Phishing is the practice of impersonating a trusted person, brand, or system to trick someone into handing over credentials, approving a fraudulent login, or running malicious code. It remains the single most common entry point into corporate networks: the FBI's Internet Crime Complaint Center logged 298,878 phishing complaints in 2023, more than any other crime category it tracks, and business email compromise — a phishing derivative — cost victims $2.9 billion that same year. For software supply chain security teams, phishing matters beyond stolen passwords. It is the technique attackers used to breach Twilio (August 2022), Uber (September 2022), Cisco (May 2022), and Reddit (February 2023) — all cases where a single employee's credentials or MFA approval gave attackers a foothold in internal tools, source code, or build systems. Understanding how phishing works, and where it intersects with CI/CD pipelines and package registries, is now a prerequisite for defending the software supply chain.
What Is Phishing?
Phishing is a social-engineering attack that uses fraudulent communications — usually email, SMS, or a fake login page — to manipulate a target into revealing credentials, session tokens, or sensitive data, or into executing malicious code. The term dates to the mid-1990s, coined by attackers who "fished" for AOL account credentials using instant messages that impersonated AOL staff. Modern phishing has evolved far past mass-mailed Nigerian-prince scams. Attackers now register lookalike domains (e.g., okata-login.com instead of okta.com), clone real login pages pixel-for-pixel, and time messages around real events — a password expiration notice, a DocuSign request, a Slack workspace invite — to reduce suspicion. The FBI's IC3 report and Verizon's Data Breach Investigations Report have both identified phishing as a top-three initial access vector for years running, and it is consistently the fastest and cheapest way for an attacker to bypass technical controls by targeting a person instead of a system.
How Is Phishing Different From Spear Phishing and Whaling?
Spear phishing and whaling are phishing narrowed to a specific target, rather than a distinct attack technique. Standard phishing is broadcast — the same fake PayPal email goes to millions of inboxes and relies on volume to find a few careless clicks. Spear phishing is researched and personalized: the attacker knows the target's name, role, manager, and recent projects, often pulled from LinkedIn, GitHub commit history, or a prior data breach, and crafts a message that references real internal detail. Whaling is spear phishing aimed specifically at executives or other high-value targets — a CFO receiving a fake wire-transfer request that appears to come from the CEO is a textbook whaling attempt. The Cisco breach in May 2022 illustrates the escalation path: attackers first compromised an employee's personal Google account (containing saved corporate credentials synced from a browser), then followed up with voice phishing calls impersonating trusted support organizations to get the employee to accept an MFA push — a combination of credential theft, vishing, and MFA fatigue layered on top of an initial phishing-adjacent compromise.
What Are the Most Common Types of Phishing Attacks?
The most common types are email phishing, SMS phishing (smishing), voice phishing (vishing), and MFA fatigue attacks, each exploiting a different communication channel but the same underlying trust. Email phishing still dominates by volume — fake invoices, shared-document notifications, and IT password-reset alerts are the most-reported lures. Smishing exploded alongside remote work: the August 2022 Twilio breach began with SMS messages sent to employees claiming their passwords had expired, linking to a cloned Okta sign-in page that harvested credentials in real time. Vishing pairs a phone call with a prior digital lure, as in the Cisco case, to add a human voice's credibility to the request. MFA fatigue (or "push bombing") is newer but was decisive in the Uber breach: after buying a contractor's VPN credentials on a dark web marketplace, the attacker triggered repeated MFA push notifications until the contractor approved one out of alert fatigue, granting access to Uber's internal Slack, Google Workspace, and vulnerability management tooling. Quishing — phishing via malicious QR codes — is the most recent addition, growing as organizations print QR codes on everything from parking meters to conference badges.
How Does Phishing Lead to Software Supply Chain Compromises?
Phishing leads to supply chain compromise when the credentials or access an attacker steals belong to someone with a foothold in the build, release, or dependency pipeline. A phished developer's SSO session can expose source repositories; a phished DevOps engineer's credentials can expose CI/CD secrets, artifact registries, or signing keys. In the Reddit breach (February 2023), employees were sent a phishing link disguised as an internal Slack login page; one employee's credentials and 2FA token were captured, giving the attacker access to internal documentation, dashboards, and portions of Reddit's source code. That pattern — phish an employee, pivot into developer tooling, exfiltrate code or inject a malicious commit — is structurally identical to how nation-state actors have compromised build pipelines in other well-documented incidents, even when the initial vector wasn't public. Once inside a CI/CD system, an attacker doesn't need to compromise every downstream customer directly; they only need to poison one build artifact, dependency, or signed release that gets distributed to everyone who trusts it — which is precisely what makes phishing a supply chain risk multiplier rather than a contained credential-theft event.
What Are Real-World Examples of Phishing-Driven Breaches?
Twilio, Uber, Cisco, and Reddit are four of the clearest recent examples, each showing a different downstream effect. Twilio's August 2022 breach, driven by SMS phishing of employees, compromised internal systems and cascaded to Twilio's Authy customers, exposing phone numbers linked to over 33 million Authy accounts. Uber's September 2022 breach, driven by purchased credentials plus MFA fatigue, let the attacker post messages in company-wide Slack and access internal tools including its bug bounty program's vulnerability reports — arguably worse than the initial access itself, since it revealed unpatched weaknesses. Cisco's May 2022 breach, driven by a combination of browser-synced credential theft and vishing, was claimed by a group with ties to Yanluowang ransomware, though Cisco stated no ransomware was deployed and no customer data was taken. Reddit's February 2023 breach, driven by a cloned internal login page, exposed limited internal source code and employee data but not user account credentials. None of these attacks used a technical zero-day; every one started with a message a human believed.
How Can Organizations Detect and Prevent Phishing Attacks?
Organizations detect and prevent phishing through a layered combination of technical controls, hardware-backed authentication, and continuous testing, because no single control stops every attempt. Phishing-resistant MFA — FIDO2/WebAuthn security keys instead of SMS codes or push notifications — directly neutralizes MFA fatigue and credential-replay attacks, and is why Google reported zero successful account takeovers among employees using physical security keys since requiring them in 2017. Email authentication standards (SPF, DKIM, and DMARC with a p=reject policy) block a large share of domain-spoofing attempts before they reach an inbox. Regular, unannounced phishing simulations — sending realistic test lures to staff and measuring click-through and report rates — turn phishing awareness from a once-a-year training slide into a measurable, improving metric. On the infrastructure side, segmenting access so that a single compromised account can't reach CI/CD secrets, source control, and production credentials all at once limits how far one successful phish can travel — which is the control most directly relevant to supply chain security teams, since it caps the blast radius of the human failure that will, eventually, happen.
How Safeguard Helps
Safeguard can't stop a phishing email from landing in an inbox, but it limits what a successful phish can do once an attacker is inside your pipeline. Reachability analysis shows which vulnerable dependencies are actually exploitable in your running code, so if a phished developer's access is used to introduce a malicious or vulnerable package, Safeguard flags whether that package's risky code paths are reachable rather than burying the finding in noise. Griffin AI correlates identity, access, and code changes to surface anomalous commit or dependency activity — the kind of pattern that follows a credential-theft incident — faster than manual review. Continuous SBOM generation and ingest give security teams a live inventory of what's actually running, so a compromised build produces a detectable deviation instead of a silent one. And auto-fix PRs let teams remediate any exposure that does slip through — a poisoned dependency, an exposed secret — with a reviewable, one-click patch instead of a manual scramble.