Home Learn Phishing Attacks Explained
Learn · Northstar IT

Phishing Attacks Explained

Phishing is an attack where criminals send fake emails, texts, or calls that look legitimate, tricking your staff into clicking malicious links, entering credentials, or transferring money.

What is the difference between phishing and spear phishing?

Phishing is mass-targeted. Spear phishing targets a specific person, usually with information gathered from social media. Spear phishing has much higher success rates.

How do I train my team against phishing?

Run monthly simulated phishing campaigns combined with short training videos. Tools like KnowBe4 and Hoxhunt automate this. Combined with MFA, training reduces click-through rates dramatically.

Does MFA stop phishing?

MFA stops most credential phishing. Phishing-resistant MFA, like security keys or passkeys, also stops modern session token theft attacks. Standard SMS MFA is now considered weak.

What do I do if someone fell for a phishing email?

Immediately reset that user's password, revoke active sessions in Microsoft 365 or Google Workspace, check for inbox rules or forwarding, and review recent transactions. Then notify your team and use the event as training material.

FAQ

Quick answers.

What is phishing?

Phishing is an attack where criminals send fake emails, texts, or calls that look legitimate, tricking your staff into clicking malicious links, entering credentials, or transferring money.

What is the difference between phishing and spear phishing?

Phishing is mass-targeted. Spear phishing targets a specific person, usually with information gathered from social media. Spear phishing has much higher success rates.

How do I train my team against phishing?

Run monthly simulated phishing campaigns combined with short training videos. Tools like KnowBe4 and Hoxhunt automate this. Combined with MFA, training reduces click-through rates dramatically.

Does MFA stop phishing?

MFA stops most credential phishing. Phishing-resistant MFA, like security keys or passkeys, also stops modern session token theft attacks. Standard SMS MFA is now considered weak.

What do I do if someone fell for a phishing email?

Immediately reset that user's password, revoke active sessions in Microsoft 365 or Google Workspace, check for inbox rules or forwarding, and review recent transactions. Then notify your team and use the event as training material.

Have a specific situation in mind?

Book a free 30-minute scoping call with a Northstar IT engineer. We will walk through your environment, your questions, and what good looks like for your team.

Get a Free Assessment More guides