4 Comments
Interisle Consulting Group's avatar

There are two aspects to targeting and two kinds of victims.

The recipient of an email or text is the primary victim because they are the ones who'll suffer a loss or harm if they fall for the bait and disclose sensitive information.

The organization that's impersonated as part of the deception - Facebook, IRS, USPS, etc. - can be both primary and collateral targets. They are collateral targets when they are used as the bait, e.g., an IRS overdue payment scam.

Organizations are primary targets when the phisher's objective is to find a way into an organization, e.g., an email purportedly from your email admin asking you to reset your password.

When we measure phishing activity, we measure phishing attacks, but also measure "impersonated brands". If you're interested, read https://interisle.net/phishinglandscape2025

Erich Winkler's avatar

Well said. This distinction is often missed.

Individuals absorb the impact, but brands absorb the externalities: trust erosion, support costs, and reputational damage, even when they’re only “used” as bait.

Mohib Ur Rehman's avatar

Good read - btw curious, have you run a phishing campaign, ever?

Erich Winkler's avatar

Thank you! I appreciate it!

I wasn’t the one responsible for it, but yes. I was part of the team that ran a phishing campaign.