to get the victim to open an attachment or click a link that downloads malicious code.

Phishing is regularly the initial access vector for serious security incidents: stolen credentials enable attackers to log in to corporate systems, bypass protective mechanisms and, as a consequence, often spread ransomware. In addition to broadly scattered mass phishing, there are targeted variants such as spear phishing against individual employees and whaling against senior management; in the CEO fraud variant an authority figure is also impersonated in order to obtain fraudulent payment instructions. Multi-factor authentication, technical safeguards such as SPF, DKIM and DMARC, and phishing-resistant methods such as FIDO2 significantly reduce the risk.
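The paragraph above names SPF, DKIM and DMARC as technical safeguards. The following is an added illustration, not code from preeco or from this page, of how a receiving mail gateway turns those three checks into a decision: it reads the SPF and DKIM results from an Authentication-Results header, tests whether the authenticated domains align with the visible From: domain, and applies the sender domain's published DMARC policy. The header strings, domains and DMARC record are constructed, and the organisational-domain derivation is deliberately simplified (last two labels); a real implementation consults the Public Suffix List and also honours the `pct` and `sp` tags, which are ignored here.

```python
"""DMARC evaluation from an Authentication-Results header (added illustration,
not preeco's code). Sample domains, headers and the DMARC record are constructed."""
import re
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    # Simplification: last two labels as the organisational domain.
    # Real gateways use the Public Suffix List (e.g. for example.co.uk).
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(from_domain: str, authenticated: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organisational domains, strict ('s') exact names."""
    if not authenticated:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated.lower()
    return org_domain(from_domain) == org_domain(authenticated)


def parse_auth_results(header: str) -> dict:
    """Pull spf/dkim results and the domains they authenticated out of the header."""
    results = {}
    m = re.search(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=([^\s;]+))?", header)
    if m:
        # smtp.mailfrom may be a full address; only the domain part matters.
        results["spf"] = (m.group(1).lower(), (m.group(2) or "").split("@")[-1].lower())
    m = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([^\s;]+))?", header)
    if m:
        results["dkim"] = (m.group(1).lower(), (m.group(2) or "").lower())
    return results


def parse_dmarc_record(record: str) -> dict:
    """Split a 'v=DMARC1; p=...' TXT record into its tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def dmarc_verdict(from_header: str, auth_results: str, dmarc_record: str) -> dict:
    """DMARC passes if SPF or DKIM passed *and* its domain aligns with the From: domain.
    On failure the disposition is the policy's p= tag (none / quarantine / reject)."""
    from_domain = parseaddr(from_header)[1].split("@")[-1].lower()
    policy = parse_dmarc_record(dmarc_record)
    ar = parse_auth_results(auth_results)
    spf_result, spf_domain = ar.get("spf", ("none", ""))
    dkim_result, dkim_domain = ar.get("dkim", ("none", ""))
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": passed,
        "disposition": "none" if passed else policy.get("p", "none"),
    }


# Constructed policy for the impersonated domain and two constructed messages.
EXAMPLE_POLICY = "v=DMARC1; p=quarantine; adkim=r; aspf=r"
LEGIT_AR = ("mx.example.com; spf=pass smtp.mailfrom=bounce@mail.example.com; "
            "dkim=pass header.d=example.com")
SPOOF_AR = ("mx.example.com; spf=pass smtp.mailfrom=bounce@attacker-mail.example; "
            "dkim=none")

if __name__ == "__main__":
    for label, ar in (("legitimate", LEGIT_AR), ("impersonation", SPOOF_AR)):
        print(label, dmarc_verdict("IT Support <it-support@example.com>", ar, EXAMPLE_POLICY))
```

The spoofed message in the sample passes SPF for the attacker's own bounce domain, which is exactly why SPF alone is not enough: only the alignment step ties the authenticated domain back to the address the user actually sees, and only a published `p=quarantine` or `p=reject` policy makes the receiver act on the mismatch.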

Within information security, standards and supervisory regimes require organisations to deal effectively with the threat of phishing. ISO/IEC 27001, together with its Annex A, calls among other things for measures to raise staff awareness and provide training as well as for access management. The NIS2 Directive and its national transpositions oblige essential and important entities to implement cyber hygiene measures, awareness training and incident reporting that can also cover successful phishing attacks. An effective Information Security Management System therefore combines technical controls, organisational processes and continuous training into a multi-layered defence concept.

Legal Basis

ISO/IEC 27001 (Annex A, incl. A.6 security awareness, A.8 access management); Art. 21 NIS2 Directive (EU) 2022/2555; BSI IT-Grundschutz (incl. ORP.3, CON.3)

Practical Example

An information security officer discovers that several employees have received an email allegedly from the internal IT support team, which uses a pretext to demand immediate confirmation of login details via a link. She locks the affected account of an employee who has already entered their credentials, resets the password and reviews the login logs for suspicious access. She then documents the incident in the incident response process, informs senior management and assesses whether a reporting obligation applies. In parallel, she launches a short-notice awareness campaign with simulated phishing emails to measurably increase the workforce's vigilance.
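The log review in the practical example can be made systematic. The following is an added illustration, not preeco's code or a product feature, of one way to do it: the successful logins of the affected account before the time the credentials were entered form a baseline of known sources (source IP and user agent), and every successful login after that time from a source outside the baseline is flagged and its session marked for revocation. The JSON-lines log format, the field names and all log entries are constructed for the example.

```python
"""Post-phishing account triage against an authentication log (added illustration,
not preeco's code). Log format, field names and every line below are constructed."""
import json
from datetime import datetime

# Constructed authentication log: one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-05-02T08:01:12Z", "user": "m.mueller", "ip": "10.20.30.40", "ua": "Outlook/16.0", "result": "success"}
{"ts": "2024-05-03T08:05:40Z", "user": "m.mueller", "ip": "10.20.30.40", "ua": "Outlook/16.0", "result": "success"}
{"ts": "2024-05-06T09:15:03Z", "user": "m.mueller", "ip": "10.20.30.40", "ua": "Outlook/16.0", "result": "success"}
{"ts": "2024-05-06T09:47:51Z", "user": "m.mueller", "ip": "203.0.113.77", "ua": "Mozilla/5.0 (X11; Linux)", "result": "failure"}
{"ts": "2024-05-06T09:48:10Z", "user": "m.mueller", "ip": "203.0.113.77", "ua": "Mozilla/5.0 (X11; Linux)", "result": "success"}
{"ts": "2024-05-06T10:02:33Z", "user": "a.schmidt", "ip": "198.51.100.9", "ua": "Mozilla/5.0", "result": "success"}
"""


def parse_ts(value: str) -> datetime:
    # ISO 8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text: str) -> list:
    """Parse JSON lines into event dicts, adding a parsed datetime under 't'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["t"] = parse_ts(event["ts"])
        events.append(event)
    return events


def triage_account(events: list, user: str, credentials_entered_at: str) -> dict:
    """Compare the account's logins after credential entry with its earlier baseline.

    baseline_sources:  (ip, user agent) pairs seen in successful logins before t0
    suspicious_logins: successful logins at/after t0 from a source not in the baseline
    revoke_sessions:   the distinct sources of those logins, for session revocation
    """
    t0 = parse_ts(credentials_entered_at)
    own = [e for e in events if e["user"] == user]
    baseline = {(e["ip"], e["ua"]) for e in own if e["t"] < t0 and e["result"] == "success"}
    suspicious = [
        e for e in own
        if e["t"] >= t0 and e["result"] == "success" and (e["ip"], e["ua"]) not in baseline
    ]
    return {
        "baseline_sources": sorted(baseline),
        "suspicious_logins": suspicious,
        "revoke_sessions": sorted({(e["ip"], e["ua"]) for e in suspicious}),
    }


if __name__ == "__main__":
    # The employee reported entering credentials on the phishing page at 09:40 UTC.
    report = triage_account(parse_log(SAMPLE_LOG), "m.mueller", "2024-05-06T09:40:00Z")
    for login in report["suspicious_logins"]:
        print("suspicious login:", login["ts"], login["ip"], login["ua"])
    print("revoke sessions from:", report["revoke_sessions"])
```

The baseline approach is deliberate: a login from the employee's usual workstation after the incident is not interesting, whereas the first success from a source never seen for that account is the access the officer must terminate together with the password reset. The failed attempt a few seconds before the success is kept out of the result but is worth noting when documenting the timeline.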

FAQ

Ordinary phishing is sent broadly and untargeted to many recipients. Spear phishing is aimed specifically at individual people or organisations and uses pre-researched, personal information to appear especially credible. This makes such attacks harder to detect and considerably more likely to succeed.

Multi-factor authentication makes phishing considerably harder, because a stolen password alone is no longer sufficient. However, classic one-time codes can be intercepted in real time. Phishing-resistant methods such as FIDO2 or passkeys therefore offer significantly stronger protection.

An ISMS based on ISO/IEC 27001 requires a combination of technical and organisational measures. These include regular awareness training, email security with SPF, DKIM and DMARC, strict access management and an incident response process for successful attacks.

How preeco supports you

Learn how our software supports you with this topic.