Phishing
Phishing is a form of social engineering and a scam in which attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything the victim does on the site and to traverse any additional security boundaries alongside the victim. As of 2020, it is the most common type of cybercrime, with the Federal Bureau of Investigation's Internet Crime Complaint Center reporting more incidents of phishing than any other type of cybercrime.
Modern phishing campaigns increasingly target multi-factor authentication systems, not just passwords. Attackers use spoofed login pages and real-time relay tools to capture both credentials and one-time passcodes. Some phishing kits bypass two-factor authentication by forwarding the stolen credentials and code to the attacker's server the moment they are entered, so the attacker can log in before the one-time code expires. A 2024 blog post by Microsoft Entra highlighted the rise of adversary-in-the-middle phishing attacks, which intercept session tokens and allow attackers to authenticate as the victim.
The term "phishing" was first recorded in 1995 in the cracking toolkit AOHell, but may have been used earlier in the hacker magazine 2600. It is a variation of fishing and refers to the use of lures to "fish" for sensitive information.
Measures to prevent or reduce the impact of phishing attacks include legislation, user education, public awareness, and technical security measures. The importance of phishing awareness has increased in both personal and professional settings, with the share of businesses reporting phishing attacks rising from 72% in 2017 to 86% in 2020 and to 94% in 2023.
Phishing techniques and vectors include email spam, vishing, targeted (spear) phishing, smishing, quishing, cross-site scripting, and man-in-the-middle (MitM) attacks against 2FA.
Types
Email phishing
Phishing attacks, often delivered via email spam, attempt to trick individuals into giving away sensitive information or login credentials. Most attacks are "bulk attacks" that are not targeted and are instead sent to a wide audience. The goal of the attacker can vary, with common targets including financial institutions, email and cloud productivity providers, and streaming services. The stolen information or access may be used to steal money, install malware, or spear phish others within the target organization. Compromised streaming service accounts may also be sold on darknet markets.
This type of social engineering attack can involve sending fraudulent emails or messages that appear to be from a trusted source, such as a bank or government agency. These messages typically redirect to a fake login page where users are prompted to enter their credentials.
Spear phishing
Spear phishing is a targeted phishing attack that uses personalized messaging, especially e-mails, to trick a specific individual or organization into believing the messages are legitimate. It often draws on personal information about the target to increase the chances of success. These attacks frequently target executives or staff in financial departments with access to sensitive financial data and services. Accountancy and audit firms are particularly vulnerable to spear phishing because of the value of the information their employees can access.
The Russian government-run Threat Group-4127 targeted Hillary Clinton's 2016 presidential campaign with spear phishing attacks on over 1,800 Google accounts, using the domain to threaten targeted users.
A study on spear phishing susceptibility among different age groups found that 43% of youth aged 18–25 and 58% of older users clicked on simulated phishing links in daily e-mails over 21 days. Older women had the highest susceptibility; susceptibility among young users declined over the course of the study but remained stable among older users.
Voice phishing (Vishing)
Vishing, or voice phishing, uses automated phone calls to large numbers of people, often generated with text-to-speech synthesizers, claiming fraudulent activity on their accounts. The attackers spoof the calling phone number so the call appears to come from a legitimate bank or institution. The victim is then prompted to enter sensitive information or is connected to a live person who uses social engineering tactics to obtain it. Vishing exploits the public's lower awareness of, and greater trust in, voice telephony compared with email phishing.
SMS phishing (smishing)
SMS phishing or smishing is a type of phishing attack that uses text messages sent to a cell phone or smartphone to deliver a bait message. The victim is usually asked to click a link, call a phone number, or contact an email address provided by the attacker, and may then be asked to provide private information, such as login credentials for other websites.
The difficulty of identifying illegitimate links is compounded on mobile devices, where mobile browsers display only a limited portion of the URL.
Smishing can be just as effective as email phishing, as many smartphones have fast internet connectivity. Smishing messages may also come from unusual phone numbers.
Page hijacking
Page hijacking involves redirecting users to malicious websites or exploit kits by compromising legitimate web pages, often through cross-site scripting. Attackers may insert exploit kits such as MPack into compromised websites to exploit legitimate users visiting the server. Page hijacking can also involve inserting malicious inline frames (iframes) that load exploit kits. This tactic is often used in conjunction with watering hole attacks on corporate targets.
QR code phishing (quishing)
In "quishing", scammers exploit the convenience of QR codes to trick users into giving up sensitive data by getting them to scan a code that encodes a malicious link. Unlike traditional phishing, which relies on deceptive emails or websites, quishing hides the destination inside an image, which lets it bypass email filters that inspect links, and people tend to trust QR codes and do not scrutinize them as carefully as a URL or email link. The bogus codes may be sent by email or social media, or in some cases printed stickers are placed over legitimate QR codes on advertising posters and car park notices. When victims scan the code with their phone or other device, they are redirected to a fake website designed to steal personal information, login credentials, or financial details.
As QR codes become more widely used for payments, event check-ins, and product information, quishing is emerging as a significant concern for digital security. Users are advised to exercise caution when scanning unfamiliar QR codes and to ensure they come from trusted sources, although the UK's National Cyber Security Centre rates the risk as lower than other types of lure.
Man-in-the-Middle phishing
Traditional phishing attacks are typically limited to capturing credentials that the user enters directly into a fraudulent website. Man-in-the-middle (MitM, also called adversary-in-the-middle) phishing has significantly advanced the sophistication of these attacks, enabling criminals to bypass two-factor authentication during a user's active session on a web service. MitM phishing attacks employ an intermediary tool that sits between the user and the legitimate service and relays the communication in both directions.
Evilginx, originally created as an open-source tool for penetration testing and ethical hacking, has been repurposed by cybercriminals for MitM attacks. Evilginx works as a reverse proxy: the victim interacts with the genuine site's pages, relayed through the attacker's domain, and completes the real login, including the second factor. The proxy captures the submitted credentials and, more importantly, the session cookies and tokens the service issues after authentication succeeds. Because the phishing page is the live site rather than a static clone, and the victim's login completes normally, the attack is harder to spot than a conventional credential-harvesting page. With the captured session tokens the attacker can use the account exactly as the real user would, for as long as the session remains valid.
Attackers lure victims to the proxied site through phishing emails, other social engineering tactics, or malicious links distributed via social media platforms. Once the victim interacts with the counterfeit site, the MitM tool intercepts the authentication process, effectively bypassing 2FA protections.
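The relay described in the lead and in this section leaves two traces in the target service's own logs, because it is the attacker's proxy, not the victim's browser, that talks to the real site: the successful login (password and one-time code) arrives from an address the user has never used, and when the attacker later replays the captured session cookie from their own tooling, the same session ID appears with a different client address or User-Agent. The following is an added example, not code from the article or from any product: it runs both checks over constructed JSON log lines. The log schema, user names, networks and addresses are all invented for the example.

```python
"""Added example (not from the article): two log checks for the
adversary-in-the-middle pattern.  Check 1 catches the relay phase (login
from outside the user's known networks); check 2 catches the replay phase
(session used from a client other than the one that authenticated).
The log schema, users, networks and addresses are constructed."""
import json
from ipaddress import ip_address, ip_network

# Constructed sample log, one JSON object per line.  alice and carol both
# log in through the relay at 198.51.100.7; alice's session is then replayed
# from a different host and User-Agent, carol's is reused from the relay.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:01Z","event":"login_success","user":"alice","sid":"s1","ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-01T09:00:04Z","event":"mfa_success","user":"alice","sid":"s1","ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-01T09:00:20Z","event":"request","user":"alice","sid":"s1","ip":"198.51.100.99","ua":"python-requests/2.31"}
{"ts":"2024-05-01T09:05:00Z","event":"login_success","user":"bob","sid":"s2","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2024-05-01T09:06:00Z","event":"request","user":"bob","sid":"s2","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2024-05-01T09:10:00Z","event":"login_success","user":"carol","sid":"s3","ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-01T09:10:02Z","event":"mfa_success","user":"carol","sid":"s3","ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-01T09:10:30Z","event":"request","user":"carol","sid":"s3","ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
"""

# Constructed baseline: networks each user normally logs in from.
KNOWN_NETWORKS = {
    "alice": ["203.0.113.0/24"],
    "bob": ["192.0.2.0/24"],
    "carol": ["203.0.113.0/24"],
}


def parse_log(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count and alert on these
    return events


def logins_outside_known_networks(events, known_networks=KNOWN_NETWORKS):
    """Check 1 (relay phase): successful logins whose source address lies
    outside every network in the user's baseline.  Users without a
    baseline are skipped rather than flagged."""
    findings = []
    for ev in events:
        if ev.get("event") != "login_success":
            continue
        nets = [ip_network(n) for n in known_networks.get(ev.get("user"), [])]
        if not nets:
            continue
        if not any(ip_address(ev["ip"]) in net for net in nets):
            findings.append({"user": ev["user"], "sid": ev["sid"], "ts": ev["ts"],
                             "ip": ev["ip"],
                             "reason": "login from outside the user's known networks"})
    return findings


def sessions_used_from_other_client(events):
    """Check 2 (replay phase): the (ip, ua) pair seen at login_success is the
    baseline for that session ID; any later event on the same sid from a
    different ip or ua is reported."""
    baseline = {}  # sid -> (ip, ua, user)
    findings = []
    for ev in events:
        sid = ev.get("sid")
        if not sid:
            continue
        if ev.get("event") == "login_success":
            baseline[sid] = (ev["ip"], ev["ua"], ev.get("user"))
            continue
        if sid not in baseline:
            continue
        ip0, ua0, user = baseline[sid]
        if ev["ip"] != ip0 or ev["ua"] != ua0:
            findings.append({"user": user, "sid": sid, "ts": ev["ts"],
                             "login_client": (ip0, ua0),
                             "seen_client": (ev["ip"], ev["ua"]),
                             "reason": "session used from a client other than the one that authenticated"})
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in logins_outside_known_networks(events) + sessions_used_from_other_client(events):
        print(finding)
```

On the constructed log, check 1 flags alice and carol (both logins came from the relay address) and check 2 flags only alice (her cookie was replayed from a second host). Neither check is sufficient on its own: a relay can forward the victim's User-Agent, and an attacker who reuses the cookie from the relay host itself shows no client change, so check 1 and a per-user network baseline do most of the work in practice.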
Techniques
Link manipulation
Phishing attacks often involve creating fake links that appear to belong to a legitimate organization. These links may use misspelled URLs or subdomains to deceive the user. A URL whose hostname begins with yourbank but whose registered domain is example can appear to the untrained eye as though it will take the user to the example section of the yourbank website, when in fact it points to the "yourbank" section of the example website. Another tactic is to make the displayed text for a link appear trustworthy while the actual link goes to the phisher's site. To check the destination of a link, many email clients and web browsers show the URL in the status bar when the mouse hovers over it; some phishers, however, are able to defeat this check.
Internationalized domain names (IDNs) can be exploited through IDN spoofing or homograph attacks, which let attackers register domains whose addresses are visually identical to legitimate ones. Phishers have also disguised malicious URLs behind open URL redirectors on trusted websites, so that the visible link begins with a trusted domain. An example of a homograph domain is http://www.exаmple.com/, where the third character is not the Latin letter 'a' but the Cyrillic letter 'а' (U+0430). A victim who clicks the link, unaware of the substitution, is taken to the attacker's site, whose actual (Punycode) address is http://www.xn--exmple-4nf.com/. Even digital certificates (TLS/SSL) may not protect against these attacks, since phishers can obtain valid certificates for their look-alike domains and alter the content to mimic the genuine website, or simply host phishing sites without TLS.
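The checks a practitioner would run on a suspicious link follow directly from the section above: which registrable domain the hostname really belongs to (the yourbank-subdomain trick), what the hostname looks like once converted to Punycode, whether any label mixes scripts such as Latin and Cyrillic, and whether a link's displayed text names a different domain than its href. The following is an added example, not code from the article; the sample URLs are constructed, and registrable_domain() uses a two-label rule rather than the Public Suffix List, which is a simplification.

```python
"""Added example (not from the article): inspect a link for the
manipulation techniques described in the "Link manipulation" section.
Sample URLs are constructed; the registrable-domain rule is simplified."""
import unicodedata
from urllib.parse import urlsplit

# Constructed lookalike: the third letter is U+0430 CYRILLIC SMALL LETTER A,
# written as an escape so the substitution is visible in the source.
LOOKALIKE_URL = "http://www.ex\u0430mple.com/"
# Constructed subdomain trick: 'yourbank' is a label under example.com.
SUBDOMAIN_URL = "http://www.yourbank.example.com/login"


def to_ascii(hostname):
    """IDNA/Punycode form of a hostname, as a browser sends it to DNS."""
    return hostname.encode("idna").decode("ascii")


def registrable_domain(hostname):
    """Last two labels of an ASCII hostname, e.g. 'www.yourbank.example.com'
    -> 'example.com'.  Simplified: without the Public Suffix List,
    'co.uk'-style suffixes are not handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def scripts_in_label(label):
    """Unicode scripts used by the letters of one label, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch).split(" ")[0] for ch in label if ch.isalpha()}


def analyze_url(url):
    """Summarise where a URL really leads and whether it looks spoofed."""
    host = urlsplit(url).hostname or ""
    ascii_host = to_ascii(host)
    return {
        "hostname": host,
        "ascii_hostname": ascii_host,
        "registrable_domain": registrable_domain(ascii_host),
        "is_idn": ascii_host != host,
        "mixed_script_labels": [lab for lab in host.split(".") if len(scripts_in_label(lab)) > 1],
    }


def display_text_mismatch(display_text, href):
    """True when link text that itself looks like a URL or hostname names a
    different registrable domain than the href it is attached to."""
    shown = display_text.strip()
    if "://" not in shown:
        shown = "http://" + shown
    shown_host = urlsplit(shown).hostname or ""
    if "." not in shown_host:
        return False  # plain words such as "Click here": nothing to compare
    href_host = urlsplit(href).hostname or ""
    return registrable_domain(to_ascii(shown_host)) != registrable_domain(to_ascii(href_host))


if __name__ == "__main__":
    for url in (LOOKALIKE_URL, SUBDOMAIN_URL):
        print(analyze_url(url))
    print(display_text_mismatch("www.yourbank.com", SUBDOMAIN_URL))
```

For the Cyrillic lookalike the ASCII hostname comes out as www.xn--exmple-4nf.com, matching the Punycode address quoted above, and the label is reported as mixed-script; for the subdomain URL the registrable domain is example.com, not yourbank. Mixed-script detection is a heuristic: a label written entirely in Cyrillic that happens to resemble a Latin word passes it, which is why browsers also apply per-script and whole-script confusable rules before rendering an IDN in Unicode form.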