What is Phishing?
Last reviewed by Moderation API
Phishing is the dominant entry vector for credential theft, ransomware, and business email compromise on the modern internet. It is a social engineering attack where an adversary impersonates a trusted sender to harvest logins, payment data, or session tokens.
The FBI's Internet Crime Complaint Center (IC3) has ranked phishing as the most reported cybercrime in the United States for five years running, and the Anti-Phishing Working Group (APWG) regularly tracks well over a million unique phishing sites per quarter. What began as a niche hustle in the AOL warez scene is now a mature criminal economy with kits, affiliates, and SaaS-style infrastructure.
Origin and evolution
The term phishing first appeared in 1996 in the AOHell toolkit and on the alt.online-service.america-online Usenet group, where attackers "fished" for AOL passwords and credit card numbers by impersonating staff in chat rooms. The "ph" spelling nods to phreaking, the earlier phone-hacking subculture. From those chatroom cons, the technique moved to email in the early 2000s, targeted online banking by the mid-2000s, and today reaches users through any channel they trust: SMS, voice, QR codes, collaboration tools, and ad networks.
Attack flow and variants
A typical phishing campaign has a predictable arc. There is a lure (an email or message manufacturing urgency or authority), a landing page that mimics a legitimate login, and a capture step that exfiltrates credentials or plants malware.
Modern kits automate each stage and often proxy the real login in real time to defeat one-time passwords.
- Spear phishing: tailored messages aimed at a specific individual using open-source intelligence.
- Whaling: spear phishing directed at executives, often to authorize wire transfers.
- Smishing: phishing over SMS, frequently impersonating delivery services or tax authorities.
- Vishing: voice-based phishing, now routinely augmented with voice cloning.
- Quishing: QR-code phishing that bypasses email link scanners by embedding the payload in an image.
AI-powered phishing
Generative models have removed the single most reliable tell of a phishing email: broken grammar.
Large language models produce fluent, context-aware lures in any language at effectively zero marginal cost, and they personalize at a scale that used to be reserved for spear phishing alone. Combined with cheap voice cloning and deepfake video, attackers can now stage convincing multi-channel impersonations of a CFO approving a transfer or an IT admin requesting an MFA reset. Defenders have responded by shifting weight away from content heuristics and toward identity, provenance, and behavioral signals.
Defenses and detection
Email authentication is still the foundation. SPF, DKIM, and DMARC let receiving servers verify that a message actually came from the claimed domain, and enforcing a DMARC reject policy is the single most effective step a brand can take against direct-domain spoofing. On the user side, phishing-resistant MFA, specifically FIDO2 security keys and passkeys, neutralizes credential replay because the authentication is cryptographically bound to the real origin. Browser safe-browsing lists, URL reputation feeds, and DNS filtering catch known-bad destinations.
Inside user-generated content platforms, phishing detection is a moderation problem. Systems like Moderation API combine URL scanning, brand-impersonation classifiers, homoglyph detection, and behavioral signals (new account, high outbound link volume, repeated templates) to flag phishing before a victim clicks.
The most effective pipelines treat phishing as a graph problem, correlating lure, landing page, and infrastructure across reports rather than evaluating each message in isolation.
