Phishing is a social engineering method in which attackers use convincingly crafted emails, text messages, or websites to steal credentials or distribute malware. Variants include spear phishing (targeting a specific individual), whaling (targeting executives), and smishing (phishing via SMS). Phishing is the most common initial attack vector in cyberattacks. Defenses combine technical controls (email filters, DMARC, link scanning) with employee awareness. In your ISMS, phishing awareness should be part of regular security training, complemented by phishing simulations that measure how effective that training is.