I. Defining the context of the threat
1. Definition of the risk
Phishing is a social-engineering attack that deceives a user into disclosing sensitive information (credentials, passwords) or clicking a malicious link. Attacks can be carried out by email, SMS (smishing) or phone calls (vishing). The goal is to impersonate a trusted identity in order to obtain data or install malicious software.
In companies, phishing is a major threat because a single human error can allow an attacker to access the information system or compromise confidential data.
2. Key figures (2024–2026)
Incidence and cost of phishing
Phishing represents 60% of attacks reported by companies according to the CESIN 2023 barometer.
According to IBM’s annual report on the cost of data breaches, in 2024–2025 phishing represented about 16% of data breach incidents, with an average cost per attack of about 4.8 million dollars for the companies concerned. This shows the high financial impact these attacks can have on organizations.
Global financial losses due to phishing could reach between 12.2 and 14.7 billion dollars in 2026.
71% of ransomware attacks start with a phishing attack according to 2026 data.
Adoption and success
A study shows that 44% of users click on phishing links simply because they think the email is legitimate.
In some simulations, compromise rates can reach 10% or more, depending on the type of attack and the environment.
Total number of incidents analyzed
→ The ENISA report analyzes 4,875 incidents in total over one year (July 2024–June 2025) in all the Member States of the European Union.
This gives an idea of the overall scale of attacks, among which phishing is the dominant initial access method.
Other vectors compared
→ Still according to ENISA, after phishing:
≈ 21.3% of intrusions come from vulnerability exploitation,
≈ 9.9% via botnets,
≈ 8% via malicious applications.
This shows that phishing is the most frequently used method.
Important fact: phishing targeting companies is often more sophisticated (BEC — Business Email Compromise) and can cost hundreds of thousands of dollars in direct and indirect losses.
3. Concrete examples of phishing
🔹 Orion Chemical Manufacturing attack (2024)
In August 2024, the company Orion Chemical Manufacturing suffered a BEC phishing attack. An employee was tricked by a fraudulent email resembling internal correspondence and carried out several financial transfers to accounts controlled by cybercriminals, resulting in an estimated loss of about 60 million dollars.
🔹 Mass targeting of major brands
Google and Facebook were trapped by phishing attacks involving fraudulent invoices that caused them to lose more than 100 million dollars each.
🔹 In June 2019, a U.S. healthcare network (PIH Health) suffered a phishing attack that compromised 45 employee email accounts and exposed the protected personal data of 189,763 patients. This attack led to an investigation by the Office for Civil Rights of the Department of Health and Human Services and a fine of 600,000 dollars for non-compliance with data protection rules (HIPAA). This case illustrates how a phishing campaign can lead to a massive data breach and significant financial penalties for organizations.
🔹 An employee may receive a fake email from the IT department requesting an urgent password reset. Another common example is the fake delivery message containing an infected attachment. There are also more targeted attacks, such as CEO fraud, where the attacker pretends to be an executive to request a bank transfer.
II. The technical foundations of phishing
The technical foundations of phishing bring together all the tools, methods and IT infrastructures used by attackers to design, distribute and make their attacks credible. These technical elements allow phishing to be effective and difficult to detect.
For successful phishing, it is not enough just to deceive the user: attackers exploit technical weaknesses in communication systems, authentication, messaging protocols or application protections. That is why understanding the technical basics is essential to put effective defense measures in place in companies.
1. Technical means used by attackers
Cybercriminals use email sending systems capable of distributing fraudulent messages on a large scale or in a targeted way. Emails are designed to look as legitimate as possible, with sender addresses similar to the originals, official logos and professional formatting.
The links present in the messages redirect to fraudulent websites, which are often exact copies of known sites (banks, cloud services, professional platforms). These sites are used to collect the credentials entered by victims.
Phishing attacks frequently use infected attachments, such as PDF, Word or Excel files. These files may contain scripts or malicious code that runs when the document is opened.
Once the attachment is opened, malicious software can be installed on the user’s computer, allowing the attacker to take control of the workstation or access the internal company network.
2. Technical vulnerabilities exploited
The success of phishing often relies on technical and organizational vulnerabilities. Insufficient email filtering, missing security updates or inappropriate configuration of messaging systems greatly increase the risk.
The absence of additional security mechanisms, such as strengthened authentication or access limitation, allows attackers to quickly exploit stolen information and move within the information system.
3. Authentication and phishing prevention
Even if passwords are strong and properly managed, this is not enough to protect against phishing if they are stolen or voluntarily provided to a fake site.
Multi-factor authentication (MFA)
Implementing MFA is one of the most effective lines of defense against phishing: even if a password is compromised, a second factor (code, mobile app, physical key) prevents access to an account.
Physical keys and FIDO2 standards are particularly resistant to phishing compared to SMS codes or traditional authentication apps, because the attacker would need to physically possess the key.
Studies show that properly configured MFA can block up to 99% of compromise attempts caused by phishing.
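What makes a FIDO2 key phishing-resistant is that the browser binds the site's origin and RP ID into what the key signs, so an assertion obtained on a look-alike site is useless on the real one. The following Python model is an added illustration, not code from the report; the origins, challenge and the use of HMAC in place of the authenticator's asymmetric signature are constructed simplifications.

```python
import hashlib, hmac, json, os
from urllib.parse import urlparse
# Toy model of the WebAuthn/FIDO2 assertion flow (constructed, not the report's code).
# HMAC over a per-credential secret stands in for the authenticator's asymmetric
# signature; the binding of origin and RP ID into what gets signed is the real mechanism.
class Authenticator:
    def __init__(self):
        self.creds = {}                             # rp_id -> credential secret
    def register(self, rp_id):
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]                    # stands in for the public key given to the RP
    def sign(self, rp_id, client_data_json):
        if rp_id not in self.creds:                 # no credential for this site: nothing to sign
            raise KeyError(rp_id)
        auth_data = hashlib.sha256(rp_id.encode()).digest()        # rpIdHash
        msg = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.creds[rp_id], msg, "sha256").digest()

def browser_assert(authenticator, origin, challenge):
    """The browser, not the page's script, fills in origin and derives the RP ID (simplified to the host)."""
    rp_id = urlparse(origin).hostname
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data, sig = authenticator.sign(rp_id, cdj)
    return {"clientDataJSON": cdj, "authenticatorData": auth_data, "signature": sig}

def rp_verify(key, assertion, expected_origin, expected_challenge):
    """Relying party checks: fresh challenge, expected origin, expected rpIdHash, valid signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("origin") != expected_origin or cd.get("challenge") != expected_challenge:
        return False
    rp_id_hash = hashlib.sha256(urlparse(expected_origin).hostname.encode()).digest()
    if assertion["authenticatorData"] != rp_id_hash:
        return False
    msg = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(key, msg, "sha256").digest(), assertion["signature"])

def demo():
    auth, challenge = Authenticator(), "constructed-random-challenge"
    key = auth.register("example-bank.com")
    legit = rp_verify(key, browser_assert(auth, "https://example-bank.com", challenge),
                      "https://example-bank.com", challenge)
    try:                                            # look-alike site relays the real challenge
        browser_assert(auth, "https://examp1e-bank.com", challenge); no_cred = False
    except KeyError:
        no_cred = True                              # the key has nothing registered for that origin
    auth.register("examp1e-bank.com")               # even with a credential there, the assertion
    relayed = rp_verify(key, browser_assert(auth, "https://examp1e-bank.com", challenge),
                        "https://example-bank.com", challenge)   # is bound to the wrong origin
    return {"legit": legit, "no_credential_for_lookalike": no_cred, "relayed_accepted": relayed}
```

Contrast this with an SMS or TOTP code, which carries no origin and can be typed into any page that asks for it.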
Contextual security and conditional access
Some modern systems can request additional checks or reject suspicious connections depending on time, IP address or device used.
4. Email security: technical anti-phishing
Since phishing attacks often go through fraudulent emails, securing messaging is essential.
Anti-spam and anti-phishing filters
These tools automatically block suspicious messages before they reach users, detecting known signatures or abnormal behavior.
Email authentication: SPF, DKIM and DMARC
These three technologies allow mail servers to verify whether an email really comes from the domain it claims to represent:
SPF (Sender Policy Framework) checks whether the sending server is authorized for that domain.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each email, proving that the message has not been modified in transit and that it was signed by the domain named in the signature.
DMARC allows the domain owner to define how to handle emails that fail SPF or DKIM, reducing the impact of identity spoofing.
These protocols drastically reduce the success of email spoofing and targeted phishing attacks.
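The point that matters in practice is alignment: SPF or DKIM must not only pass but pass for a domain that matches the visible From: address, otherwise a spoofed From: can ride on the attacker's own perfectly valid SPF and DKIM. The Python below is an added example, not code from the report; the headers, domains and the "last two labels" shortcut for the organizational domain (real DMARC uses the Public Suffix List) are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample headers (not taken from the original report).
SPOOFED = {
    "From": "CEO <ceo@example.com>",
    "Authentication-Results": "mx.example.com; spf=pass smtp.mailfrom=news@bulk.attacker-mail.test; "
                              "dkim=pass header.d=attacker-mail.test",
}
LEGIT = {
    "From": "CEO <ceo@example.com>",
    "Authentication-Results": "mx.example.com; spf=pass smtp.mailfrom=ceo@mail.example.com; "
                              "dkim=pass header.d=example.com",
}

def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real DMARC uses
    the Public Suffix List; this shortcut misjudges names like example.co.uk."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if not domain:
        return False
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)

def parse_auth_results(header):
    """Pull the SPF/DKIM verdicts and the domain each one was evaluated against."""
    out = {"spf": ("none", ""), "dkim": ("none", "")}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        kv = dict(t.split("=", 1) for t in clause.split() if "=" in t)
        if "spf" in kv:
            out["spf"] = (kv["spf"], kv.get("smtp.mailfrom", "").split("@")[-1])
        if "dkim" in kv:
            out["dkim"] = (kv["dkim"], kv.get("header.d", ""))
    return out

def dmarc_verdict(msg, policy="reject", adkim="r", aspf="r"):
    """DMARC passes only if SPF or DKIM passes AND is aligned with the From: domain;
    otherwise the domain owner's policy (none/quarantine/reject) is applied."""
    from_domain = parseaddr(msg["From"])[1].split("@")[-1]
    res = parse_auth_results(msg["Authentication-Results"])
    spf_ok = res["spf"][0] == "pass" and aligned(res["spf"][1], from_domain, aspf)
    dkim_ok = res["dkim"][0] == "pass" and aligned(res["dkim"][1], from_domain, adkim)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "result": "pass" if (spf_ok or dkim_ok) else policy}

if __name__ == "__main__":
    for name, m in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, dmarc_verdict(m))
```

Note that the spoofed message shows spf=pass and dkim=pass yet is still rejected, because neither result is for example.com; a policy of p=none would merely report it, which is why moving to quarantine or reject matters.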
5. Technical detection and response tools
Link/URL analysis and blocking
Advanced anti-phishing solutions inspect links in emails in real time, blocking access to fraudulent pages before a user clicks.
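As an added example of the kind of checks such link analysis performs (not code from the report or from any named product), the Python below extracts the links from a message body and flags the usual deceptions: display text pointing at a different host than the href, IP-literal and punycode hosts, and hosts that contain a trusted brand name without being that brand's domain. The email body, brand list and character-folding rules are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED = {"example-bank.com"}   # constructed: brand domains the company expects mail from
# Constructed sample of a phishing email body (not from the original report).
SAMPLE_HTML = """<p>Your account is locked.</p>
<a href="http://examp1e-bank.com/reset">https://www.example-bank.com/reset</a>
<a href="http://203.0.113.5/login">Verify now</a>
<a href="https://mail.example-bank.com/inbox">Open inbox</a>"""
class LinkExtractor(HTMLParser):
    """Collect (display text, href) pairs for every <a> tag in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def host_of(s):
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def fold_lookalikes(host):
    """Fold common substitutions (0/o, 1/l, rn/m) so examp1e-bank still matches example-bank."""
    return host.replace("0", "o").replace("1", "l").replace("rn", "m")

def link_reasons(text, href):
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    host, reasons = host_of(href), []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("IP-literal host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host")
    if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text) and host_of(text) != host:
        reasons.append(f"display text says {host_of(text)} but link goes to {host}")
    for brand in TRUSTED:   # brand name present in a host that is not the brand's own domain
        if host != brand and not host.endswith("." + brand) and brand.split(".")[0] in fold_lookalikes(host):
            reasons.append(f"looks like {brand} but is {host}")
    return reasons

def scan_email(html):
    p = LinkExtractor(); p.feed(html)
    return [(t, h, r) for t, h in p.links for r in [link_reasons(t, h)] if r]
```

Real gateways add reputation lookups and time-of-click rewriting on top of these static checks, so that a link that was clean at delivery time can still be blocked later.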
Attachment sandboxing
Some tools run attached files in a secure environment to detect malicious behavior before they reach users.
EDR (Endpoint Detection and Response)
EDR systems monitor suspicious behavior after a click (e.g., malware download or execution) and quickly alert or isolate a compromised workstation.
6. Awareness and human behavior
Even with strong technologies, humans often remain the weak link if they are not given the tools to recognize attacks.
Companies must train their employees to spot phishing signs (suspicious sender, repeated urgency, spelling mistakes, deceptive URLs).
Internal simulations allow measurement of user vigilance and adjustment of training programs.
III. Possible impacts on the company
1. Risk scenarios
Direct financial loss
Fraudulent transfers, loss of revenue, ransom demands (ransomware).
Sensitive data breach
Customer data, trade secrets, HR information exposed or stolen.
Operations disruption
Ransomware or compromise of key systems leads to production or activity stoppages.
Damage to image & customer trust
Loss of customers, increased churn, damaged reputation.
Legal penalties / compliance
Failure to comply with GDPR / breach notification obligations may result in fines.
2. Risk matrices (examples)
| Risk | Example | Probability | Impact | Level |
|---|---|---|---|---|
| Credential theft | Password entered on a fake site | High | High | 🔴 Critical |
| Malware infection | Opening an infected attachment | Medium | High | 🔴 Critical |
| Financial fraud | Fake email requesting an urgent transfer | Low to medium | Very high | 🔴 Critical |
| Data leak | Unauthorized access to internal files | Medium | High | 🟠 Important |
| Damage to image | Data publicly disclosed | Low | High | 🟠 Important |
| Internal spam | Phishing emails received but not opened | High | Low | 🟡 Moderate |
| Productivity loss | Employee spends time checking a suspicious email | Medium | Low | 🟡 Moderate |
| Detected credential theft attempt | Account blocked after phishing attempt | Medium | Low | 🟢 Low |
| Minor harmless malware | Infected file isolated by antivirus | Low | Low | 🟢 Low |
IV. Policies implemented in companies to mitigate phishing risk
This part presents the concrete security policies implemented by companies to reduce risks related to phishing and ransomware. These policies combine technical, organizational and strategic measures.
1. Identity and access management
Companies implement strict identity management policies based on the principle of least privilege, in order to limit the exploitation of compromised credentials during a phishing attack. Strong authentication (MFA) is generalized, especially for sensitive and privileged accounts, which greatly reduces the impact of password theft. Access traceability is ensured by audit logs allowing quick detection of abnormal connections.
2. Securing messaging
A security policy dedicated to email is essential against phishing. It includes the configuration of email authentication mechanisms (SPF, DKIM, DMARC), the use of anti-spam and anti-phishing filters, as well as automatic blocking of suspicious links or attachments. These measures greatly reduce identity spoofing attempts and fraudulent emails reaching users.
3. Awareness and user training
Companies deploy continuous training policies to improve employee vigilance against phishing attempts. These actions include awareness campaigns, regular reminders of good practices and phishing simulations. The objective is to reduce the human factor, often at the origin of the success of attacks.
V. The human factor in phishing risk in companies
The human factor remains one of the most vulnerable elements in a company’s security chain. Cybercriminals exploit human behaviors, emotions and routines to succeed in their attacks, despite technical protections.
1. Lack of awareness and training
Many employees are not sufficiently trained to recognize fraudulent emails. Phishing messages often imitate internal communications or professional partners, making their detection difficult without specific knowledge.
2. Psychological manipulation and social engineering
Phishing attacks do not rely only on technical aspects, but on human manipulation: urgency, apparent authority, false trust relationships… This social engineering is at the heart of many attacks.
3. Real examples of successful attacks linked to the human factor
(Example) Facebook & Google – fake supplier
A hacker managed to impersonate a supplier (Quanta Computer) and send fake invoices to the finance departments of Facebook and Google. Result: nearly 100 million dollars were transferred before the fraud was detected.
The human factor here: employees executed payments without verifying the authenticity of the invoices or contacting the supplier directly.
4. Human consequences of phishing attacks
Phishing attacks have significant human impacts in companies. Victim employees may feel stress, guilt and a loss of confidence, especially when the incident leads to financial losses or data leaks.
These attacks can also create a climate of mistrust within teams and increase hierarchical pressure, with stricter controls and higher mental load. Finally, they show that cybersecurity strongly depends on employee training and vigilance, who must be supported rather than blamed.
5. Importance of awareness and good practices
To reduce these human-related risks, companies must:
Train employees regularly to recognize phishing signs.
Implement attack simulations to test and strengthen vigilance.
Define clear verification procedures (e.g., double validation for payments).
VI. Pentest, controls and audits (Phishing)
| Type | Example / Description | Objective | Source |
|---|---|---|---|
| Social engineering pentest | Simulated phishing campaigns sent to employees | Measure click rate, credential entry rate and improve awareness | https://www.oci.fr/5-bonnes-pratiques-contre-le-phishing/ |
| Technical control | Verification of SPF, DKIM and DMARC configuration | Reduce identity spoofing and email phishing | https://fr.wikipedia.org/wiki/DMARC |
| Email audit | Analysis of the effectiveness of anti-spam and anti-phishing filters | Evaluate automatic detection capacity of fraudulent emails | https://www.mimecast.com/fr/content/phishing-protection/ |
| Authentication audit | Verification of MFA usage on sensitive accounts | Limit the impact of credential theft | https://www.isdecisions.com/fr/blog/mfa/ |
| Post-phishing test | Analysis of reactions after click (EDR, SOC alerts) | Verify detection and incident response | https://www.itsystemes.fr/articles/quest-ce-que-le-fishing |