What is phishing, and what controls would you put in place to reduce it?
Short answer
Phishing is social engineering that tricks people into revealing credentials, sending money, or running malware, usually via fake emails or sites. Defense is layered: email filtering and authentication (SPF/DKIM/DMARC), MFA to limit stolen-credential damage, user awareness training, and an easy way to report suspicious messages.
Phishing is consistently one of the top initial-access methods in real breaches, which is why interviewers expect a clear definition and a layered defense — not just "train the users."
What phishing is
Phishing is a form of social engineering: the attacker impersonates a trusted party (a bank, IT, a colleague, a vendor) to manipulate a person into doing something harmful — entering credentials on a fake login page, opening a malicious attachment, or wiring money. Variants include spear phishing (targeted at a specific person), whaling (targeting executives), smishing/vishing (SMS and voice), and business email compromise (impersonating an executive to authorize payments).
The attack succeeds by exploiting human trust and urgency, so technology alone never fully stops it.
How to defend — in layers
- Email security: spam/malware filtering, link rewriting and sandboxing, and email authentication (SPF, DKIM, DMARC) to make spoofing your domain harder.
- MFA: even if someone enters their password on a fake site, MFA can block the login — and phishing-resistant MFA (FIDO2/passkeys) defeats real-time relay attacks.
- Least privilege: limit what a compromised account can reach.
- User awareness: ongoing training and simulated phishing so people recognize and resist lures.
- Easy reporting: a one-click "report phish" button so the SOC can react fast and pull the message from other inboxes.
- Detection and response: monitor for credential use from new locations and have a playbook to reset and contain compromised accounts.
Why this matters
Interviewers want to see that you treat phishing as both a human and a technical problem. A strong answer pairs prevention (filtering, DMARC, training) with damage limitation (MFA, least privilege) and fast response (reporting, containment) — recognizing that some phish will always get through.
Likely follow-ups
- How does MFA reduce the impact of a successful phish?
- What is spear phishing versus business email compromise?
- Why are SPF, DKIM, and DMARC useful?