Phishing is a type of information security incident that falls under the category of cracker/hacker attacks. Phishing is a form of fraud that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. Phishing is a common and serious threat to information security, as it can lead to identity theft, financial loss, data breach, malware infection or other damages.

ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2).

Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course; ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements; What is Phishing?