Phishing is a scam in which an attacker pretends to be someone you trust, a bank, a colleague, a supplier, to trick you into giving up something valuable: a password, a card number, or a wire transfer. Most phishing arrives by email, but it also shows up in text messages, phone calls and fake login pages.

The classic example is the “your account has been suspended” email. It looks like it came from Microsoft or your bank, complete with a logo, and it pushes you to click a link and “verify” your details right now. The link leads to a fake page that captures whatever you type. The whole trick relies on urgency and trust, not on any clever code, which is why it works on smart people too. From there an attacker might steal money, or quietly install malware that opens the door to ransomware.

Targeted versions are worse. Spear phishing aims at one named person, often a finance manager, with an email that seems to come from the CEO asking for an urgent payment to a new supplier. Because it is tailored, with real names and real context, the usual generic warning signs are missing.

Phishing is the starting point for a large share of real-world breaches, because it skips your firewalls entirely and goes straight for the human. Training helps, but technical guardrails help more. A single click can lead to a costly data breach, so layered defences beat relying on people never making a mistake.

At TopDevs we reduce the blast radius by default, enforcing multi-factor authentication on the systems we build so a single stolen password is not enough to get in.