Phishing Wiki
The phishing encyclopedia for security and IT teams
Clear, practical explainers on phishing tactics, attack techniques, and the controls that defend against them - written by offensive-security practitioners.
Pillar guides
Start with these in-depth guides covering the essentials of phishing and defense.
What is phishing? Definition, examples, and how attacks work
Phishing is a social-engineering attack in which criminals impersonate a trusted person or brand to trick people into revealing credentials, approving payments, or installing malware. According to EU incident-response reporting, phishing is the leading way attackers gain their first foothold inside an organization. This guide explains the phishing definition, how a phishing attack unfolds, the channels it uses, and how to stay safe.
Types of phishing: a complete taxonomy
Understanding the types of phishing is the first step to defending against them. From bulk email phishing to smishing, vishing and quishing, this guide maps the main phishing types, how each one works, the lures attackers favour in Europe, and the tell-tale sign that gives each away.
How to recognize phishing: red flags and warning signs
Knowing how to recognize phishing is one of the most valuable skills you can have at work, because phishing remains the leading way attackers break into organizations. This guide walks through the phishing red flags, how to check a link or sender safely, and exactly what to do when something feels off.
How to prevent phishing: a layered defense guide for organizations
No single control stops phishing, the leading initial-access vector behind breaches in Europe. Effective phishing prevention layers technical filtering, identity hardening, continuous awareness training, and a fast reporting culture so threats are caught before they spread. This guide shows IT and security leaders how to build anti-phishing defense that is both practical and measurable.
Spear phishing and business email compromise (BEC)
Spear phishing is targeted, researched deception aimed at a specific person or role, and it is the engine behind business email compromise (BEC) - the fraud responsible for some of the costliest losses in cybercrime. This guide explains how attackers research their targets, the main BEC variants such as CEO fraud and invoice fraud, why email filters so often miss these messages, and the layered defenses that actually work.
Modern phishing techniques: how attackers bypass MFA and outsmart filters
Modern phishing techniques have moved far beyond the misspelled fake login page. Today's attackers use adversary-in-the-middle proxies, MFA fatigue, browser-in-the-browser popups, OAuth consent phishing, quishing and ClickFix to defeat the very controls that once stopped them. This guide explains how each technique works - conceptually, for defenders - and how to build resilience.
Phishing glossary
Quick definitions of the terms you will meet across the wiki.
- Adversary-in-the-Middle (AiTM)
- A real-time phishing technique that proxies traffic between the victim and the real service, capturing both the password and the live session cookie. It defeats MFA based on one-time codes or push approvals, but not phishing-resistant methods such as FIDO2 passkeys, whose keys are bound to the genuine origin.
- BEC (Business Email Compromise)
- A targeted scam in which attackers impersonate executives, colleagues, or suppliers to divert payments or sensitive data, often without any malware or links, which is why content-based filters so often let it through.
- Browser-in-the-Browser (BitB)
- A technique that draws a fake pop-up login window, complete with a convincing address bar, entirely inside a web page to imitate a trusted single sign-on prompt. Because the "window" is only HTML inside the tab, it cannot be dragged outside the browser's own viewport, a quick check that exposes it.
- ClickFix
- A lure disguised as a fix or verification step (a fake CAPTCHA or error message) that tricks the victim into copying a malicious command and running it themselves, typically in the Run dialog, PowerShell, or a terminal, so no exploit or download is needed to get code executing.
- Credential harvesting
- The collection of usernames, passwords, and second-factor codes through fake login pages or forms so attackers can later access the real accounts.
- DMARC (with SPF & DKIM)
- Three email-authentication standards that work together: SPF lists which servers may send mail for a domain, DKIM adds a cryptographic signature proving the message came from the signing domain and was not altered in transit, and DMARC requires one of the two to align with the visible From: address and tells receivers what to do with failures (none, quarantine, or reject). Only a quarantine or reject policy actually blocks spoofing; a policy of none merely reports it.
- Homoglyph attack
- Replacing characters in a domain or name with visually identical ones from another alphabet (for example a Cyrillic "а" in place of the Latin "a") so a fake address looks indistinguishable from the real one. In DNS such a name travels as punycode, so a label beginning "xn--" is a warning sign.
- Landing page (phishing page)
- The fraudulent web page a phishing link leads to, usually a pixel-perfect copy of a real login page or form, built to capture whatever the victim enters.
- MFA fatigue (push bombing)
- An attack in which the attacker, already holding the password, floods a user with repeated multi-factor approval prompts until they tap Approve out of annoyance or confusion, handing over access. Number matching in the prompt largely neutralises it.
- OAuth consent phishing
- An attack that lures the user into granting a malicious app OAuth permissions to their mailbox or files. Because the app holds a token rather than the password, its access survives password resets and persists until the grant is revoked.
- Passkey / FIDO2
- A phishing-resistant sign-in standard that replaces passwords with cryptographic keys bound to the genuine website's origin, so credentials cannot be entered on a fake page or replayed by a proxy.
- Payload
- The harmful part an attack ultimately delivers, such as a malicious attachment, link, or script, as opposed to the lure that persuades the victim to engage.
- Phishing
- A form of social engineering in which attackers send fraudulent messages impersonating a trusted party to trick people into revealing credentials, approving payments, or disclosing sensitive data.
- Pretexting
- Inventing a believable scenario and false identity, such as IT support or an auditor, to build trust and justify a request for information or action.
- Quishing (QR-code phishing)
- Phishing that hides a malicious link inside a QR code, pushing the victim onto a personal phone where corporate filtering and inspection are weaker.
- Smishing (SMS phishing)
- Phishing delivered through SMS or messaging apps, often posing as a parcel courier, bank, or government office and carrying a short link.
- Social engineering
- The manipulation of people into revealing information or taking actions by exploiting trust, authority, urgency, or helpfulness rather than technical flaws.
- Spear phishing
- A targeted phishing attack tailored to a specific person or role, using prior research to make the message far more convincing than mass phishing.
- Typosquatting (lookalike domains)
- Registering domains that mimic a legitimate one through common typos or small changes (a swapped letter, "rn" for "m", a digit for a letter, an added word such as "-login") so a careless glance at the address bar reads it as genuine.
- Vishing (voice phishing)
- Phishing carried out by phone call, where the caller pressures the victim into disclosing codes or approving transactions, increasingly with the help of voice deepfakes.
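The homoglyph and typosquatting entries above describe how lookalike domains are built; the script below is an added example (not part of the wiki, and not PhishGun's code) of how a defender triages them. It decodes punycode labels, flags labels that mix alphabets, collapses confusable characters to the Latin letter they imitate, and then compares the result against a list of protected brand domains by skeleton equality, edit distance, and substring embedding. The brand list, the sample domains and the confusable table are constructed for the example; the table is a small hand-picked subset of the Unicode confusables data, and the "registrable domain" logic assumes single-label public suffixes (a real deployment would consult the Public Suffix List).

```python
"""Lookalike-domain triage against a list of protected brand domains.
Standard library only; the confusable table is a small illustrative subset."""
import unicodedata

# Subset of Unicode confusables mapped onto the Latin letter they imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "\u0458": "j", "\u0455": "s",                                # Cyrillic j s
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03b9": "i",  # Greek o a v i
    "0": "o", "1": "l",                                          # digit lookalikes
}
# Letter pairs that render like a single letter at small font sizes.
PAIRS = [("rn", "m"), ("vv", "w")]


def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) so we analyse the form the user sees."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode stays as-is and is still compared below
        labels.append(label)
    return ".".join(labels)


def registrable(domain: str) -> str:
    """Last two labels, e.g. login.paypal.com -> paypal.com (assumes no co.uk-style suffixes)."""
    return ".".join(domain.split(".")[-2:])


def scripts(label: str) -> set:
    """Script families of the alphabetic characters, taken from the Unicode name prefix."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Collapse a label to the Latin string it visually imitates."""
    s = unicodedata.normalize("NFKC", label).lower()  # folds fullwidth forms, ligatures
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in PAIRS:
        s = s.replace(seq, rep)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; labels are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate: str, brands) -> dict:
    """Classify a candidate domain as exact, homoglyph, typosquat, brand-embedded or unrelated."""
    cand = to_unicode(candidate)
    reg = registrable(cand)
    label = reg.split(".")[0]
    result = {"domain": cand, "verdict": "unrelated", "brand": None,
              "mixed_script": len(scripts(label)) > 1}
    pairs = [(registrable(b.lower()), registrable(b.lower()).split(".")[0]) for b in brands]
    if any(reg == breg for breg, _ in pairs):   # legitimate brand domain or subdomain
        return {**result, "verdict": "exact", "brand": reg}
    for breg, blabel in pairs:
        if skeleton(label) == skeleton(blabel):  # looks identical once confusables are folded
            return {**result, "verdict": "homoglyph", "brand": breg}
        if len(blabel) >= 5 and levenshtein(label, blabel) <= 2:
            return {**result, "verdict": "typosquat", "brand": breg}
        if blabel in label:                      # e.g. paypal-secure-login.com
            return {**result, "verdict": "brand-embedded", "brand": breg}
    return result


BRANDS = ["paypal.com", "microsoft.com", "google.com"]   # constructed watch-list
SAMPLES = [                                                # constructed observations
    "login.paypal.com", "p\u0430ypal.com", "rnicrosoft.com", "micros0ft.com",
    "microsofts.com", "paypal-secure-login.com", "gooogle.com", "example.org",
]

if __name__ == "__main__":
    for d in SAMPLES:
        r = assess(d, BRANDS)
        print(f"{r['domain']:<26} {r['verdict']:<15} brand={r['brand']}  mixed_script={r['mixed_script']}")
```

Run it on a feed of newly registered domains or on sender domains pulled from mail logs; `homoglyph` hits with `mixed_script=True` are the highest-confidence findings, while `typosquat` and `brand-embedded` need a human look because legitimate domains also trip those rules.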
Next step
Ready to measure your phishing and training program?
Book a demo and see how PhishGun can support your simulation and training program, reporting needs, and compliance evidence.