What is phishing?
Phishing is the use of deceptive messages, primarily email, to steal credentials, deliver malware, or manipulate victims into actions that benefit the attacker. This guide covers phishing types, post-compromise escalation, common lures, detection signals, and the role of domain infrastructure in phishing campaigns.
What it is
Phishing is a social engineering attack delivered through deceptive communications, most commonly email, designed to trick recipients into revealing credentials, installing malware, or performing actions like transferring funds. It is consistently among the most common initial access vectors in cyberattacks and a leading entry point for data breaches.
Phishing succeeds because it targets people rather than systems. Hardened network perimeters, firewalls, and intrusion detection do little when an attacker can reach an employee directly through a legitimate communication channel. A single compromised credential can bypass layers of infrastructure security, giving the attacker a foothold inside the organization without triggering perimeter defenses.
The term covers a broad spectrum of techniques, from mass-distributed spam campaigns to highly targeted messages crafted for a single individual. What all phishing shares is the use of deception and impersonation to exploit human trust.
Phishing taxonomy
Credential phishing is the most prevalent form. The victim receives a message with a link to a fake login page that captures their username and password. Modern variants use adversary-in-the-middle reverse-proxy tools to also capture session tokens, bypassing multi-factor authentication (MFA) entirely.
Malware delivery phishing attaches or links to a malicious payload (a document with macros, an executable disguised as an invoice, or a link to a drive-by download site). The goal is code execution on the victim's endpoint. Newer techniques like ClickFix trick users into pasting attacker-supplied commands directly.
Business email compromise (BEC) uses impersonation to manipulate victims into financial or data-sharing actions without any malicious links or attachments. The message itself is the weapon.
OAuth consent phishing tricks a victim into granting a malicious application access to their mailbox, files, or cloud resources through a legitimate-looking consent screen. No credentials are stolen directly; instead, the attacker obtains a persistent OAuth token that survives password resets.
Spear phishing targets a specific individual or small group, using personalized details (name, role, recent projects, known contacts) to increase credibility. Attackers mine social media profiles, corporate websites, and leaked data to build convincing pretexts. Spear phishing messages are harder to detect because they are low-volume, conversational, and lack the generic red flags of mass campaigns. They are frequently the initial vector in advanced persistent threat (APT) operations and high-value BEC attacks.
In contrast, mass phishing campaigns cast a wide net with generic lures: package delivery notifications, account suspension warnings, or tax refund scams. These rely on volume; even a low click rate across millions of recipients produces significant yield.
Vishing (voice phishing) and smishing (SMS phishing) apply the same principles through phone calls and text messages, respectively.
Post-compromise escalation
The damage from phishing rarely ends with the initial compromise. Understanding the escalation chain explains why a single stolen credential can lead to organization-wide impact.
When an attacker captures email credentials, the immediate result is email account compromise (EAC). From a compromised mailbox, an attacker can read sensitive correspondence, search for financial records and credentials stored in email, and set up forwarding rules that persist even after a password reset. Because messages sent from a compromised account leave through the organization's own legitimate mail infrastructure, they pass SPF, DKIM, and DMARC checks, and recipients have no protocol-level reason to distrust them.
The compromised account becomes a launch point for internal phishing. Colleagues, vendors, and customers trust messages from a known sender, which makes internal phishing significantly more effective than external campaigns. An attacker can request wire transfers, share malicious documents, or reset passwords to other systems, all from a legitimate mailbox that the organization's own security controls treat as trusted.
This escalation path (phishing, then credential theft, then account compromise, then lateral movement) is the operational pattern behind many of the largest data breaches and financial fraud cases.
The role of infrastructure
Every phishing campaign depends on infrastructure, and the domain layer is where much of it becomes observable:
- Lookalike domains. Typosquats, combosquats, and homoglyph domains host credential-harvesting pages that mimic legitimate login portals. The victim may arrive at a pixel-perfect replica of a login page, with the only observable difference being the domain name itself. This makes phishing domain detection a critical early-warning function.
- Brand impersonation. Beyond domain names, attackers clone logos, CSS, and page structures to create full-fidelity replicas of legitimate sites. Automated malicious domain detection and screenshot comparison help identify these at scale.
- Phishing kits. Pre-packaged toolkits that deploy functional phishing sites within minutes of domain registration. The availability of off-the-shelf kits on underground markets has dramatically lowered the skill barrier, turning phishing from a specialized technique into a commodity attack available to any motivated criminal.
- TLS certificates. Attackers obtain certificates through automated CAs to serve HTTPS, making phishing pages appear trustworthy. These certificates are logged in Certificate Transparency and are observable before the campaign launches.
- Mail infrastructure. When sending phishing email directly from domains they control, some attackers configure SPF/DKIM to improve deliverability. Others rely on compromised accounts or bulk-sending infrastructure instead, bypassing the need to set up mail on the phishing domain itself.
This infrastructure is created before the first phishing email is sent, which means domain monitoring and domain threat intelligence can provide early warning of campaigns in preparation.
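The permutation step that domain monitoring relies on, as an added example that is not code from the original page or from Have I Been Squatted: given a protected brand domain, it generates typosquat (omission, repetition, transposition), combosquat, and homoglyph candidates, then matches them against a constructed list of newly registered domains standing in for a zone-file or certificate-transparency feed. The homoglyph table and combosquat keyword list are assumed subsets of what a production tool would use, and the domain is assumed to have a single-label TLD.

```python
"""Lookalike-domain permutation generator (added example, not the page's own code).

Generates candidate lookalike domains for a brand and reports which of them
appear in a feed of observed domains. The substitution tables below are
assumed subsets; real tools carry much larger ones."""

# Homoglyph substitutions: character -> visually similar replacements (assumed subset)
HOMOGLYPHS = {
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "e": ["3"],
    "a": ["4"],
    "m": ["rn"],
    "w": ["vv"],
}

# Keywords attackers append or prepend to brand names in combosquats (assumed list)
COMBO_WORDS = ["login", "secure", "account", "support", "verify", "mail"]


def typosquats(label: str) -> set:
    """Single-character omissions, repetitions and adjacent transpositions."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])            # omission: exmple
        out.add(label[:i] + label[i] + label[i:])      # repetition: exaample
        if i + 1 < len(label):                         # transposition: exmaple
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return out


def homoglyphs(label: str) -> set:
    """Single-position homoglyph substitutions: examp1e, exampie, ..."""
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    return out


def combosquats(label: str) -> set:
    """Brand name combined with a trust-building keyword: example-login, ..."""
    out = set()
    for word in COMBO_WORDS:
        out.add(f"{label}-{word}")
        out.add(f"{label}{word}")
        out.add(f"{word}-{label}")
    return out


def permutations(domain: str) -> set:
    """All candidate lookalikes for a brand domain, keeping the original TLD.
    Assumes a single-label TLD (example.com, not example.co.uk)."""
    label, _, tld = domain.lower().partition(".")
    cands = typosquats(label) | homoglyphs(label) | combosquats(label)
    return {f"{c}.{tld}" for c in cands}


def find_lookalikes(domain: str, observed) -> list:
    """Return the observed domains that are permutations of the brand domain."""
    cands = permutations(domain)
    return sorted(d for d in observed if d.lower() in cands)


# Constructed feed of "newly registered" domains standing in for a real zone/CT feed
OBSERVED_FEED = [
    "examp1e.com",          # homoglyph: l -> 1
    "example-login.com",    # combosquat
    "exmaple.com",          # transposition
    "unrelated.net",        # not a lookalike
    "exampleverify.com",    # combosquat without separator
]

if __name__ == "__main__":
    for hit in find_lookalikes("example.com", OBSERVED_FEED):
        print("lookalike registered:", hit)
```

Each matched domain is a candidate for DNS enrichment (does it resolve, does it have MX records, has a certificate been issued for it) rather than an alert on its own; plenty of typosquats are defensive registrations or parked pages.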
Common lures and pretexts
Phishing messages exploit predictable psychological triggers:
- Urgency. "Your account will be suspended in 24 hours"
- Authority. Messages appearing to come from IT, the CEO, or a government agency
- Curiosity. "You have a new document shared with you"
- Fear. "Unauthorized login detected on your account"
- Reward. Fake invoices, refunds, or prize notifications
Lures often align with current events (tax season, major data breaches, pandemic relief programs) because they provide a plausible pretext for action.
AI-generated phishing
Large language models have changed the phishing landscape in several ways. AI-generated messages lack the grammatical errors and awkward phrasing that once served as reliable detection signals. Attackers can produce fluent, contextually appropriate text in any language, removing one of the few advantages defenders had in identifying mass campaigns.
AI also enables personalization at scale. Previously, only spear phishing campaigns justified the effort of tailoring messages to individual targets. Generative models allow attackers to produce customized lures for thousands of recipients, blending the volume of mass phishing with the credibility of targeted attacks.
Detection signals
- Sender address mismatches (display name spoofing, such as "IT Help Desk" from a free email provider)
- Urgency language combined with a call to action (click a link, open an attachment, reply with information)
- Links that resolve to recently registered domains or known malicious domain infrastructure
- Attachments with executable or macro-enabled file types
- Unusual OAuth consent requests for high-privilege scopes
As AI-generated phishing improves, content-based detection signals become less reliable. Infrastructure-based signals (domain age, registration patterns, certificate issuance) are harder for attackers to disguise and increasingly important for detection.
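A heuristic scorer that checks a message for the signals listed above, as an added example that is not code from the original page: it parses a constructed RFC 5322 message with the Python standard library and reports display-name spoofing from a free mail provider, urgency combined with a call to action, links to recently registered domains, and risky attachment types. The registration-date table is a constructed stand-in for an RDAP/WHOIS or domain threat-intelligence lookup, and the keyword lists are assumed.

```python
"""Phishing-signal scorer (added example, not the page's own code).

Parses a raw email and reports which detection signals fire. The keyword
lists and the domain-age table are assumed/constructed; a real deployment
would query RDAP or a domain threat-intelligence feed for registration dates."""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
SPOOFED_ROLES = ("it help", "helpdesk", "support", "ceo", "payroll", "security")
URGENCY = ("within 24 hours", "immediately", "suspended", "urgent", "final notice")
ACTIONS = ("click", "open the attached", "reply with", "verify")
RISKY_EXT = (".exe", ".js", ".docm", ".xlsm", ".iso", ".lnk", ".scr")

# Constructed registration dates standing in for an RDAP/threat-intel lookup
REGISTRATION_DATES = {
    "examp1e-login.com": date(2024, 6, 1),
    "example.com": date(1995, 8, 14),
}
TODAY = date(2024, 6, 10)  # fixed so the example is deterministic

URL_RE = re.compile(r"https?://([a-z0-9.-]+)")


def domain_age_days(domain: str):
    """Days since registration, or None when the domain is unknown to the table."""
    reg = REGISTRATION_DATES.get(domain)
    return None if reg is None else (TODAY - reg).days


def analyse(raw: str) -> dict:
    """Return the list of triggered signals and a simple count as the score."""
    msg = message_from_string(raw)
    signals = []

    # Signal 1: role-like display name on a free mail provider address
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain in FREE_MAIL and any(r in display.lower() for r in SPOOFED_ROLES):
        signals.append("display-name spoofing from free mail provider")

    # Collect plain-text body and attachment names across all MIME parts
    text_parts, attachments = [], []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            attachments.append(fname.lower())
        elif part.get_content_type() == "text/plain":
            text_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(text_parts).lower()

    # Signal 2: urgency language together with a call to action
    if any(u in body for u in URGENCY) and any(a in body for a in ACTIONS):
        signals.append("urgency combined with call to action")

    # Signal 3: links whose domain was registered less than 30 days ago
    for host in sorted(set(URL_RE.findall(body))):
        age = domain_age_days(host)
        if age is not None and age < 30:
            signals.append(f"link to recently registered domain {host} ({age} days old)")

    # Signal 4: executable or macro-enabled attachment
    if any(f.endswith(RISKY_EXT) for f in attachments):
        signals.append("executable or macro-enabled attachment")

    return {"signals": signals, "score": len(signals)}


# Constructed sample: a credential-phishing lure with a macro-enabled attachment
SAMPLE = """\
From: "IT Help Desk" <it.helpdesk.2024@gmail.com>
To: jane@example.com
Subject: Action required: account suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your mailbox will be suspended within 24 hours.
Click https://examp1e-login.com/verify to keep access, or open the attached form.
--b1
Content-Type: application/octet-stream; name="form.docm"
Content-Disposition: attachment; filename="form.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

# Constructed benign message for comparison
BENIGN = """\
From: Colleague <colleague@example.com>
To: jane@example.com
Subject: Agenda

Hi Jane, the agenda is at https://example.com/agenda - see you tomorrow.
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, analyse(raw))
```

The score is a count of independent signals rather than a tuned weight, which is enough to illustrate why infrastructure signals (the 9-day-old link domain) keep firing when the text is fluent and the content-based signals do not.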
Layered defense
No single control stops all phishing. A defense-in-depth approach layers multiple controls so that each addresses the techniques that others miss:
- Email authentication (SPF, DKIM, DMARC) prevents direct domain spoofing but not lookalike domains
- Email gateways catch known malicious URLs and attachments but struggle with zero-hour campaigns
- DNS filtering blocks known phishing domains at the network level
- Phishing-resistant MFA (FIDO2/WebAuthn) prevents credential and session theft even when users click phishing links. Unlike TOTP or push-based MFA, phishing-resistant factors are bound to the legitimate origin and cannot be relayed through a proxy.
- User awareness training reduces click rates but does not eliminate them. Training is most effective when paired with simulated phishing exercises that provide immediate feedback.
- Domain monitoring detects phishing infrastructure during setup, before messages reach inboxes. Tools like Have I Been Squatted combine permutation generation, DNS enrichment, and certificate monitoring to surface lookalike domains targeting a brand as early as possible.
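What "bound to the legitimate origin" means in practice for the phishing-resistant MFA layer, as an added example that is not code from the original page or any WebAuthn library: the relying party's verification of a WebAuthn assertion checks the origin the browser recorded in clientDataJSON and the RP ID hash the authenticator signed over. When an adversary-in-the-middle proxy relays the login from a lookalike origin, the browser records that lookalike origin, so the check fails regardless of what the user typed. The expected origin and RP ID are assumed values, the signature check over authenticatorData and the clientDataJSON hash is omitted (a real deployment uses a WebAuthn library for it), and the authenticator data is constructed.

```python
"""WebAuthn origin and RP ID binding check (added example, not the page's code).

Implements the clientDataJSON and rpIdHash checks from WebAuthn assertion
verification; the cryptographic signature check is deliberately left out."""
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com"   # assumed legitimate RP origin
RP_ID = "example.com"                            # assumed RP ID


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes):
    """Return (ok, reason). Checks ceremony type, challenge freshness, origin,
    and that the first 32 bytes of authenticatorData are SHA-256(RP ID)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or stale)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "RP ID hash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser produces: it records the origin it actually loaded."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) || flags(1, UP) || signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; real RPs use random challenges
    # Legitimate login: browser on the real origin, authenticator scoped to example.com
    print(verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                                   make_auth_data(RP_ID), challenge))
    # Relayed login: the user is on a lookalike page, so the browser records that origin
    print(verify_assertion_binding(make_client_data("https://login.examp1e.com", challenge),
                                   make_auth_data("examp1e.com"), challenge))
```

Contrast this with TOTP or push approval: neither carries the origin, so a proxy that relays the code or the prompt in real time gets a valid session. The origin check is why the credential-phishing and AiTM techniques described above do not transfer to FIDO2 even when the user clicks the link.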
The combination of authentication, technical controls, and proactive domain threat intelligence provides the strongest defense, with each layer addressing phishing techniques that the others miss.