Phishing

What Is Phishing

Phishing is a cyberattack that impersonates a trusted organization or individual to steal passwords, credit card numbers, personal information, and other sensitive data. The term is believed to be a blend of "fishing" and "sophisticated."

According to reports by security organizations, phishing consistently ranks among the top 10 security threats every year, and the damage continues to grow. The rise of generative AI has made phishing emails and fake websites increasingly sophisticated, making them harder to distinguish from legitimate communications.

Common Tactics

  • Email Phishing: The most common method - emails impersonating banks or service providers direct victims to fake websites. Messages typically create urgency with phrases like "Your account has been suspended" or "Unauthorized access detected."
  • Smishing (SMS Phishing): Phishing via SMS. Cases impersonating delivery notifications or unpaid bills have surged. Smartphone users are particularly vulnerable because URLs are harder to verify on small screens.
  • Spear Phishing: Targeted attacks aimed at specific individuals or organizations. Attackers research the target's position, projects, and relationships to craft highly personalized messages. Used in Business Email Compromise (BEC) attacks.
  • Vishing (Voice Phishing): Phone-based phishing impersonating bank staff or tech support. Callers create urgency to extract passwords or one-time codes. Deepfake voice synthesis is making this tactic more convincing.
  • Clone Phishing: Copies a legitimate email the victim previously received, replaces attachments or links with malicious ones, and resends it. Extremely difficult to detect because the content appears familiar.

How to Spot Fake Sites

Checking the following points can help you identify phishing sites.

  • Check the URL: Watch for domains that differ by one character from the real one (e.g., amaz0n.com) or fake domains that include the real name as a subdomain (e.g., amazon.security-check.com).
  • HTTPS Alone Is Not Enough: Most phishing sites now use HTTPS. The lock icon only means the connection is encrypted - it does not guarantee the site is legitimate.
  • Examine the Design: Look for subtle differences from the real site - misaligned logos, unnatural fonts, broken links, or missing pages.
  • Verify the Sender: Check the email sender's actual address (not just the display name). Phishing emails often use addresses that closely resemble but differ from the real domain.
  • Hover Before Clicking: Hover over links to preview the destination URL. If it differs from what the text suggests, do not click.
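The first and fourth checks above can be automated. The following is an added example (not code from the original page) that flags the two URL patterns the list describes, a registrable domain one or two characters away from a trusted one (amaz0n.com) and a real brand name used only as a subdomain (amazon.security-check.com), and compares an email's display name with its actual address domain. The trusted-domain list is a constructed assumption, and the registrable-domain helper ignores multi-label public suffixes such as co.uk.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list of domains treated as legitimate (assumption for this example;
# a real deployment would use its own list and a proper public-suffix library).
TRUSTED_DOMAINS = ("amazon.com", "examplebank.com")

def registrable_domain(host):
    """Last two DNS labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 means 'differs by a character or two'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Apply the page's two URL checks; returns a list of warnings (empty = no finding).
    Note that the scheme is deliberately ignored: HTTPS says nothing about legitimacy."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return []  # exact match on the registrable domain, subdomains like login.amazon.com are fine
    warnings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if edit_distance(reg, trusted) <= 2:          # amaz0n.com vs amazon.com
            warnings.append(f"lookalike domain {reg} resembles {trusted}")
        if brand in host.split(".")[:-2]:              # amazon.security-check.com
            warnings.append(f"brand '{brand}' used as a subdomain of {reg}")
    return warnings

def check_sender(from_header):
    """Flag a From: header whose display name claims a brand the address domain does not match."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and registrable_domain(domain) != trusted:
            return f"display name mentions '{brand}' but address domain is {domain}"
    return None
```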

What to Do If You Fall Victim

If you have entered information on a phishing site, take the following steps immediately.

  1. Change the password for the affected service immediately
  2. Change passwords for any other services where you reused the same password
  3. If you entered credit card information, contact your card issuer and request a freeze
  4. Enable two-factor authentication on all important accounts
  5. Monitor your account for unauthorized transactions or changes
  6. Report the phishing site (to Google Safe Browsing, the Anti-Phishing Working Group, or your national cybersecurity agency)

Latest Phishing Techniques

Phishing attacks are becoming more sophisticated every year, and simply "watching out for suspicious emails" is no longer sufficient.

QR Code Phishing (Quishing) uses QR codes embedded in emails or printed materials to redirect victims to fake sites. Since QR codes hide the URL visually, victims are taken to the phishing site the moment they scan the code on their smartphone.

Adversary-in-the-Middle (AiTM) Phishing uses a reverse proxy to relay communication between the victim and the real site in real time. It can steal session cookies even when two-factor authentication is enabled, bypassing MFA protections. This technique has been observed in large-scale attacks targeting Microsoft 365 and Google Workspace.

Browser-in-the-Browser (BitB) creates a fake browser popup window within the page to display a counterfeit login screen. The fake window mimics the URL bar, making it nearly impossible to distinguish from a real authentication popup.

To learn more about this topic, see How to Spot Phishing: A Practical Checklist to Avoid Scams.

Common Misconceptions

Misconception: Phishing emails are easy to spot

Modern phishing emails are extremely sophisticated and often nearly indistinguishable from legitimate ones. Spear phishing in particular uses real names of business partners or colleagues, and even security experts can be deceived.

Misconception: HTTPS (lock icon) means the site is safe

With the proliferation of free SSL certificates from Let's Encrypt, the vast majority of phishing sites now support HTTPS. The lock icon only indicates that the connection is encrypted - it does not guarantee the site's legitimacy.