Getting compromised by "clicking links or downloading attachments", implies some kind of technical vulnerability, beyond phishing alone.