Phishing and security awareness glossary

Phishing and security awareness terminology, defined

A reference for the language used in phishing simulation and security awareness training. Includes the major attack types, defense techniques, email-authentication standards and compliance frameworks. Each term is independently anchored - link to a specific definition with /glossary#<term>.

Phishing attack types

Phishing
A social-engineering attack in which an attacker poses as a trusted entity to trick a target into revealing credentials or financial information, or into carrying out a malicious action.
Spear phishing
Phishing tailored to a specific individual, typically using public or insider information to make the lure more convincing.
Whaling
Spear phishing aimed specifically at executives or other high-value targets, where the loss per incident is highest.
Business Email Compromise (BEC)
A targeted phishing attack focused on financial fraud, typically involving impersonation of an executive, vendor or HR contact to redirect wire transfers, invoice payments or payroll deposits. The FBI IC3 reports BEC as among the highest-loss cybercrime categories.
Vishing
Voice phishing - phishing conducted over a phone call, increasingly using deepfake-cloned voices.
Smishing
SMS phishing - phishing conducted over text message or messaging apps. Often bypasses email gateway filtering entirely, since no email is involved.
Quishing
QR-code phishing - a malicious URL hidden inside a QR code, typically delivered as an image or a printed sticker. Can bypass email URL scanning because the link is encoded in the image rather than present as text.
Clone phishing
A phishing technique that copies a legitimate email the target has already received and replaces the link or attachment with a malicious version, exploiting trust in the original sender.
Pharming
Manipulation of DNS or hosts files to silently redirect users to fake versions of legitimate sites without changing the URL the user typed or clicked.
Brand impersonation
A phishing pretext that mimics a specific known brand (Microsoft 365, DocuSign, FedEx, IRS, etc.) to leverage existing user trust.

Defense and program design

Simulated phishing
A controlled phishing campaign run by an organization against its own employees to measure susceptibility and trigger remediation training. Distinct from a real phishing attack - no credentials are stolen and no harm is intended.
Security awareness training
Structured education delivered to employees to teach recognition of phishing and other social-engineering attacks. Most effective when paired with continuous simulated phishing rather than delivered as an annual standalone course.
Click-through rate
The percentage of recipients who click a simulated phishing link within a campaign. The primary metric for measuring phishing susceptibility; mature programs trend below 5%.
Completion rate
The percentage of users assigned remediation training who finish the module within the program's expected time window. Carriers and auditors weight completion rate as a program-quality signal alongside click-through rate.
Auto-assigned training
A program design pattern in which remediation training is delivered automatically the moment a user fails a phishing simulation, rather than at a quarterly all-hands session. Training triggered by the user's own behavior is more memorable than scheduled training.
Baseline test
An initial phishing simulation run before any training or notification, used to measure the organization's untrained click-through rate as the starting point for trend analysis.
Pretext
The fictional context an attacker uses to make a phishing message believable - e.g., "your password expires today", "please review the attached invoice" or impersonating a known colleague.
Lure
The specific phishing email, SMS or voice message used in a campaign - distinct from the pretext, which is the underlying narrative.

Email authentication and technical defenses

SPF (Sender Policy Framework)
A DNS-based email authentication protocol that lets a domain owner declare which servers are authorized to send email on its behalf. SPF is one of three pillars (with DKIM and DMARC) of modern domain-spoofing defense.
DKIM (DomainKeys Identified Mail)
A cryptographic email-authentication standard that signs outgoing messages so recipients can verify the message wasn't altered in transit and that the signing domain authorized it.
DMARC
Domain-based Message Authentication, Reporting and Conformance. A policy framework built on SPF and DKIM that tells receiving servers what to do with email that fails authentication and reports failures back to the domain owner.
Typosquatting
Registering domain names that are common typos of legitimate domains (e.g., gooogle.com, microsft.com) to capture mistyped traffic or send phishing email from a domain that looks correct at a glance.
Homograph attack
A phishing technique that uses Unicode characters from non-Latin scripts to create domain names visually identical to legitimate ones (e.g., аpple.com using a Cyrillic 'а').
Domain spoofing
Forging the sender domain on an email so it appears to come from a trusted organization. Modern email systems block most domain spoofing via SPF, DKIM and DMARC, but legacy receivers and lookalike domains remain attack surfaces.
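The SPF, DKIM and DMARC entries above describe how the three fit together; the following Python sketch is an added example (not part of this glossary or any vendor product) showing how a receiving server applies a DMARC record to one message: it parses the TXT record, checks whether a passing SPF or DKIM result is aligned with the visible From domain, and returns the disposition. The TXT records and domains are constructed, and the organizational-domain logic is simplified (real receivers use the Public Suffix List).

```python
# Added example: how a receiving server applies a DMARC record to one message.
# Sample TXT records and domains are constructed; no real DNS lookups happen.
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r",
    "_dmarc.legacy.example": "v=DMARC1; p=none; rua=mailto:reports@legacy.example",
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; require v=DMARC1 and a valid p= tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    """Simplified organizational domain (last two labels); real receivers
    consult the Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', the policy to apply (none/quarantine/reject) or 'no-policy'.
    from_domain is the RFC5322.From domain the user sees; spf_domain is the
    MAIL FROM domain SPF checked; dkim_domain is the d= of a verified signature."""
    org = org_domain(from_domain)
    txt = (DMARC_RECORDS.get("_dmarc." + from_domain.lower())
           or DMARC_RECORDS.get("_dmarc." + org))
    if txt is None:
        return "no-policy"
    tags = parse_dmarc(txt)
    # A message passes DMARC if either SPF or DKIM passes AND is aligned with From.
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomains use sp= when present; otherwise p= applies to the whole org domain.
    if from_domain.lower() != org and "sp" in tags:
        return tags["sp"]
    return tags["p"]
```

Note the difference between the two constructed records: a spoofed message that fails authentication is rejected under example.com's p=reject, but only monitored under legacy.example's p=none.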

Compliance frameworks

SOC 2
A widely adopted compliance framework based on the AICPA Trust Services Criteria. The CC1.4 and CC2.2 criteria translate to requirements for ongoing security awareness training and demonstrable phishing-program evidence.
HIPAA
U.S. Health Insurance Portability and Accountability Act. The §164.308(a)(5) Security Awareness and Training administrative safeguard requires healthcare entities to maintain a security awareness program - phishing simulation evidence supports this under HHS OCR review.
PCI DSS
Payment Card Industry Data Security Standard. Requirement 12.6 mandates a security awareness program for personnel handling cardholder data; PCI DSS 4.0 adds emphasis on continuous testing rather than annual checkbox training.
NIST CSF
U.S. National Institute of Standards and Technology Cybersecurity Framework. CSF 2.0 maps phishing simulation programs to PR.AT (Awareness and Training), PR.PS (People), and DE.CM (Continuous Monitoring) categories.
ISO 27001
An international standard for information security management systems. Annex A.6.3 covers Information Security Awareness, Education and Training; certification auditors expect documented, ongoing programs rather than ad-hoc training.
NIS2
European Union Directive 2022/2555 (Network and Information Security 2). Article 21 obliges in-scope entities to implement basic cyber-hygiene practices and cybersecurity training. Transposed into national law across member states from 2024.