Ransomware Defenders
Cybersecurity Glossary

Phishing

Fraudulent communications — typically emails — disguised as legitimate sources, designed to trick recipients into revealing credentials, clicking malicious links, or downloading malware.

Understanding Phishing

Phishing is the most common initial access vector for ransomware attacks, involved in approximately 75-94% of incidents. Attackers craft emails that impersonate trusted entities — colleagues, vendors, banks, or service providers — to manipulate victims into taking actions that compromise security. These actions include clicking malicious links that lead to credential harvesting pages, opening weaponized attachments that install malware, or transferring funds to attacker-controlled accounts.

Phishing attacks range from mass-distributed spam campaigns to highly targeted spear-phishing operations. Modern phishing has grown increasingly sophisticated: attackers use adversary-in-the-middle (AiTM) techniques to intercept multi-factor authentication tokens in real time, QR codes to bypass email security filters, and thread hijacking (replying to legitimate email conversations from compromised accounts) to establish trust.

Phishing and Ransomware

In the ransomware context, phishing serves two primary purposes: delivering malware loaders that establish initial access to a victim network, and harvesting credentials that allow attackers to authenticate directly to VPNs, email accounts, or cloud services. Both paths lead to the same outcome — a foothold from which the attacker can conduct reconnaissance, escalate privileges, and eventually deploy ransomware. Effective phishing defenses include email authentication (SPF, DKIM, DMARC), advanced email filtering with attachment sandboxing and URL analysis, phishing-resistant MFA (FIDO2/WebAuthn), and regular security awareness training with phishing simulations.
