Phishing is the most common entry point in European cyber incidents, and it has been for the better part of a decade. The attack is conceptually simple: an attacker sends a message that looks like it came from someone the recipient trusts, with the goal of getting them to click a link, open an attachment, or move money. The reason the attack persists is that it bypasses every technical control by exploiting the part of the system the controls were not designed to cover: human attention under time pressure.
The vocabulary has stratified. Bulk phishing is the wide-net version, dispatched at volume on the assumption that a small percentage of recipients will fall for it. Spear phishing is the targeted version, written to a specific individual with carefully researched context about their role, their recent activity, or their relationships. Business Email Compromise (BEC) is the form most likely to cost a finance team money, typically through an invoice redirection or a fraudulent payment instruction that survives a casual second look.
Defending against phishing is a layered exercise rather than a single control. Email-platform filtering removes the obvious cases. Multi-factor authentication makes a stolen credential harder to weaponise. Awareness training raises the chance that an unusual message is recognised and reported. Reporting workflows turn a near-miss into intelligence the rest of the organisation can use. The Askara Solutions agent keeps the loop closed: detection signals, reported attempts, and training outcomes are tied to the same risk scenarios in the register, so the management review can ask whether the controls are actually reducing exposure rather than just generating activity.



