Phishing

Phishing is the social-engineering attack where the adversary sends a message (email, SMS, voice call, chat) impersonating a trusted party to trick the recipient into surrendering credentials, opening malware, or wiring money. The single most common cause of account compromise across every measurement: Verizon DBIR 2024 puts phishing in the top three initial-access vectors year after year. Costs the global economy tens of billions annually.

What it means in practice

Modern phishing has industrialized. The “phishing kit” is a $50 bundle on cybercrime forums: ready-made clones of Microsoft 365, Google Workspace, Okta, banking, crypto-exchange login pages, with credential exfiltration and MFA-bypass relays built in. The 2024-era kits intercept TOTP codes in real time (the user enters the code on the fake page, the kit forwards it to the real service within the 30-second validity window). Domain typosquatting, homoglyphs (using Cyrillic characters that look like Latin), and lookalike subdomains all live. The structural defense is phishing-resistant authentication (FIDO2/WebAuthn hardware keys), because the cryptographic protocol binds the credential to the actual domain origin, not the domain that looks right to the user.

Who is targeted, and by whom

Targets stratified by attacker tier. Mass phishing (cybercrime crews): everyone with an email address, optimized for low-effort high-volume campaigns. Spear phishing (organized crime, commercial actors): specific individuals at specific organizations, customized message context drawn from LinkedIn, leaked corporate data, and prior breach corpora. Whaling (state actors, advanced operators): executives, politicians, dissidents, journalists, with messages tailored over weeks of reconnaissance. The common thread: the human is the vulnerability, the technical defenses are tools to remove the human from the critical path.

What you can change today

Three actions in order of leverage. First, enable hardware security keys (YubiKey or equivalent) on every account that supports them, especially primary email and password manager. Second, install a password manager and use the autofill behavior as a phishing detector: a password manager that does not autofill on the page you are looking at is telling you the domain is wrong. Third, when an urgent email asks you to click a link to verify or reset something, do not click; navigate to the service manually in a new tab and check from there. The instinct that something is off is correct more often than not; the discipline is to act on it.

Related articles