Understanding Phishing Attacks
This guide is part of the documentation available in SecBoard. It explains what phishing is, how attacks work, and how the SecBoard Gophish module helps you run simulated phishing campaigns and train staff so your organisation can recognise and report real threats.
What is phishing?
Phishing is a type of social engineering in which attackers use email, SMS, or other channels to impersonate a trusted brand or person and trick recipients into revealing credentials, opening malicious links or attachments, or handing over sensitive data. Phishing exploits human trust and emotions (e.g. urgency, fear, curiosity) rather than technical flaws alone. A single successful phishing email can lead to account takeover, malware installation, or data breach, which is why understanding phishing attacks and training users are essential parts of security.
In SecBoard, the Gophish integration lets you run controlled phishing simulations: you send safe, simulated phishing emails to staff, track who opens or clicks, and use the results to target awareness training. When a real phishing incident occurs, you can record it in the SecBoard Incident Register and link it to your response process.
Types of phishing attacks
Attackers use different tactics depending on their goal and target. Common types you can reference when designing simulations or reporting real incidents:
How phishing attacks work
A typical phishing flow:
- Preparation — Attacker chooses a target (person or organisation), may harvest emails and names from public sources or prior breaches.
- Bait — Creates a message that looks legitimate (sender, branding, subject) and triggers action: click a link, open an attachment, reply with data, or call a number.
- Delivery — Sends the message via email, SMS, or another channel. May use compromised accounts or spoofed addresses to appear trusted.
- Action — If the victim clicks, they may land on a fake login page (credential harvest), download malware, or submit data. In BEC, the victim may wire money or change processes based only on the message.
- Exploitation — Attacker uses stolen credentials, installed malware, or obtained data for further access, fraud, or exfiltration.
Understanding this flow helps you design better simulations in Gophish (realistic scenarios and landing pages) and explain to staff why every click and reply matters.
Red flags: how to spot phishing
Staff should be trained to look for common signs of phishing (and to report even if unsure):
- Unexpected or urgent requests — e.g. “verify your account now” or “your access will be suspended”.
- Sender address or domain that looks wrong or is slightly misspelt (e.g. support@companny.com).
- Generic greetings (“Dear user”) when the sender supposedly knows you.
- Links that don’t match the stated destination (hover to see the real URL).
- Attachments you didn’t expect, especially executables or archives.
- Requests for passwords, codes, or sensitive data by email or phone.
Simulated campaigns in SecBoard Gophish help you test whether staff notice these signs; events (opened, clicked, credentials submitted) show where training is needed.
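Several of the red flags above can be checked mechanically on a message a user reports, which is useful both for triaging real reports and for explaining to staff what "looks wrong" means in practice. The script below is an added example written for this guide; it is not SecBoard or Gophish code. It assumes a list of the organisation's own sender domains (TRUSTED_DOMAINS), assumed phrase lists for urgency and generic greetings, and two constructed sample messages built inline: one that carries every flag (lookalike sender domain, urgent wording, generic greeting, link text that names a different host than the real target, and an archive attachment) and one benign message that should produce no flags.

```python
"""Red-flag checks from the list above, run over constructed sample emails.
Added example, not SecBoard or Gophish code; TRUSTED_DOMAINS, the phrase lists
and the sample messages are assumptions made for this demonstration."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"company.com"}  # assumed: the organisation's own sender domains
URGENT_PHRASES = ("verify your account", "will be suspended", "within 24 hours")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear valued")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".zip", ".rar", ".iso")


def edit_distance(a, b):
    """Levenshtein distance; a small distance to a trusted domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain):
    """Trusted domain that `domain` imitates (within 2 edits), or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2), None)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs so text/destination mismatches can be checked."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'host/path' strings are accepted too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def check_message(raw):
    """Return the list of red flags found in one raw RFC 5322 message (empty = none found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].strip(">").lower()
    imitated = lookalike_domain(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} looks like {imitated}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(p in text.lower() for p in URGENT_PHRASES):
        flags.append("urgent or threatening language")
    if any(g in text.lower() for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    parser = LinkCollector()
    parser.feed(text)
    for href, visible in parser.links:  # visible text naming a host other than the real target
        if "." in visible and host_of(visible) and host_of(visible) != host_of(href):
            flags.append(f"link text {visible} points to {host_of(href)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {name}")
    return flags


def build_sample(suspicious):
    """Constructed sample messages: one carrying every red flag above, one benign."""
    m = EmailMessage()
    m["To"] = "alice@company.com"
    if suspicious:
        m["From"] = "IT Support <support@companny.com>"
        m.set_content('<p>Dear user, verify your account now or your access will be suspended.</p>'
                      '<p><a href="http://login.companny.com/reset">https://portal.company.com/reset</a></p>',
                      subtype="html")
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    else:
        m["From"] = "IT Support <support@company.com>"
        m.set_content('<p>Hi Alice, see <a href="https://portal.company.com/status">'
                      'https://portal.company.com/status</a>.</p>', subtype="html")
    return m.as_bytes()
```

Calling `check_message(build_sample(True))` returns five flags, the first of which is the lookalike sender domain; `check_message(build_sample(False))` returns an empty list. The link check only fires when the visible text itself looks like a host or URL, since plain "click here" text gives the reader nothing to compare against; the edit-distance threshold of 2 is deliberately narrow so that unrelated domains are not reported as lookalikes.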
Why use phishing simulation?
Real attackers constantly test your people. Phishing simulation with a tool like Gophish lets you:
- Measure risk — See open rates, click rates, and credential/data submission rates without real harm.
- Target training — Identify teams or individuals with higher risk and deliver focused awareness or remedial training.
- Test reporting — Check whether staff report suspicious emails to the right channel (and record real incidents in the SecBoard Incident Register when they occur).
- Support compliance — Many frameworks expect security awareness and periodic testing; simulations provide evidence and metrics.
In SecBoard, the Gophish module connects to your Gophish server(s), syncs campaigns and events, and gives you a single place to view results alongside other SecBoard capabilities (e.g. incident register, SOC).
How SecBoard uses Gophish
SecBoard integrates with Gophish so you can manage and monitor phishing simulations without leaving SecBoard:
| Component | Role |
|---|---|
| Gophish servers | SecBoard stores one or more Gophish server connections (URL, API key). Each server is linked to a company. You can sync data and launch campaigns from SecBoard or from Gophish; SecBoard reflects status and results. |
| Campaigns | Each campaign has a name, email template, landing page, sending profile, and target groups. Status in SecBoard: Draft, Running, Completed, Paused, or Error. You can view launch/send-by dates and result metrics (e.g. emails sent, opened, clicked, credentials submitted). |
| Events | For each campaign, SecBoard stores events: Email Sent, Email Opened, Link Clicked, Credentials Submitted, Data Submitted, or Error. Events are tied to target email, timestamp, and optional details (IP, user agent). This is how you see who opened, clicked, or submitted data in a simulation. |
| Groups, templates, landing pages | Target groups (recipients), email templates, and landing pages are synced from Gophish so you can build and analyse campaigns in SecBoard. Sending profiles define how simulation emails are sent. |
Use the Guide button on the Gophish dashboard or campaign pages in SecBoard to open this text. Access to Gophish (view campaigns, manage servers, sync) is controlled by SecBoard permissions and company assignment.
Campaign events: what SecBoard tracks
When a recipient interacts with a simulated phishing email, Gophish records an event and SecBoard stores it. Typical event types you will see in SecBoard Gophish:
| Event type | Meaning |
|---|---|
| Email Sent | The simulation email was delivered to the recipient’s address. |
| Email Opened | The recipient opened the email (tracked, for example, via a tracking pixel or a tracked link). |
| Link Clicked | The recipient clicked a link in the email (e.g. to the simulated landing page). |
| Credentials Submitted | The recipient entered credentials on the landing page. High-risk behaviour; indicates need for training. |
| Data Submitted | The recipient submitted other data (e.g. form fields) on the landing page. |
| Error | Delivery or tracking failed for this recipient (e.g. bounce, block). |
Reviewing these events in SecBoard helps you identify which users need follow-up training and whether your campaigns are reaching targets as intended.
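The "Measure risk" and "Target training" points earlier in this guide, and the event table just above, both come down to the same computation: turning per-recipient events into campaign rates and a list of who needs follow-up. The script below is an added example for this guide, not SecBoard or Gophish code. The event records are constructed inline in the shape the guide describes (campaign, event type, target email, timestamp); the field names, the sample data and the risk ordering of the two "Submitted" event types are assumptions. Recipients are counted once per stage, so a user who opens the same email three times does not inflate the open rate.

```python
"""Turn simulated-campaign events into the metrics the guide describes and a follow-up list.

Added example, not SecBoard or Gophish code. The event records below are constructed
for the demonstration; their field names (campaign, type, email, ts) are assumptions.
"""
from collections import defaultdict

# Event types from the guide, ordered by increasing risk (the relative order of the two
# "Submitted" types is an assumption; Error is counted separately, not as a stage).
FUNNEL = ["Email Sent", "Email Opened", "Link Clicked", "Data Submitted", "Credentials Submitted"]
RANK = {name: i for i, name in enumerate(FUNNEL)}

# Constructed sample events (not real data). bob opens twice; dave's delivery failed.
SAMPLE_EVENTS = [
    {"campaign": "Q1 IT Support", "type": "Email Sent", "email": "alice@example.org", "ts": "2024-03-01T09:00Z"},
    {"campaign": "Q1 IT Support", "type": "Email Sent", "email": "bob@example.org", "ts": "2024-03-01T09:00Z"},
    {"campaign": "Q1 IT Support", "type": "Email Sent", "email": "carol@example.org", "ts": "2024-03-01T09:00Z"},
    {"campaign": "Q1 IT Support", "type": "Error", "email": "dave@example.org", "ts": "2024-03-01T09:00Z"},
    {"campaign": "Q1 IT Support", "type": "Email Opened", "email": "alice@example.org", "ts": "2024-03-01T09:12Z"},
    {"campaign": "Q1 IT Support", "type": "Email Opened", "email": "bob@example.org", "ts": "2024-03-01T09:15Z"},
    {"campaign": "Q1 IT Support", "type": "Email Opened", "email": "bob@example.org", "ts": "2024-03-01T10:02Z"},
    {"campaign": "Q1 IT Support", "type": "Link Clicked", "email": "bob@example.org", "ts": "2024-03-01T10:03Z"},
    {"campaign": "Q1 IT Support", "type": "Email Opened", "email": "carol@example.org", "ts": "2024-03-01T09:20Z"},
    {"campaign": "Q1 IT Support", "type": "Link Clicked", "email": "carol@example.org", "ts": "2024-03-01T09:21Z"},
    {"campaign": "Q1 IT Support", "type": "Credentials Submitted", "email": "carol@example.org", "ts": "2024-03-01T09:22Z"},
    {"campaign": "Q1 HR Benefits", "type": "Email Sent", "email": "erin@example.org", "ts": "2024-03-05T08:00Z"},
    {"campaign": "Q1 HR Benefits", "type": "Email Sent", "email": "frank@example.org", "ts": "2024-03-05T08:00Z"},
    {"campaign": "Q1 HR Benefits", "type": "Email Opened", "email": "erin@example.org", "ts": "2024-03-05T08:40Z"},
]


def summarise(events):
    """Per campaign: unique recipients at each stage, error count, and rates relative to Email Sent.

    Each recipient is counted once per stage, so repeated opens do not inflate the open rate.
    """
    stages = defaultdict(lambda: defaultdict(set))
    for ev in events:
        stages[ev["campaign"]][ev["type"]].add(ev["email"])
    summary = {}
    for campaign, by_type in stages.items():
        counts = {stage: len(by_type[stage]) for stage in FUNNEL + ["Error"]}
        sent = counts["Email Sent"]
        rates = {stage: (counts[stage] / sent if sent else 0.0) for stage in FUNNEL[1:]}
        summary[campaign] = {"counts": counts, "rates": rates}
    return summary


def follow_up(events, min_stage="Link Clicked"):
    """(campaign, email, worst stage) for recipients whose riskiest action reached min_stage."""
    worst = {}
    for ev in events:
        if ev["type"] in RANK:
            key = (ev["campaign"], ev["email"])
            if key not in worst or RANK[ev["type"]] > RANK[worst[key]]:
                worst[key] = ev["type"]
    return sorted((c, e, s) for (c, e), s in worst.items() if RANK[s] >= RANK[min_stage])


if __name__ == "__main__":
    for campaign, result in summarise(SAMPLE_EVENTS).items():
        print(campaign, result["counts"], {k: round(v, 2) for k, v in result["rates"].items()})
    print("needs follow-up:", follow_up(SAMPLE_EVENTS))
```

With the sample data, "Q1 IT Support" reports three emails sent, an open rate of 100%, a click rate of two thirds and a credential-submission rate of one third, plus one delivery error; `follow_up` returns bob (clicked) and carol (submitted credentials) as the people who should receive the short, targeted training the best practices below describe. Raising `min_stage` to "Credentials Submitted" narrows the list to carol alone.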
Best practices
- Start with clear policy — Define that simulated phishing is authorised for awareness only, who runs it, and how staff can report real and simulated emails.
- Vary scenarios — Use different templates and themes (e.g. IT support, HR, external brand) so staff don’t rely on one “test” pattern.
- Follow up with training — When someone clicks or submits credentials, deliver short, relevant training (e.g. how to spot phishing, how to report).
- Report real phishing — If staff receive a real phishing email or suspect a breach, ensure they report it and that you record it in the SecBoard Incident Register so response and metrics are consistent.
- Secure Gophish and SecBoard — Restrict access to Gophish servers and the SecBoard Gophish module; protect API keys and use least-privilege permissions.
Understanding phishing and SecBoard Gophish
This guide is part of the documentation available in SecBoard. The SecBoard Gophish module connects to your Gophish server(s), syncs campaigns and events, and lets you view open/click/submit rates and run awareness programmes. Use the "Guide" button on the Gophish dashboard or campaign pages to open this text. For real phishing incidents, use the SecBoard Incident Register to record and track response.
Understanding phishing attacks and combining simulation (Gophish) with incident management (SecBoard Incident Register) helps your organisation reduce risk and improve reporting.
Frequently asked questions
What is phishing? — Phishing is social engineering via email, SMS, or other channels where attackers impersonate a trusted party to steal credentials, deliver malware, or obtain sensitive data. Understanding phishing attacks and training users are key to defence.
What is Gophish? — Gophish is an open-source platform for phishing simulation. You create campaigns (templates, landing pages, target groups), send simulated emails, and track who opens, clicks, or submits data. SecBoard integrates with Gophish so you can manage servers, campaigns, and events from SecBoard.
How does SecBoard use Gophish? — SecBoard stores Gophish server connections, syncs campaigns, groups, templates, landing pages, and sending profiles, and imports campaign events (email sent, opened, link clicked, credentials submitted, data submitted). You view results and metrics in the SecBoard Gophish dashboard and campaign/event views.
What if someone reports a real phishing email? — Treat it as a potential security incident. Record it in the SecBoard Incident Register with the appropriate classification and type, assign responsibility, and follow your incident response process. Use the same register for both real incidents and (if you choose) references to simulation campaigns for consistency.
Why simulate phishing? — Simulation measures how staff respond to realistic phishing without real risk. Results (open/click/submit rates) show where awareness is weak and help target training. Combined with reporting and the SecBoard Incident Register, simulation supports a stronger human layer of defence.