Human and Identity Threats

Phishing Fundamentals

9 min read · Updated 2026-04-26
TL;DR

Phishing is the act of tricking a human into handing over credentials, sessions, money, or access by impersonating a trusted party. It is the single most common starting point for breaches in 2026, fuelled by adversary-in-the-middle kits that defeat traditional MFA, AI-generated lures that scale individual targeting, and delivery channels that reach far beyond email.

What it is

Phishing is the use of deception, usually impersonation of a trusted brand or person, to manipulate a target into doing something that benefits the attacker. The classic outcome is credential theft, but phishing campaigns also deliver malware, redirect payments, harvest session tokens, and trick people into approving OAuth grants or MFA pushes.

The mechanics have changed dramatically over the past decade. Phishing in 2014 was mostly poorly translated emails with obvious typos and broken links. Phishing in 2026 is a reverse proxy that sits transparently between the victim and the real Microsoft login page, captures both the password and the session cookie, and hands the attacker an authenticated browser session that bypasses MFA entirely.

The variants worth knowing by name:

  • Mass phishing. Generic lures sent to millions of addresses. Low conversion rate per message, but the volume produces real victims. The Nigerian prince era, plus everything since.
  • Spear phishing. Targeted at a specific individual or small group, using research about the target to make the lure credible. The email mentions a real project, a real colleague, a real vendor.
  • Whaling. Spear phishing aimed specifically at executives. The targets have authority over money, access to sensitive data, and tend to receive less scrutiny when they ask for unusual things.
  • Smishing. Phishing over SMS. Often used for one-time password capture, package delivery scams, and fake bank fraud alerts. The shorter format and lack of visible URLs make smishing harder to inspect than email.
  • Vishing. Voice phishing, conducted over a phone call. The Caesars and MGM breaches in 2023 both started with vishing calls to IT help desks. Increasingly augmented with deepfaked voices of real executives.
  • QR code phishing (quishing). A QR code embedded in an email or printed on a poster directs the victim to a phishing page. QR codes bypass URL inspection on most email security gateways and route the victim to a mobile browser, which often has weaker phishing protection than corporate desktops.
  • Browser-in-browser attacks. A fake browser window rendered inside a real one, designed to look like a popup OAuth login from Google, Microsoft, or Apple. The URL bar is HTML, not a real chrome element. Users who check "the URL looks right" miss it because there is no real URL to check.
  • Calendar phishing. A meeting invite with a malicious link, automatically added to the victim's calendar before they accept. The link arrives with the implicit trust of "this meeting was on my schedule, I must have agreed to it."

Each variant exists because it solves a specific delivery or trust problem the attacker was facing. Together they cover almost every channel a human uses to communicate.

Why it matters

Phishing remains the dominant initial access vector for serious breaches because it works against humans, and humans are the constant in every security architecture. Verizon's annual breach report has put phishing or stolen credentials in the top three causes of breaches every year for over a decade. The 2024 IBM Cost of a Data Breach study put the average cost of a phishing-initiated breach at $4.88 million.

A few specific reasons phishing has not gone away:

Adversary-in-the-middle kits defeat most MFA. Tools like evilginx, Modlishka, and Muraena run a transparent reverse proxy between the victim and the real login page. The victim types their password, completes the MFA prompt, and gets logged in successfully. The attacker captures the session cookie and is also logged in. Push-based MFA, SMS codes, and TOTP all fall to this. Only phishing-resistant factors (FIDO2, passkeys, certificate-based authentication) hold up.

Delivery has expanded beyond email. Email security gateways have improved significantly, so attackers route around them. SMS, WhatsApp, LinkedIn messages, Slack, Microsoft Teams, and even Discord are now routine phishing channels. Many of these have weaker filtering than corporate email.

AI has lowered the cost of personalisation. A spear phishing email that looks legitimately written in the target's language, references real public information about their company, and matches the tone of an internal communication used to require an attacker who could write English well. Now any operator can produce credible spear phishing in any language at scale. The 2024 Anthropic and OpenAI threat reports both documented this shift in active campaigns.

Phishing kits are commoditised. Caffeine, EvilProxy, Greatness, Tycoon, and others sell phishing-as-a-service for a few hundred dollars per month. The buyer gets a working AitM proxy, hosted infrastructure, evasion against major email security vendors, and templates for the most-targeted brands. The operator does not need to write any code.

The result is that phishing has more reach, higher trust, and better technical capability than it did three years ago, while defender controls have improved more slowly than the offence has.

How attackers exploit it

A modern phishing operation has several moving parts.

  1. Lure development. The pretext that makes the victim engage. Common patterns include fake invoice emails, fake voicemail notifications, shared document links from impersonated colleagues, fake security alerts, and HR communications about benefits or payroll. The lure has to be plausible enough to get a click, urgent enough to short-circuit careful inspection.
  2. Infrastructure. A phishing domain (often a lookalike of a real brand), a TLS certificate (free from Let's Encrypt), hosting (often behind Cloudflare to obscure the origin), and an AitM kit or static credential capture page.
  3. Delivery. Email through compromised legitimate accounts, SMS through bulk SMS providers, abuse of legitimate file-sharing services to host phishing links, or compromised marketing platforms.
  4. Capture. Credentials, session cookies, MFA approvals, OAuth grants, or wire transfer redirects, depending on the goal.
  5. Use. Account takeover, lateral movement into corporate environments, BEC fraud, ransomware deployment, or sale of access to other operators.

The psychology is consistent across variants. Attackers exploit authority ("this is from your CEO"), urgency ("the document expires in two hours"), fear ("your account will be locked"), and curiosity ("here is the document you requested"). When the lure pushes hard enough on these levers, careful inspection drops sharply.

How to detect it

Detection happens at three layers, and each catches different things.

  • Infrastructure detection. Monitor for newly registered lookalike domains using your brand. Watch certificate transparency logs for certs issued to suspicious names. Track DNS for subdomain takeover candidates that could be repurposed for phishing. The earlier you spot the infrastructure, the more time you have to take it down.
  • Email and message detection. Modern secure email gateways inspect attachments, follow URLs, and analyse sender behaviour. AI-driven detection looks for anomalies in tone, sender history, and embedded links. None of this is perfect, but the layered approach catches most mass campaigns.
  • Endpoint and identity signals. Failed authentications from unusual locations, MFA prompts the user did not initiate, sudden creation of mailbox forwarding rules, and OAuth grants to unknown applications all suggest a successful phish in progress. Identity-based detection often catches what email filtering missed.
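A minimal version of the infrastructure-detection step above, written as an added example rather than code from this page or from ScruteX: it generates the typosquat, homoglyph, TLD-swap and keyword permutations of a brand domain and matches them against a constructed certificate-transparency feed. The brand `brand.com`, the feed entries and the permutation rules are assumptions.

```python
"""Lookalike-domain generation and certificate-transparency matching.
Added example, not ScruteX code; brand domain and feed are constructed."""
import re
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}

def lookalikes(domain: str) -> set[str]:
    """Permutations an attacker might register for `domain` (e.g. brand.com)."""
    name, tld = domain.rsplit(".", 1)
    out = set()
    for i, ch in enumerate(name):
        if ch in HOMOGLYPHS:                                       # brand -> br4nd
            out.add(f"{name[:i]}{HOMOGLYPHS[ch]}{name[i+1:]}.{tld}")
        out.add(f"{name[:i]}{name[i+1:]}.{tld}")                   # brand -> brnd
        out.add(f"{name[:i]}{ch}{ch}{name[i+1:]}.{tld}")            # brand -> brrand
        if i + 1 < len(name):                                      # brand -> barnd
            out.add(f"{name[:i]}{name[i+1]}{ch}{name[i+2:]}.{tld}")
    for t in ("com", "net", "co", "io", "app"):                    # brand.com -> brand.co
        out.add(f"{name}.{t}")
    for w in ("login", "secure", "sso", "account"):                 # brand-login.com
        out.add(f"{name}-{w}.{tld}")
        out.add(f"{w}-{name}.{tld}")
    out.discard(domain)
    return out

def flag_ct_entries(brand: str, ct_entries: list[dict]) -> list[tuple[str, str]]:
    """Flag CT-log names that are permutations of `brand` or embed its name as a
    whole DNS label (brand.com.evil.example), skipping the brand's own hosts."""
    candidates = lookalikes(brand)
    name = brand.rsplit(".", 1)[0]
    label_re = re.compile(rf"(^|[.-]){re.escape(name)}([.-]|$)")
    hits = []
    for entry in ct_entries:
        for san in entry["names"]:
            host = san.lower().lstrip("*.")
            if host == brand or host.endswith("." + brand):
                continue
            if host in candidates:
                hits.append((host, "permutation"))
            elif label_re.search(host):
                hits.append((host, "brand-in-label"))
    return hits

CT_FEED = [  # constructed entries in a crt.sh-like shape
    {"names": ["brand.com", "www.brand.com"]},
    {"names": ["br4nd.com"]},
    {"names": ["brand-login.com"]},
    {"names": ["*.brand.com.evil.example"]},
]
```

Feed a real CT stream (or a daily new-registrations list) into `flag_ct_entries` and the hits become takedown candidates before a campaign launches.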

User reporting is also a real signal. A well-staffed phishing inbox where employees forward suspicious messages turns each potential victim into a sensor. Organisations that train users to report rather than ignore typically catch campaigns hours before any technical control flags them.

How to remediate

When a phishing incident is confirmed:

  1. Identify the affected accounts. Authentication logs, mailbox audit logs, and the original phishing email tell you who clicked and who entered credentials.
  2. Force a credential reset and session invalidation. A password change without session invalidation leaves the attacker logged in.
  3. Check for persistence. Mailbox forwarding rules, OAuth grants to unknown apps, and new MFA devices registered are all common attacker persistence mechanisms after a successful phish.
  4. Take down the phishing infrastructure. Registrar abuse complaints, hosting provider reports, and certificate revocation requests. Add the URL to browser blocklists (Google Safe Browsing, Microsoft SmartScreen).
  5. Communicate to potentially affected users. A clear message about what happened, what they should do, and how to recognise follow-up scams.
  6. Review what the attacker accessed. If they were inside an account, what did they see? Did they exfiltrate data? Did they pivot anywhere?
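The identity signals from the detection section and the persistence checks in step 3 above, turned into triage logic over audit records. This is an added example, not code from the page; the records, the `Country` field, the approved-app list and the per-user country baselines are constructed.

```python
"""Identity-side signals of a phish in progress or attacker persistence: mailbox
forwarding rules, unknown OAuth consents, new MFA methods, sign-ins outside a user's
baseline. Added example; records are constructed and only loosely modelled on
Microsoft 365 audit entries (the Country field is an assumption)."""
from collections import defaultdict
from typing import Optional

KNOWN_APPS = {"Microsoft Teams", "Salesforce"}   # assumption: your approved-app list
BASELINE = {"alice@corp.example": {"GB"}, "bob@corp.example": {"GB", "DE"}}  # assumed

def check_event(ev: dict) -> Optional[str]:
    """Return a finding for one audit record, or None if it looks benign."""
    op, p = ev["Operation"], ev.get("Parameters", {})
    target = p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo")
    if op in ("New-InboxRule", "Set-InboxRule") and target:
        return f"mailbox rule forwarding to {target}"
    if op == "Consent to application." and ev.get("AppName") not in KNOWN_APPS:
        return f"OAuth consent to unknown app '{ev.get('AppName')}'"
    if op == "User registered security info.":
        return f"new MFA method registered: {ev.get('MethodName')}"
    if op == "UserLoggedIn" and ev.get("Country") not in BASELINE.get(ev["UserId"], set()):
        return f"sign-in from {ev.get('Country')} outside baseline"
    return None

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group findings per user in time order."""
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        hit = check_event(ev)
        if hit:
            findings[ev["UserId"]].append(f"{ev['CreationTime']} {hit}")
    return dict(findings)

def needs_revocation(findings: dict[str, list[str]]) -> list[str]:
    """Users with two or more independent signals: revoke sessions and reset
    credentials now (a password change alone leaves the attacker logged in)."""
    return sorted(u for u, f in findings.items() if len(f) >= 2)

EVENTS = [  # constructed sample records
    {"CreationTime": "2026-04-26T08:40:03", "UserId": "alice@corp.example",
     "Operation": "UserLoggedIn", "Country": "NG"},
    {"CreationTime": "2026-04-26T08:41:30", "UserId": "alice@corp.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": "RSS", "RedirectTo": "archive@mail.example", "DeleteMessage": "True"}},
    {"CreationTime": "2026-04-26T08:45:00", "UserId": "alice@corp.example",
     "Operation": "Consent to application.", "AppName": "Mail Backup Pro"},
    {"CreationTime": "2026-04-26T09:10:00", "UserId": "bob@corp.example",
     "Operation": "Consent to application.", "AppName": "Salesforce"},
    {"CreationTime": "2026-04-26T09:12:00", "UserId": "bob@corp.example",
     "Operation": "User registered security info.", "MethodName": "Authenticator App"},
]
```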

The faster the response, the smaller the blast radius. AitM phishing in particular tends to escalate within hours of a successful credential capture.

Best practices

  • Move to phishing-resistant MFA wherever you can. FIDO2 keys and passkeys defeat AitM proxies because the cryptographic challenge is bound to the legitimate origin. Push-based MFA, TOTP, and SMS do not.
  • Block legacy authentication. Protocols that do not support modern MFA (basic auth on Exchange, IMAP, POP3) are a free pass for replaying stolen credentials, whether phished or stuffed. Disable them at the tenant level.
  • Filter at multiple layers. Email gateway, browser-level URL inspection, DNS filtering, and endpoint detection each catch different things. Defence in depth is real here.
  • Restrict OAuth consent. Limit which third-party applications users can grant access to without review. Consent grant phishing is a quiet but growing technique.
  • Train for reporting, not just recognition. The annual click-through phishing simulation does little to change behaviour. Training that makes reporting easy and rewards it shifts the curve.
  • Monitor your brand on the supply side. Lookalike domains, fake login pages targeting your customers, and abandoned subdomains repurposed for phishing all start as infrastructure your security team can detect and disrupt before the campaign reaches victims.
  • Plan for the inevitable click. Some percentage of users will always click. Architect so that a single click does not equal a domain compromise. Network segmentation, least-privilege access, and rapid session revocation matter as much as the prevention layer.
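The reason the first bullet above (and the AitM paragraph under "Why it matters") gives for FIDO2 holding up, shown as an added example rather than any library's code: the relying party's WebAuthn checks on the origin and RP ID hash that the browser records and the authenticator signs. The hosts, the challenge and the simplified RP ID rule are assumptions, and the final ECDSA signature check is omitted.

```python
"""Why a FIDO2/passkey assertion does not survive an AitM proxy: the relying
party checks the origin and RP ID hash the browser bakes into the signed data.
Added example, not any library's code; hosts and challenge are constructed and
the final ECDSA signature check is omitted (it needs a crypto library)."""
import base64, hashlib, json, secrets

RP_ID = "login.corp.example"                       # assumption: the real login host
EXPECTED_ORIGIN = "https://login.corp.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_builds_assertion(page_origin: str, challenge: bytes) -> tuple[bytes, bytes]:
    """What a conforming browser produces for navigator.credentials.get().
    It records the page's *own* origin in clientDataJSON and only allows an RP ID
    that origin is entitled to (simplified here to the page host), so a proxy at
    another host cannot claim the real one; both values are then signed."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    rp_id_hash = hashlib.sha256(page_origin.removeprefix("https://").encode()).digest()
    flags, sign_count = b"\x05", b"\x00\x00\x00\x01"  # UP and UV bits set
    return client_data, rp_id_hash + flags + sign_count

def rp_verify(client_data: bytes, auth_data: bytes, challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn spec that run before the signature check."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"

def login_flow(page_origin: str) -> tuple[bool, str]:
    """One login: the RP issues a fresh challenge (which a proxy can relay
    verbatim), the browser where the user really is answers, the RP verifies."""
    challenge = secrets.token_bytes(32)
    client_data, auth_data = browser_builds_assertion(page_origin, challenge)
    return rp_verify(client_data, auth_data, challenge)
```

A user who lands on a proxy at a lookalike host fails the origin check even though the proxy relayed the RP's challenge unchanged, which is exactly the step that a password plus TOTP cannot enforce.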

What does not work as well as people think

A few controls underperform against modern phishing and are worth flagging:

  • Annual security awareness training as the main control. A one-hour video once a year does not change behaviour. The studies on this are clear.
  • SMS-based MFA. Better than no MFA. Defeated by AitM proxies, SIM swapping, and increasingly by carrier-level interception.
  • URL inspection that only checks reputation. Brand-new phishing domains have no reputation when they are weaponised. Reputation-based filters miss them by design.
  • "Hover over the link" guidance. AitM kits use legitimate-looking domains that pass casual inspection. The advice was useful in 2010. It is much weaker today.

Phishing has not been solved and is unlikely to be solved soon. The practical goal is to raise the cost of successful phishing, narrow the blast radius when it succeeds, and detect and respond fast enough that the incident does not escalate.

ScruteX monitors phishing infrastructure (lookalike domains, fake login pages, abandoned subdomains repurposed for credential capture) targeting your brand and customers.
