Phishing and security awareness glossary

Phishing and security awareness terminology, defined

A reference for the language used in phishing simulation and security awareness training. Includes the major attack types, defense techniques, email-authentication standards and compliance frameworks. Each term is independently anchored - link to a specific definition with /glossary#<term>.

Phishing attack types

Social engineering
The umbrella discipline of manipulating people (rather than exploiting software) into revealing information, granting access or executing actions that benefit an attacker. Phishing, spear phishing, whaling, BEC, vishing, smishing and pretext-driven attacks are all subsets of social engineering. The defense is human-layer: training, simulation, reporting culture and authentication friction that reduces the value of any single human compromise.
Phishing
A social-engineering attack in which an attacker poses as a trusted entity to trick a target into revealing credentials, financial information or sensitive data, or into executing a malicious action (clicking a link, opening an attachment, granting an OAuth permission, calling a phone number, scanning a QR code, authorizing a wire transfer). The single highest-volume cyber-attack category since the early 2000s. Per the Verizon DBIR, phishing is consistently the top initial-access vector across breaches involving the human element; the FBI IC3 ranks phishing as the most-reported cybercrime by complaint volume year over year. Five primary delivery channels: email phishing (historically the dominant channel), SMS phishing (smishing), voice phishing (vishing), QR-code phishing (quishing) and OAuth consent phishing. Targeted variants include spear phishing (specific individual), whaling (executives) and Business Email Compromise (financial-fraud-focused executive impersonation). Modern phishing tooling - Phishing-as-a-Service platforms (Tycoon, EvilProxy, Greatness), Adversary-in-the-Middle reverse proxies that defeat standard MFA and AI-generated grammatically-clean lures - has industrialized the discipline. Defense is layered: phishing-resistant MFA (FIDO2/passkeys) at the credential layer, OAuth admin-policy at the consent layer, sandbox detonation at the attachment layer, behavior analytics at the post-compromise layer, DMARC at p=reject at the domain-spoof layer and continuous simulated phishing programs at the user-recognition layer. Read more ->
Spear phishing
Phishing tailored to a specific individual or small set of named targets, typically using public or insider information to make the lure believable in a way generic mass phishing cannot. The defining shift versus mass phishing is reconnaissance: the attacker invests time learning the target's role, manager, current projects, vendor relationships, travel calendar, internal terminology and writing style before sending the lure. Common reconnaissance sources: LinkedIn (employer, role, tenure, named projects in profile), corporate websites (org charts, press releases, conference talk announcements), Hunter.io and similar email-pattern enumeration tools, breach-data dumps (HaveIBeenPwned, paid attacker forums), social-media metadata (vacation announcements, conference check-ins) and OSINT aggregators. Commonly named high-value target categories: executive administrative assistants (have full inbox visibility and signature authority on calendar items), finance and accounts-payable staff (wire-transfer authority and vendor-banking-detail access), IT administrators (privileged credentials and consent-policy authority), legal and HR (sensitive-data access and organizational signaling). AI tooling has compressed the time-cost of personalization at scale: an attacker with API credit can run reconnaissance and lure-authoring as a single pipeline, producing thousands of locale-tailored personalized lures per hour where the same volume in 2020 would have required a phishing-kit team of human authors. Whaling is the executive-targeted subset of spear phishing; Business Email Compromise is the financial-fraud-focused subset that increasingly chains spear-phishing reconnaissance with attorney or vendor impersonation.
Defense layers: phishing-resistant MFA at the credential layer (FIDO2/passkeys defeat AiTM-class spear-phishing regardless of lure quality), out-of-band verification for high-stakes actions, role-differentiated security awareness training (privileged-user training emphasizes the named target categories), and continuous simulated phishing programs that include hard-difficulty spear-phishing templates seeded with target-specific context. Read more ->
Whaling
Spear phishing aimed specifically at executives or other high-value targets (CEO, CFO, COO, board members, general counsel) where the loss-per-incident is highest. The targeting rationale: a single successful whaling attack can authorize multi-million-dollar wires, expose M&A or litigation data, or cascade into a full Business Email Compromise chain in which subordinates comply because the request appears to come from named senior leadership. Five common whaling patterns: (1) urgent-wire-transfer instruction citing a confidential M&A deal or vendor closeout; (2) tax or compliance pretext asking for W-2s or sensitive HR records "for the auditors"; (3) gift-card scheme aimed at executive admin assistants ("buy 50 Apple gift cards for client appreciation, send the codes"); (4) deepfake-voice CEO call instructing finance to release a wire (cloned from earnings calls or conference recordings); (5) calendar-injection attack using a compromised meeting-invite to deliver a follow-on link or attachment to executive recipients. Documented historical incidents include Mattel ($3 million attempted CFO impersonation, 2015 - partially recovered), Ubiquiti Networks ($46.7 million CFO-impersonation loss disclosed 2015), Pathé ($21 million CEO-impersonation loss across two transfers, 2018), Crelan Bank ($75 million BEC loss, 2016), FACC ($61 million CEO-fraud loss, 2016), and the Save the Children $1 million 2017 incident.
Defense layers: phishing-resistant MFA on all executive accounts (the highest-loss-target tier should run on the strongest authentication available), pre-shared code-word challenge for any executive-instruction wire request, two-person approval mandatory at all wire amounts (no exceptions for executive-claimed urgency), executive-admin training that explicitly covers the five named patterns, mailbox-rule monitoring on executive accounts (forwarding rules are a common post-takeover indicator), and continuous simulated phishing at hard difficulty targeting the executive cohort separately so the training reflects the elevated threat model. Read more ->
Business Email Compromise (BEC)
A targeted phishing attack focused on financial fraud, typically involving impersonation of an executive, vendor, HR contact or attorney to redirect wire transfers, invoice payments, payroll deposits or sensitive data. Five established sub-types: (1) CEO/CFO impersonation - email purportedly from a senior executive instructing an urgent wire transfer to a "new banking partner"; (2) vendor invoice fraud (also called false-invoice scheme) - attacker compromises or impersonates a real supplier and updates the banking instructions on a legitimate invoice; (3) payroll redirect - attacker impersonates an employee asking HR to change direct-deposit account before next payroll run; (4) attorney impersonation - the legal-pretext variant where the lure cites confidential M&A or litigation requiring secret immediate wire; (5) data theft / W-2 / sensitive-document scheme - attacker impersonates an executive requesting tax-document or HR-record exports. The FBI IC3 has reported BEC among the highest-loss cybercrime categories every year since 2016, with 2024 reported losses exceeding $2.9 billion in the United States alone. Distinguished from generic phishing by financial-fraud focus, executive-impersonation pretext and the absence of malware in many cases (the "compromise" is conversational rather than technical). Defense layers: out-of-band verification through a known phone number for any wire-transfer instruction, two-person approval on wires above a threshold, vendor-banking-change protocol that requires phone verification with a pre-existing contact, mailbox-rule monitoring (attackers commonly auto-forward mail to hide reply threads), DMARC at p=reject for direct domain-spoof variants, whaling-tier simulated phishing targeting executive accounts and finance-team-specific security awareness training on the named sub-types. Read more ->
Threat actor
An entity (individual, group, or organization) intentionally conducting cyberattacks or other malicious activity, characterized by motivation, capability and target preferences. Industry taxonomy groups threat actors into four primary classes: (1) **nation-state threat actors** -- intelligence-service-affiliated groups with high capability and strategic/geopolitical motivation (Mandiant's APT-numbered groups like APT28, APT29, APT40; CrowdStrike's animal-themed naming scheme with its BEAR/PANDA/KITTEN families); they conduct espionage, supply-chain compromise and selective infrastructure disruption. (2) **organized cybercrime groups** -- financially motivated, often ransomware affiliates or PhaaS operators (LockBit, BlackBasta, Akira, Scattered Spider, Lazarus when crossing into financial fraud); these groups produce the bulk of high-loss commercial breaches. (3) **hacktivists** -- ideologically motivated, lower capability, targeting visibility rather than profit (defacement, DDoS, doxxing). (4) **insiders / malicious insiders** -- employees, contractors or partners with legitimate access who exfiltrate or sabotage; high impact, low technical sophistication required. Phishing-program implications: different threat-actor classes use different lure patterns -- nation-state actors invest in spear-phishing reconnaissance and whaling; cybercrime groups operate phishing kits at scale; hacktivists rely on opportunistic generic phishing; insiders exploit context rather than external lure. Threat intelligence feeds attribute observed campaigns to threat-actor groups so defenders can tune detection patterns and simulation content to the actors most likely to target their sector. MITRE ATT&CK includes a Groups taxonomy mapping more than 150 named threat actors to specific techniques. Read more ->
Breach notification
The legal and regulatory obligation to inform affected individuals, regulators and (in some regimes) the public after a confirmed security incident involving personal or sensitive data. Multiple regimes with materially different timelines: (1) **GDPR Article 33** requires notification to the supervisory authority within 72 hours of becoming aware (Article 34 covers data-subject notification "without undue delay"); (2) **SEC Material Cyber Incident Disclosure** rule (effective December 2023) requires public-company Form 8-K filing within 4 business days of determining materiality; (3) **HIPAA Breach Notification Rule** (45 CFR 164.400-414) sets a 60-calendar-day window for individual and HHS notice plus media notice for breaches affecting 500+ residents of a state; (4) **state breach notification laws** -- all 50 US states have their own variants with timelines ranging from "without unreasonable delay" to specific day counts (e.g., NYDFS Section 500.17 at 72 hours); (5) **PCI DSS Requirement 12.10.6** mandates breach response procedures that include cardholder-data notification chain. Dwell time directly impacts breach-notification posture: the longer an attacker dwells undetected, the larger the determined scope and the harder the materiality assessment becomes within the 4-business-day SEC clock. Phishing programs reduce breach-notification frequency at two layers: lower click-through rate reduces successful initial-access events that become breaches, and higher report rate shortens detection time so incidents are smaller and possibly fall below materiality thresholds. Incident response playbooks should integrate breach-notification triggers explicitly (which roles authorize what notice, what the materiality test looks like, where regulator-facing communications go). Read more ->
Persistence
The attacker activity of establishing durable access to a compromised environment so the attacker survives common defensive responses (password rotation, session revoke, endpoint reboot, single-system reimage). MITRE ATT&CK enumerates persistence as Tactic TA0003 with more than two dozen techniques across endpoint, identity, mailbox, browser and cloud surfaces. Phishing-driven persistence is typically established within minutes of credential theft or account takeover. Five common phishing-led persistence mechanisms: (1) **inbox auto-forward rule** that copies replies and password-reset emails to an attacker-controlled address (survives password rotation); (2) **OAuth app grant** from consent phishing that retains API access regardless of credential changes (the highest-priority remediation gap because most playbooks miss it); (3) **secondary-credential creation** -- the attacker creates a new admin account or service principal while inside, leaving a clean entry point for re-entry; (4) **MFA-method tampering** -- adding an attacker-controlled phone number or authenticator app to the compromised account as a recovery option; (5) **endpoint persistence** -- scheduled tasks, registry run keys, autostart entries, browser-extension installs, EDR-bypassing loaders. Detection signal patterns: anomalous mailbox-rule creation, new OAuth-app grants, MFA-method additions outside expected workflows, new admin-role assignments, scheduled-task creation on workstations. Defenses: phishing-resistant MFA at the credential layer (prevents the initial compromise that enables most persistence), mailbox-rule monitoring with alerts on auto-forward creation, OAuth admin-policy restricting consent grants, conditional-access re-evaluation on suspicious behavior, EDR/XDR coverage tuned for persistence IOCs, and an incident-response playbook that explicitly enumerates persistence-mechanism hunt steps post-breach (not just password rotation). Read more ->
Incident response
The structured organizational process of detecting, containing, investigating, eradicating and recovering from a security incident (and learning from it afterwards). The dominant framework is NIST SP 800-61 Rev. 3 (Computer Security Incident Handling Guide) which defines four phases: (1) Preparation -- runbooks, tooling, staffing, communications templates ready before an incident occurs; (2) Detection & Analysis -- identifying that an incident is happening and characterizing its scope; (3) Containment, Eradication & Recovery -- bounding the impact, removing the attacker, restoring service; (4) Post-Incident Activity -- lessons-learned review and runbook updates. SANS uses a closely-related PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). ISO/IEC 27035 defines an equivalent five-phase model. For phishing programs specifically, incident response covers two distinct workflows: (a) simulation-click response (the auto-assigned remediation training pipeline that fires when a user clicks a simulated phish -- which is preparation for real-incident pattern recognition), and (b) real-phish-click response (the runbook executed when a user reports a real phishing email or one slips past gateway controls -- session revoke, mailbox-rule audit, password reset, lateral-movement search, downstream-contact notification). The clicked-phishing-link IR runbook covers the specific phishing-incident response playbook. Cyber-insurance underwriting in 2026 commonly asks about written IR runbooks; NIST CSF Respond function (RS.MA, RS.AN, RS.MI, RS.CO, RS.IM subcategories) maps to the NIST SP 800-61 phases. SOC 2 CC-7 (System Operations) and ISO 27001 Annex A.5.24-A.5.27 require documented IR processes as audit evidence. Mature programs validate the IR runbook through periodic tabletop exercises. Read more ->
Out-of-band verification
A procedural security control where a high-stakes instruction received through one channel (email, SMS, voice, chat) is independently confirmed through a separate, pre-trusted channel before the instructed action is taken. The "out-of-band" qualifier means the verification does NOT use the same channel as the original request -- so a phone call instruction is verified by callback to a known directory number (not by replying to the caller), and an email wire-transfer instruction is verified by phone call to the executive's known direct line (not by replying to the email). **Why it works against phishing:** the attacker controls the channel the lure arrives on (spoofed sender domain, AiTM-proxied URL, cloned voice, compromised account), but typically does not control the legitimate alternative channel (the executive's known phone number, the vendor's known portal). Cross-channel verification breaks the attack. **High-stakes scenarios that warrant out-of-band verification:** wire transfers above policy threshold, vendor banking-detail changes, payroll-redirect requests, W-2 / W-9 release requests, password-reset requests received by IT helpdesk from voice callers, OAuth admin-consent escalations, and any executive-impersonation instruction received during the executive's travel calendar window. **Implementation patterns:** documented two-person approval workflows that include the verification step, pre-shared code-word challenges for executive-instruction wires, vendor-portal-only banking-detail-change protocols (no email or call), and IT-helpdesk callback verification on a stated phone number from a corporate directory. Cyber-insurance underwriting in 2026 routinely asks about out-of-band verification policies for wire-transfer authorization and vendor-banking-change procedures; documented controls correlate to measurable premium-reduction outcomes. Read more ->
Tabletop exercise
A discussion-based incident-response exercise where the IR team (plus business stakeholders, often including legal, communications, executive sponsor and external IR retainer) walks through a hypothetical incident scenario from initial-detection through containment and recovery, identifying gaps in the IR runbook, communication chains and decision authority. Distinct from technical drills (red-team exercise, purple-team exercise, IR simulation): tabletop is conversation, not execution. Standard duration 2-4 hours. Standard cadence: quarterly to annually, with scenario types rotating across phishing-led BEC, ransomware encryption, vendor compromise, data-breach notification timeline and insider-threat scenarios. Phishing-program relevance: phishing-led BEC and ransomware-initial-access are the two highest-frequency tabletop scenarios because they are the dominant breach causes; the exercise tests whether the team can navigate the 72-hour breach-notification clock under GDPR Article 33, the 4-business-day SEC Material Cyber Incident Disclosure rule and sector-specific obligations. Cyber-insurance underwriting in 2026 frequently asks whether the organization conducts regular tabletop exercises with documented findings and remediation tracking. PCI DSS 12.10.6, NIS2 Article 21(2)(c), HIPAA Security Rule and SOC 2 CC7.3 all reference tabletop-style exercises as evidence of mature IR capability. Output: written after-action report documenting gaps, owner assignment and remediation timeline; the report is itself audit-evidence. Read more ->
Threat intelligence
Structured information about adversaries, their tradecraft and the active threat landscape, collected and analyzed to inform defensive decisions. Three operational tiers: (1) **strategic threat intelligence** -- adversary-group attribution, geopolitical motivations, sector-targeting trends; consumed by CISOs and risk committees; (2) **operational threat intelligence** -- specific TTPs (Tactics, Techniques and Procedures per MITRE ATT&CK), campaign signatures, lure-content trends; consumed by detection engineers and SOC analysts; (3) **tactical threat intelligence** -- IOCs (indicators of compromise: IPs, domains, file hashes, email-header signatures), shared via STIX/TAXII feeds, MISP, ISACs and commercial feeds; consumed by automated detection systems. For phishing programs specifically, threat-intelligence feeds enable: simulation-template freshness keyed to current real-world lure patterns (defenders see what attackers are actually sending), URL/domain reputation scoring at the email gateway, mailbox-rule alerting on attacker-signature indicators, and SOC pivoting from a single reported phish to broader campaign detection. Common feed sources: CISA AIS (Automated Indicator Sharing), FBI IC3 advisories, sector ISACs (FS-ISAC for financial, H-ISAC for healthcare), MS-ISAC for state/local government, commercial feeds (Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence), open-source feeds (PhishTank, AlienVault OTX, abuse.ch). Mature phishing-simulation programs route freshly-published lure-pattern intelligence into the template-refresh cadence -- testing the workforce against what attackers are currently sending rather than templates seeded with stale 2022 patterns. Read more ->
SIEM (Security Information and Event Management)
A platform category that ingests log and event data from across the IT estate (endpoints, servers, identity providers, email gateways, network devices, cloud workloads, SaaS APIs), correlates events in real time and produces alerts on patterns that match attacker behavior. SIEM is the backbone of most operational incident response programs and the system most often referenced when phishing-program reporting integrates with broader security operations. Major commercial SIEM platforms in 2026: Splunk (Cisco), Microsoft Sentinel, IBM QRadar, Sumo Logic, Securonix, Exabeam, Google Chronicle (formerly Mandiant), Elastic Security. Open-source / lower-cost alternatives include Wazuh, Graylog and the OpenSearch Security Analytics stack. The category is increasingly converging with XDR (Extended Detection and Response) and SOAR (Security Orchestration, Automation and Response) into unified platforms; the term SIEM continues to be the most common umbrella. For phishing programs, SIEM relevance is threefold: (1) ingestion of phishing-report events from a Report Phish button or mailbox add-in to correlate against email-gateway logs, (2) detection of post-click indicators (anomalous sign-ins, mailbox-rule creation, OAuth-app grant from a previously-unknown app) using the campaign click event as a pivot, (3) audit-evidence export of phishing-program operational logs alongside the broader SOC data. Cyber-insurance underwriting in 2026 routinely asks about SIEM coverage and retention period (90 days is the minimum baseline; 12 months is typical for regulated industries). Compliance frameworks reference SIEM-equivalent logging in HIPAA Security Rule 164.312(b), PCI DSS Requirements 10.1-10.7, NIST SP 800-53 AU family, ISO 27001 Annex A.8.15 and SOC 2 CC7.2. Read more ->
Lateral movement
The attacker activity that occurs AFTER an initial phishing-led breach where the adversary moves from the first compromised endpoint or account to other systems, accounts and data stores inside the environment to expand reach, escalate privileges and stage the eventual impact (ransomware encryption, mass data exfiltration, financial fraud). Lateral movement is the bridge between initial-access (typically phishing-led credential theft or malware delivery) and the high-loss outcomes that drive cyber-insurance claims. Common techniques per MITRE ATT&CK Lateral Movement tactic (TA0008): pass-the-hash, pass-the-ticket and golden-ticket attacks using stolen Kerberos credentials; Remote Desktop Protocol (RDP) and SMB-share traversal with reused passwords; remote-execution tooling abuse (PsExec, WMI, WinRM, PowerShell remoting); web-application session pivoting; abuse of legitimate IT-admin tooling (BloodHound for graph mapping, Cobalt Strike for command-and-control beacons, AnyDesk/ScreenConnect for remote-control persistence). Dwell time is the metric that bounds how far lateral movement can progress: shorter dwell time means fewer hops, less privilege-escalation, smaller blast radius. Defenses: network segmentation and microsegmentation; least-privilege identity policy; just-in-time admin rights; phishing-resistant MFA on lateral-pivot-relevant accounts (domain admin, service accounts, infrastructure accounts); EDR/XDR coverage tuned for lateral-movement IOCs (anomalous remote-execution, unusual cross-system authentication, large outbound mailbox download). Cyber-insurance underwriting in 2026 frequently asks whether lateral-movement detection (typically via EDR/XDR + SIEM correlation) is in place; the combined posture of strong initial-access controls (phishing-resistant MFA + simulation programs) AND lateral-movement detection produces the best premium outcomes. Read more ->
Account takeover (ATO)
The attack outcome where an attacker gains operational control of a legitimate user's account and uses it as a trusted identity to send phishing emails, exfiltrate data, change banking instructions, modify mailbox rules or pivot to other accounts. Account takeover is the typical second stage after credential theft and is the prerequisite for most Business Email Compromise incidents, internal-phishing waves and consent-phishing follow-on attacks. Five common post-takeover actions: (1) auto-forward inbox rule to hide replies from the legitimate user; (2) password reset on the compromised account plus on adjacent services tied to the same identity; (3) outbound phishing from the takeover address to contacts (the lure inherits the trusted-sender reputation); (4) OAuth token issuance under the compromised identity to establish persistence even after password reset; (5) data exfiltration via SharePoint/OneDrive/Workspace mass-download. Indicators of compromise: new mailbox forwarding rules, sign-ins from unusual geographies or device fingerprints, password-reset emails the user did not initiate, OAuth-app grants the user does not recognize, anomalous outbound mail volume. Defenses: phishing-resistant MFA at credential layer (FIDO2/passkeys); conditional-access requiring compliant device + trusted location; mailbox-rule monitoring with alerts on auto-forward creation; continuous-access evaluation for token revocation on suspicious behavior; user training on the recognition pattern (suspicious password-reset emails, unexpected OAuth-app prompts). Verizon DBIR consistently ranks credential-theft-into-account-takeover as the top initial-access vector behind breaches involving the human element. Read more ->
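The detection signals named under Persistence and Account takeover above (auto-forward mailbox rules, new OAuth-app consent grants, MFA-method additions, sign-ins from unexpected geographies), as an added example that is not part of the glossary or any vendor's product: a sweep over a constructed audit-log sample. The event field names and operation strings are an assumption modeled loosely on a Microsoft 365 unified audit log; real logs differ per provider.

```python
"""Post-compromise indicator sweep over a constructed audit-log sample.

Added illustrative example. The event schema (ts / user / operation / params)
and the operation names are assumptions chosen for this example; map them to
the identity provider's and mail platform's real audit-log field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from a real tenant). Timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T08:05:00", "user": "cfo@example.com", "operation": "UserLoggedIn",
     "params": {"country": "US"}},
    {"ts": "2026-03-02T08:21:00", "user": "cfo@example.com", "operation": "UserLoggedIn",
     "params": {"country": "NG"}},
    {"ts": "2026-03-02T08:23:00", "user": "cfo@example.com", "operation": "New-InboxRule",
     "params": {"ForwardTo": "archive-cfo@mailbox.example.net", "DeleteMessage": True}},
    {"ts": "2026-03-02T08:25:00", "user": "cfo@example.com", "operation": "Consent to application",
     "params": {"app": "Mail Sync Helper", "scopes": "offline_access Mail.Read"}},
    {"ts": "2026-03-02T08:30:00", "user": "cfo@example.com", "operation": "User registered security info",
     "params": {"method": "Authenticator app"}},
    # A benign rule (no forwarding) and a normal sign-in from a second user; must not be flagged.
    {"ts": "2026-03-02T09:00:00", "user": "it-admin@example.com", "operation": "New-InboxRule",
     "params": {"MoveToFolder": "Tickets"}},
    {"ts": "2026-03-02T09:10:00", "user": "it-admin@example.com", "operation": "UserLoggedIn",
     "params": {"country": "US"}},
]

# Assumption: the organisation's normal sign-in geographies.
EXPECTED_COUNTRIES = {"US", "CA"}
FORWARD_KEYS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_indicators(events, expected_countries=EXPECTED_COUNTRIES,
                      travel_window=timedelta(hours=2)):
    """Return (user, indicator, detail) tuples for the post-takeover signals."""
    findings = []
    last_login = {}  # user -> (timestamp, country) of the previous sign-in
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, op, p, ts = ev["user"], ev["operation"], ev["params"], _parse_ts(ev["ts"])
        if op == "New-InboxRule":
            # Only rules that send mail outside the mailbox are persistence indicators.
            for key in FORWARD_KEYS:
                if key in p:
                    findings.append((user, "mailbox_autoforward_rule", p[key]))
                    break
        elif op == "Consent to application":
            scopes = set(p.get("scopes", "").split())
            # offline_access means a refresh token: access survives password reset.
            kind = "oauth_grant_offline_access" if "offline_access" in scopes else "oauth_grant"
            findings.append((user, kind, p.get("app")))
        elif op == "User registered security info":
            findings.append((user, "mfa_method_added", p.get("method")))
        elif op == "UserLoggedIn":
            country = p.get("country")
            if country not in expected_countries:
                findings.append((user, "signin_unexpected_country", country))
            prev = last_login.get(user)
            if prev and prev[1] != country and ts - prev[0] <= travel_window:
                findings.append((user, "impossible_travel", f"{prev[1]}->{country}"))
            last_login[user] = (ts, country)
    return findings


def triage(findings, min_indicators=2):
    """Accounts showing several distinct indicators get hunted first, not just a password reset."""
    per_user = defaultdict(set)
    for user, indicator, _ in findings:
        per_user[user].add(indicator)
    return {u: sorted(i) for u, i in per_user.items() if len(i) >= min_indicators}


if __name__ == "__main__":
    found = detect_indicators(SAMPLE_EVENTS)
    for item in found:
        print(item)
    print("priority accounts:", triage(found))
```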
Credential theft (credential harvest)
The attacker outcome where stolen username + password pairs (and increasingly session cookies or refresh tokens) are obtained, most commonly via phishing. "Credential harvest" describes the active capture process; "credential theft" describes the resulting compromise. Common harvest mechanisms: cloned login pages mimicking brand-impersonated sites (Microsoft 365, Google Workspace, Okta), AiTM reverse proxies that capture both credentials AND the post-MFA session token in real-time, browser-form autofill injection, fake password-reset workflows, and OAuth consent phishing that captures access tokens directly. The Verizon DBIR consistently ranks credential theft as the top initial-access vector behind breaches involving the human element; CISA Known Exploited Vulnerabilities catalogs document credential-theft staging for ransomware and BEC operations. Defenses are layered: phishing-resistant MFA (FIDO2 / passkeys / hardware security keys) defeats password-only credential theft AND blocks AiTM cookie-theft for the credential-bound session; conditional-access (compliant-device + trusted-location requirements) constrains use of stolen credentials from attacker infrastructure; auto-assigned training on credential-protection patterns after a click event; session-binding to device identity; continuous-access evaluation for token revocation on suspicious behavior; mailbox-rule monitoring to catch attacker auto-forwarding of password-reset emails. Credential theft typically chains forward into BEC, ransomware, lateral movement and data exfiltration -- which is why the dwell time between theft and detection is the operative metric. Read more ->
Refresh token
A long-lived credential issued by an OAuth 2.0 / OpenID Connect authorization server that an application uses to obtain new short-lived access tokens without re-authenticating the user. Standard authorization-server practice: a successful login produces an access token (typically 1-hour lifetime) PLUS a refresh token (typically 14-90 days or longer, depending on provider policy and offline_access scope). The refresh token is the persistent credential -- it survives password resets, session revocations and most routine security responses unless the issuing administrator explicitly revokes the grant. **Phishing-program relevance:** refresh tokens are the durable artifact attackers extract in AiTM reverse-proxy attacks (alongside session cookies) and the primary persistence mechanism in OAuth consent phishing (the attacker registers a malicious app, the user grants offline_access scope, the attacker obtains refresh tokens valid for 90 days or until admin revocation). This is why password reset alone does not remediate a consent-phishing or AiTM compromise -- the refresh token continues to mint access tokens until explicitly revoked at the OAuth admin level. **Defenses:** OAuth admin-policy restricting consent to admin-approved apps (Azure AD "User consent settings: Do not allow user consent"; Google Workspace "App access control"), conditional-access policies requiring compliant device + trusted location for token use, continuous-access evaluation (CAE) for near-real-time revocation on risk signals, and explicit token-revocation playbooks in IR runbooks for any reported consent-phishing or AiTM event. Token-theft incidents accounted for an increasing share of breach-response invoices reported by major IR retainers through 2025-2026. Read more ->
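The remediation gap described above (password reset leaves an attacker-held refresh token valid until the grant is revoked), as an added example that is not part of the glossary or any provider's code: an in-memory authorization-server model, an assumption of this example, that issues 1-hour access tokens and 90-day refresh tokens and checks the password only at initial authorization, as real providers do.

```python
"""Toy OAuth 2.0 token-lifecycle model: password reset vs. grant revocation.

Added illustrative example. ToyAuthServer is an assumed stand-in for a real
authorization server; it keeps the semantics the glossary describes (refresh
tokens outlive password resets) without any of a real server's other checks.
"""
import secrets
from datetime import datetime, timedelta

ACCESS_LIFETIME = timedelta(hours=1)
REFRESH_LIFETIME = timedelta(days=90)


class TokenRevoked(Exception):
    """Raised when a refresh token no longer maps to a live grant."""


class ToyAuthServer:
    def __init__(self):
        self.passwords = {}   # user -> password (plaintext only because this is a toy)
        self.grants = {}      # refresh_token -> {"user", "client", "scopes", "expires"}

    def register_user(self, user, password):
        self.passwords[user] = password

    def authorize(self, user, password, client, scopes, now):
        """Interactive login; a refresh token is issued only when offline_access is granted."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        access = self._mint_access(user, client, now)
        refresh = None
        if "offline_access" in scopes:
            refresh = secrets.token_urlsafe(32)
            self.grants[refresh] = {"user": user, "client": client,
                                    "scopes": set(scopes), "expires": now + REFRESH_LIFETIME}
        return access, refresh

    def refresh(self, refresh_token, now):
        """Exchange a refresh token for a new access token. The password is NOT consulted."""
        grant = self.grants.get(refresh_token)
        if grant is None or now > grant["expires"]:
            raise TokenRevoked("refresh token is revoked or expired")
        return self._mint_access(grant["user"], grant["client"], now)

    def reset_password(self, user, new_password):
        """The usual first IR step. Note that it never touches self.grants."""
        self.passwords[user] = new_password

    def revoke_grants_for_user(self, user):
        """The admin-level step: revoke app consent / refresh tokens for the account."""
        doomed = [rt for rt, g in self.grants.items() if g["user"] == user]
        for rt in doomed:
            del self.grants[rt]
        return len(doomed)

    @staticmethod
    def _mint_access(user, client, now):
        return {"sub": user, "azp": client, "exp": now + ACCESS_LIFETIME}


def remediation_walkthrough(now=None):
    """Return (works_after_reset, works_after_revocation) for an attacker-held refresh token."""
    now = now or datetime(2026, 3, 2, 9, 0)
    srv = ToyAuthServer()
    srv.register_user("cfo@example.com", "Spring2026!")
    # Consent phishing outcome: the victim granted an attacker-registered app offline_access.
    _, attacker_refresh = srv.authorize("cfo@example.com", "Spring2026!", "mail-sync-helper",
                                        ["Mail.Read", "offline_access"], now)
    # Step 1: helpdesk resets the password. The refresh token still mints access tokens.
    srv.reset_password("cfo@example.com", "NewPassword!2026")
    try:
        srv.refresh(attacker_refresh, now + timedelta(days=3))
        works_after_reset = True
    except TokenRevoked:
        works_after_reset = False
    # Step 2: an admin revokes the grant. Only now does the attacker's token stop working.
    srv.revoke_grants_for_user("cfo@example.com")
    try:
        srv.refresh(attacker_refresh, now + timedelta(days=3))
        works_after_revocation = True
    except TokenRevoked:
        works_after_revocation = False
    return works_after_reset, works_after_revocation


if __name__ == "__main__":
    print(remediation_walkthrough())  # (True, False)
```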
Vishing
Voice phishing - phishing conducted over a phone call, increasingly with deepfake-cloned voices. Five common pretext categories: (1) IRS or HMRC tax-debt threat with arrest-warrant urgency; (2) Social Security Administration suspended-number scare requiring "verification"; (3) tech-support refund scams (Geek Squad, McAfee, Norton subscription cancellation pretexts) that route victims into remote-access tools (AnyDesk, ScreenConnect, TeamViewer); (4) bank-fraud-alert pretext asking the victim to "verify" or "transfer to a safe account"; (5) executive-impersonation wire fraud where a deepfake-cloned CEO voice instructs a finance staffer to authorize a wire. AI voice-cloning (a few minutes of public audio - earnings calls, podcast appearances, conference talks - is enough for modern open-source models to generate real-time speech) has crossed the human-discrimination threshold for most listeners since 2024. Vishing increasingly chains with email or SMS as the lure: the victim gets an email with a callback number (see callback phishing / TOAD) or a text from a "fraud team" requesting a return call - the phone call is the actual attack vector. Defense is process-based, not detection-based: mandatory callback verification through a known channel (the number on the back of the credit card, the corporate directory, the official IRS contact line at irs.gov), pre-shared code-word challenge for executive-instruction calls, two-person approval on wires above a threshold, and continuous vishing simulation that exercises the deepfake and pretext patterns directly. Read more ->
STIR/SHAKEN
A pair of US-and-Canada-mandated telecom standards (STIR = Secure Telephone Identity Revisited; SHAKEN = Signature-based Handling of Asserted information using toKENs) that cryptographically authenticate caller-ID on calls traversing the public telephone network. STIR (IETF RFCs 8224-8226) defines how an originating carrier signs the caller's number with a private key; SHAKEN (ATIS-1000074) defines the carrier-to-carrier handoff including attestation levels (A: full attestation, B: partial, C: gateway only). FCC required full implementation by US carriers in 2021 and extended to small/rural carriers by 2023. Practical impact on vishing: terminating carriers can flag or block calls failing STIR/SHAKEN verification or with low attestation, materially reducing caller-ID spoofing -- the dominant historical pretext for IRS-impersonation and tech-support-refund smishing/vishing scams. Adoption gaps remain: international calls (no equivalent mandate outside North America), small carriers with delayed enforcement, and TDM-to-VoIP gateway segments that strip the SHAKEN headers. Phishing-program implication: STIR/SHAKEN is a meaningful but incomplete control at the carrier layer -- multi-channel simulation programs should continue to exercise vishing scenarios because the gaps remain exploitable. UK Ofcom Network-Level Blocking and EU eIDAS digital-signature framework address adjacent problems in their respective jurisdictions. Read more ->
Smishing
SMS phishing - phishing conducted over text message (160-character SMS, MMS or RCS) or chat-app channels (WhatsApp, iMessage, Signal, Telegram). Routes around email-gateway filtering entirely. Five common attack categories: (1) delivery-failure pretexts impersonating USPS, FedEx, UPS, DHL or Royal Mail asking the recipient to "reschedule delivery" via a redirect link; (2) MFA-prompt impersonation - fake codes purportedly from a bank or M365 with a callback number for "fraud verification"; (3) banking-fraud-alert - "we blocked a transaction, click to verify" with attacker-controlled URL; (4) HR/payroll-redirect lures targeting employees with "your direct deposit needs verification"; (5) IT-helpdesk MFA-reset asking the user to "approve a pending login" or share a token. Mobile devices are systematically underserved by enterprise security tooling - no SafeLinks-equivalent URL rewriting on most carriers, no inline phishing warnings, no display of full URLs before tap, and link-shorteners (bit.ly, t.co, tinyurl) are normalized in mobile UX. The attacker exploits the format constraint: 160 characters compresses pretext to a single hook, urgency cue and link, eliminating the longer-form red flags trained users are taught to recognize in email. Defense layers: carrier-side filtering (US carriers' STIR/SHAKEN for caller-ID and short-code-spam blocking), link-preview-before-tap browser settings, MDM policies that auto-block known-bad URLs, simulation programs that include smishing campaigns alongside email and continuous security-awareness reinforcement on the mobile-channel pattern. Read more ->
Quishing
QR-code phishing - an attack pattern that hides a malicious URL inside a QR code, exploiting the user's trust in scan-and-go affordance and bypassing email-gateway URL scanning because the link is encoded inside an image rather than as anchor text. Five common deployment vectors: (1) email-attached or email-embedded QR images delivering MFA-pretext or document-share lures past gateway URL filters; (2) physical stickers placed over legitimate parking-meter, restaurant-menu, charging-station or invoice QR codes (the "QR-jacking" pattern); (3) printed mailers impersonating utilities, banks, IRS or USPS with a "scan to pay" or "scan to verify" call to action; (4) fake invoice or receipt QR codes routing wire payments to attacker accounts; (5) boarding-pass and shipping-label impersonation in transit and logistics. The mobile-channel underservice problem applies: most mobile camera apps display only a truncated preview of the URL or none at all before tap-to-open, and the destination opens in the default browser without the SafeLinks-equivalent inline-warning layer enterprise users get on desktop email. Quishing volume increased materially through 2023-2025 as commercial spam filters became proficient at flagging URL-bearing emails; switching the URL to an image-encoded representation reset the gateway scanning baseline. Defense: enterprise email gateways with image-OCR + URL-extraction-from-image (Microsoft Defender for Office 365, Mimecast, Proofpoint TAP all added this in 2023-2024); user training on the image-link pattern; mobile camera apps configured to show full URL preview before opening; default-app browser configuration that surfaces the destination domain prominently; simulated phishing programs that include quishing campaigns alongside email and SMS. Read more ->
Clone phishing
A phishing technique where the attacker copies a legitimate email the target has already received - matching subject line, sender styling, signature block, attachment naming - and replaces the link or attachment with a malicious version. The attack relies on the user remembering the original message and not noticing the substitution. Common vectors: meeting invites, document-share notifications (Microsoft 365, Google Workspace, Dropbox), order confirmations, password reset emails. The attacker either compromises a sender's mailbox to access the original or harvests examples from data breaches and reuses them as templates. Defense: simulation training that includes clone-phishing patterns, mailbox-rule monitoring to detect post-takeover mailbox-forwarding (the source of the cloned originals), DMARC at p=reject for direct-domain spoofing, and out-of-band verification for high-stakes actions referenced in the cloned message.
Pharming
Manipulation of DNS resolution or local hosts files to silently redirect users to fake versions of legitimate sites without changing the URL the user typed or clicked. The address bar shows the correct domain (e.g., bank.example.com) but the IP behind it is attacker-controlled. Three main attack vectors: (1) DNS cache poisoning at a recursive resolver (rare against modern DNSSEC-validating resolvers but possible against legacy infrastructure); (2) router/home-network DNS hijacking via compromised default credentials or firmware vulnerabilities; (3) malware-modified hosts file on the endpoint, often delivered via classic phishing or malicious download. Defense: DNS-over-HTTPS or DNS-over-TLS at the endpoint, DNSSEC validation at the recursive resolver, endpoint EDR that monitors hosts-file modification, certificate-pinning in the browser/app (the TLS certificate mismatch is the failure point modern browsers detect), and HSTS preload on sensitive domains. Pharming is rarer than pure phishing in 2026 because TLS deployment closed most of the attack surface, but residual cases against legacy infrastructure or compromised home routers continue.
Brand impersonation
A phishing pretext that mimics a specific known brand visually and tonally - logo, color palette, signature block, common email layout - to leverage existing user trust and authority recognition. The single most-impersonated category in 2026 phishing. Top-tier impersonation targets per Check Point Brand Phishing reports, Cofense annual phishing intelligence and APWG quarterly trends: Microsoft (M365 password expiry, Teams meeting share, OneDrive document share dominate), Google (Workspace document share, security alert), DocuSign (envelope ready to sign), Adobe (file share via Acrobat Sign), Apple (iCloud account verification, App Store receipt), Amazon (order confirmation, delivery exception, account hold), FedEx and UPS and DHL (delivery exception, customs clearance), IRS (tax refund, audit notice - peaks January-April annually), banking (Chase, Wells Fargo, Bank of America, Barclays, HSBC for fraud-alert pretext), Geek Squad / McAfee / Norton (subscription cancellation refund pretexts that route to callback phishing / TOAD) and HR/payroll platforms (ADP, Workday for payroll-redirect lures). Brand-impersonation lures often combine with typosquatting or homograph domains so the visible from-address reinforces the impersonation; modern campaigns increasingly skip domain-spoofing in favor of brand-pixel-perfect lookalike domains hosted on attacker infrastructure with valid TLS certificates from automated CAs. 
Defense layers: brand-protection-monitoring services (CSC, MarkMonitor, BrandShield, ZeroFox) that surveil typosquatted and lookalike registrations of major brands; DMARC at p=reject for the legitimate brand domains (forces attackers off direct-spoof onto lookalike domains); user training that emphasizes hover-to-reveal-link patterns and out-of-band verification for any brand-claimed action; simulated phishing programs that include the top-tier brand-impersonation templates so users encounter the patterns under safe conditions; and email gateways with brand-resemblance detection that flag visual-similarity scores against known logos. Read more ->

Defense and program design

Simulated phishing
A controlled phishing campaign run by an organization against its own employees to measure susceptibility and trigger remediation training. Also called "phishing simulation," "phishing test" or "phishing exercise." Five attack-intent categories typically tested: credential harvest, attachment-based malware delivery, BEC/wire-fraud, link-based info theft and account-spoof prompts. Three difficulty levels in mature programs: easy (obvious red flags - bad grammar, mismatched URLs), regular (representative real-world lures), hard (well-crafted spear-phishing with target-specific personalization including AI-generated templates). Recommended cadence is monthly with quarterly as the practical minimum; annual-only programs draw audit observations. Programs are required or strongly recommended by HIPAA §164.308(a)(5), PCI DSS 12.6.3, NIST CSF PR.AT, ISO 27001 Annex A.6.3, NIS2 Article 21(2)(g) and SOC 2 CC1.4. Distinct from a real phishing attack: no credentials are exfiltrated to attackers, captured form data is redacted or discarded by the platform, and users land on a remediation page rather than a credential-stealer. Cyber-insurance underwriting questionnaires in 2026 now treat documented simulation-program evidence as a standard underwriting input alongside MFA coverage and DMARC enforcement. Multi-channel coverage (email + SMS smishing + voice vishing) is the 2026 expected baseline for mature programs as attackers route increasingly around email-only defenses. Read more ->
Security awareness training
Structured education delivered to employees to teach recognition of phishing, other social-engineering attacks and broader cyber-hygiene practices (password and MFA hygiene, data handling, incident reporting, device security, malicious software, AI-generated lure recognition). Also called "security awareness," "cybersecurity awareness training" or "SAT." Content categories typically delivered: video micro-modules (5-10 minutes per topic, watched on a rotating quarterly schedule), interactive scenario walk-throughs (decision-tree exercises against a phishing email or pretext call), gamified knowledge checks (short quizzes with leaderboards), and remediation training auto-assigned the moment a user fails a simulated phishing test. Effective programs differentiate by role: general workforce coverage on the broad topics; privileged-user training (IT admins, finance, executives) on threats specific to their access (consent phishing for IT, BEC/wire-fraud for finance, whaling and deepfake voice for executives); supply-chain training for third-party staff with scoped access. Cadence is at least annual for compliance-floor coverage with quarterly micro-module rotation as the practical maturity standard; monthly delivery is the high-maturity benchmark. Required or strongly recommended by HIPAA §164.308(a)(5)(i)(A), PCI DSS 12.6.1-12.6.3 (training upon hire and at least annually), NIST CSF PR.AT-01 / PR.AT-02 sub-categories, ISO 27001 Annex A.6.3, NIS2 Article 21(2)(g) cyber-hygiene baseline and SOC 2 CC1.4. Most effective when paired with continuous simulated phishing rather than as an annual standalone -- behavior-triggered learning lands harder than calendar-scheduled training. Read more ->
Click-through rate
The percentage of recipients who click a simulated phishing link within a campaign. Calculated as `(unique users who clicked / total recipients) x 100` and reported per campaign and on rolling 90-day and 12-month trend lines. The primary phishing-susceptibility metric. Industry benchmarks vary by published source: untrained organizations cluster around 25-35% baseline click rate per the published KnowBe4 Phishing By Industry report and Verizon DBIR human-element data; programs running monthly simulation with auto-assigned remediation typically reach 5-10% within 12 months and below 5% within 24 months. Mature programs trend below 5% sustained, with industry-vertical variation - financial services and government tend to land lower (3-5%), healthcare and manufacturing higher (6-9%) due to template-context familiarity and workforce composition. Click-through rate alone is increasingly insufficient as a program-quality signal; mature programs report it alongside completion rate, time-to-click distribution, repeat-clicker percentage and report-rate (the share of users who reported the simulation as suspicious). Cyber-insurance underwriting questionnaires in 2026 commonly request both 12-month click-rate trend and report-rate trend as evidence of program effectiveness rather than just point-in-time click numbers. Read more ->
Completion rate
The percentage of users assigned remediation training who finish the module within the program's expected time window. Calculated as `(users who completed / users assigned) x 100` and reported per-cohort and on rolling trend. Standard time windows: 7-day completion is the maturity benchmark; 14-day is the practical floor; anything beyond 14 days indicates a broken auto-assigned-training escalation chain. Mature programs sustain 90%+ completion at 7 days and 95%+ at 14 days; below 80% at 14 days is an audit observation in most compliance regimes. PCI DSS 12.6 evidence requires both training-content artifacts and completion records; NIST CSF PR.AT-01 evidence weights completion documentation alongside content; ISO 27001 Stage 2 audits regularly request 12-month completion-rate trend by department. Cyber-insurance underwriting questionnaires in 2026 commonly request both click-through rate and completion-rate trend as paired program-quality signals -- click-rate alone with no completion-rate evidence is treated as an incomplete control demonstration. Repeat-non-completer escalation chain (day 1 user notification -> day 4 user reminder -> day 7 manager copy -> day 14 next-level-management or HR cc) is the standard pattern that drives the metric upward; programs without escalation typically plateau at 60-75% and stay there. Read more ->
Time-to-remediation
The median elapsed time between a user clicking a simulated phishing link and completing the auto-assigned remediation training module. Calculated as `median(training_completion_timestamp - click_timestamp)` per campaign and on rolling 90-day and 12-month trend lines. The metric measures the responsiveness of the remediation pipeline rather than the susceptibility of the workforce. Industry benchmarks: mature programs sustain below 24 hours; 24-72 hours is normal for first-year programs; above 7 days indicates a broken auto-assignment or escalation chain (the user got the assignment but no one followed up). Mature programs report time-to-remediation alongside completion rate -- a healthy program has BOTH high completion (90%+) AND short time-to-remediation (under 24 hours); high completion at long time-to-remediation typically reflects an escalation chain doing the work the auto-assignment should have done; short time-to-remediation at low completion typically reflects motivated users completing quickly but others not completing at all. Cyber-insurance underwriting questionnaires in 2026 frequently request time-to-remediation alongside completion-rate trend as evidence of the remediation pipeline working end-to-end; brokers read 72+ hour median as a residual-control-gap signal. Required as evidence by SOC 2 CC-7 (system operations) and aligned with NIST CSF RS.MI-2 (incident response mitigation) when phishing is treated as a managed-incident category. Read more ->
Dwell time
The elapsed time between an attacker's initial compromise of an environment and the moment defenders detect the intrusion. Measured in days, calculated as `(detection_date - initial_compromise_date)`. The lower the dwell time, the smaller the blast radius -- shorter dwell time bounds data exfiltration volume, lateral-movement scope and ransomware-staging depth. Mandiant M-Trends published median global dwell time of approximately 10-16 days in recent reporting (down from ~200 days a decade ago); internally-detected median is shorter than externally-disclosed median (notified by FBI/CISA/vendor) by a meaningful margin. Phishing matters to dwell time because phishing is the most common initial-access vector behind dwell-time-extending breaches per the Verizon DBIR human-element data; defenders' ability to detect phishing-initiated compromise depends partly on user-reporting volume (the "active detection" signal that report rate measures). The SEC Material Cyber Incident Disclosure rule requires public-company disclosure within 4 business days of determining materiality -- a long dwell time stretches the regulatory clock as well as the breach impact. Security awareness training programs reduce dwell time at the user layer by turning the workforce into a distributed sensor; mature programs report dwell-time-contribution alongside click-rate trends. NIST SP 800-61 incident response, NIST CSF DE (Detect) function and ISO 27001 A.16 incident-management requirements all implicitly target dwell time even when the term itself is not used. Read more ->
Repeat-clicker rate
The percentage of users who click a simulated phishing link in two or more consecutive campaigns. Calculated as `(unique users who clicked in N consecutive campaigns / total users tested in all N campaigns) x 100` and reported on rolling 6-month and 12-month trend lines. The 2-campaign-consecutive definition is the most common; some programs use 3-of-last-6 instead. Industry benchmarks: mature programs sustain below 5%; 5-10% is normal mid-program; above 10% indicates concentrated risk in a small population that needs targeted intervention. A flat or rising repeat-clicker rate alongside falling click-through rate is a critical diagnostic -- the population at large is learning but the repeat-clicker cohort is not retaining the lesson, signalling a content-quality or delivery-cadence problem rather than a coverage problem. Mature programs run a documented threshold-exceedance playbook for the repeat-clicker cohort (manager notification, role-specific template families, additional auto-assigned training, executive-cohort referral) rather than relying on standard cadence to surface the gap. Cyber-insurance underwriting questionnaires in 2026 frequently request repeat-clicker-rate trend alongside click-rate trend; underwriters increasingly read concentrated repeat-clicker risk as a residual-control-gap signal. Read more ->
Report rate
The percentage of recipients who actively report a simulated phishing message as suspicious through the organization's reporting channel (one-click Outlook add-in button, dedicated phishing@ mailbox, embedded report-button in webmail). Calculated as `(unique users who reported / total recipients) x 100` and reported alongside click-through rate as a paired engagement metric. Mature programs target a 30-50% report rate at 12 months and 50%+ at 24 months -- when more users report than click, the population has shifted from passive susceptibility to active detection. Report rate, the program's "active detection" signal, and click-through rate, its "passive susceptibility" signal, are complementary; cyber-insurance underwriting in 2026 commonly weights both as paired program-quality signals on renewal questionnaires. The report-rate metric requires a low-friction reporting channel: a one-click Outlook/M365 add-in or Gmail/Workspace add-on that turns the reported message into both a remediation-training trigger and a real-detection signal for the security operations team. Multi-channel programs include report mechanics for SMS (forward-to-shortcode pattern with auto-acknowledgment) and voice (dedicated voicemail or chat-based report) so smishing and vishing simulations produce comparable measurement. ENISA awareness-raising guidelines, CISA Cyber Hygiene resources and the FBI IC3 phishing-reporting guidance all cite end-user reporting as the leading-indicator signal for both real-attack detection and program effectiveness. Read more ->
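The five program metrics defined above (click-through rate, completion rate, time-to-remediation, repeat-clicker rate and report rate) computed over constructed campaign event data, with the threshold checks the entries describe. This is an added example, not output from any simulation platform; the campaign names, users and timestamps are made up.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed event data for two consecutive monthly campaigns (added example,
# not platform output). Clickers are auto-assigned remediation at click time;
# "completed" holds the module completion timestamp, or None if still open.
T_JAN = datetime(2026, 1, 6, 9, 0)
T_FEB = datetime(2026, 2, 3, 9, 0)
STAFF = ["ana", "ben", "cai", "dee", "eli", "fay", "gus", "hal", "ivy", "jo"]
CAMPAIGNS = [
    {
        "name": "jan-m365-password-expiry",
        "recipients": STAFF,
        "clicks": {"ben": T_JAN + timedelta(minutes=12),
                   "dee": T_JAN + timedelta(hours=3),
                   "gus": T_JAN + timedelta(minutes=40)},
        "reports": {"ana", "cai", "fay", "ivy"},
        "completed": {"ben": T_JAN + timedelta(hours=5, minutes=12),   # 5h after click
                      "dee": None,                                      # never completed
                      "gus": T_JAN + timedelta(days=2, minutes=40)},    # 48h after click
    },
    {
        "name": "feb-docusign-envelope",
        "recipients": STAFF,
        "clicks": {"ben": T_FEB + timedelta(minutes=8),
                   "hal": T_FEB + timedelta(hours=1)},
        "reports": {"ana", "cai", "dee", "fay", "ivy", "jo"},
        "completed": {"ben": T_FEB + timedelta(hours=20, minutes=8),   # 20h after click
                      "hal": T_FEB + timedelta(hours=31)},             # 30h after click
    },
]


def click_through_rate(campaign):
    """(unique users who clicked / total recipients) x 100."""
    return 100.0 * len(campaign["clicks"]) / len(campaign["recipients"])


def report_rate(campaign):
    """(unique users who reported / total recipients) x 100."""
    return 100.0 * len(campaign["reports"]) / len(campaign["recipients"])


def completion_rate(campaign, window_days=7):
    """(users who completed within the window / users assigned) x 100.
    Everyone who clicked was assigned; None when nobody was assigned."""
    assigned = campaign["clicks"]
    if not assigned:
        return None
    done = 0
    for user, clicked_at in assigned.items():
        finished = campaign["completed"].get(user)
        if finished is not None and finished - clicked_at <= timedelta(days=window_days):
            done += 1
    return 100.0 * done / len(assigned)


def time_to_remediation_hours(campaign):
    """median(training_completion_timestamp - click_timestamp) in hours over
    users who have completed; None when nobody has."""
    deltas = [(campaign["completed"][u] - clicked_at).total_seconds() / 3600
              for u, clicked_at in campaign["clicks"].items()
              if campaign["completed"].get(u) is not None]
    return median(deltas) if deltas else None


def repeat_clicker_rate(campaigns):
    """(users who clicked in every one of the N consecutive campaigns /
    users tested in all N campaigns) x 100."""
    tested = set.intersection(*(set(c["recipients"]) for c in campaigns))
    repeaters = set.intersection(*(set(c["clicks"]) for c in campaigns)) & tested
    return 100.0 * len(repeaters) / len(tested) if tested else 0.0


def flag_concerns(campaigns):
    """Apply the thresholds from the glossary entries and return human-readable flags."""
    flags = []
    for c in campaigns:
        completion_14d = completion_rate(c, window_days=14)
        if completion_14d is not None and completion_14d < 80.0:
            flags.append(f"{c['name']}: 14-day completion {completion_14d:.1f}% is below 80% (audit observation)")
        ttr = time_to_remediation_hours(c)
        if ttr is not None and ttr > 72:
            flags.append(f"{c['name']}: median time-to-remediation {ttr:.0f}h exceeds 72h")
    if repeat_clicker_rate(campaigns) > 10.0:
        flags.append("repeat-clicker rate above 10%: concentrated risk cohort needs targeted intervention")
    return flags


if __name__ == "__main__":
    for c in CAMPAIGNS:
        print(c["name"], f"click {click_through_rate(c):.1f}%", f"report {report_rate(c):.1f}%",
              f"completion(7d) {completion_rate(c):.1f}%", f"ttr {time_to_remediation_hours(c):.1f}h")
    print("repeat-clicker", f"{repeat_clicker_rate(CAMPAIGNS):.1f}%")
    print("\n".join(flag_concerns(CAMPAIGNS)))
```

The February campaign already shows the crossover the report-rate entry describes (60% reported versus 20% clicked), while January's open remediation for one user is what drags 14-day completion below the audit threshold.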
Auto-assigned training
A program design pattern where remediation training is automatically delivered to a user the moment they fail a phishing simulation (clicked the link, opened the attachment, submitted credentials, called the callback number), rather than waiting for the next scheduled training cycle. Time-to-assignment is the operative metric: mature platforms assign within 60 seconds of the click event so the lesson lands while the failure context is still salient. Standard pattern: 5-10 minute micro-module specific to the failed attack-intent (credential-harvest training for a credential-harvest click, BEC training for a wire-fraud click, OAuth-consent training for a consent phishing click) with a 7-day completion window. Repeat-non-completer escalation chain is standard: day 1 user notification -> day 4 user reminder -> day 7 manager copy -> day 14 next-level-management or HR cc. Behavior-triggered learning produces measurably better retention than calendar-scheduled training -- failure-context salience activates the retrieval cues better than abstract policy review. Cyber-insurance underwriting questionnaires in 2026 commonly request both auto-assignment configuration evidence (screenshot of the platform's auto-assign rule) and completion-rate trend data. Required or strongly recommended in mature program-design guidance from NIST SP 800-50r1 (Building a Cybersecurity and Privacy Awareness Program), CISA Cyber Hygiene resources and ENISA awareness-raising guidelines. Read more ->
Baseline test
An initial phishing simulation run before any training rollout or program-launch announcement, used to measure the organization's untrained click-through rate as the starting point for longitudinal trend analysis. Methodology fundamentals: send to the entire in-scope workforce or a representative random sample (5,000+ users for statistical power below 1% margin); use a regular-difficulty lure matching the broader 2026 commercial-mail baseline (M365 password expiry, DocuSign envelope, FedEx delivery exception, vendor invoice are standard category exemplars); avoid extreme-difficulty templates because the baseline is meant to predict mainstream attacks; do not pre-announce. Untrained baseline cluster published in KnowBe4 Phishing By Industry and Verizon DBIR human-element data: 25-35% click rate is the normal untrained range across most verticals, with healthcare, manufacturing and retail trending higher (28-40%) and financial services and government trending lower (18-28%) due to pre-existing security-culture differences. Follow-up campaigns after baseline use the same difficulty class for valid comparison; jumping to harder lures in month two will produce misleading "regression" trends that reflect difficulty change rather than user behavior. Baseline data drives the first-year click-rate-reduction goal (typical target: cut baseline by 50% in 12 months) and feeds the report-rate trend as the complementary engagement metric. Read more ->
Pretext
The fictional context an attacker uses to make a phishing message believable. Pretext is the attacker-craft layer where social engineering happens; the lure is the specific email or SMS, the pretext is the underlying narrative the lure relies on. Common 2026 pretexts: M365 password expiry, DocuSign envelope ready to sign, FedEx delivery exception, vendor invoice overdue, IT help-desk MFA reset, Geek Squad subscription cancellation, executive impersonation for wire-transfer urgency, fake legal hold or subpoena, M&A confidential-document-share. AI-generated phishing has compressed the lure-quality gap (no more bad-grammar tells); pretext design is now the primary differentiator between easy-to-catch and hard-to-catch phishing - which is why the simulation-difficulty axis maps directly to pretext sophistication. Read more ->
Lure
The specific delivered artifact in a phishing attempt - the email, SMS, voice script, OAuth consent screen or QR-code image the target actually encounters. Distinct from the pretext, which is the underlying narrative the lure relies on (e.g., the lure is the email reading "your DocuSign envelope is ready to sign"; the pretext is the impersonation of an executive expecting a document signature). Five channel formats are standard in modern campaigns: email lure (subject line + opening line + body + call-to-action button or link), SMS lure or smishing (160-character compressed pretext + URL), voice lure or vishing (phone-call script for live or AI-cloned delivery), OAuth consent lure (a malicious app's permission-request screen rendered by the legitimate IDP), and QR-code lure or quishing (printed or pasted code that decodes to an attacker URL bypassing email URL-scanning). Lure quality maps directly to the simulation-difficulty axis: easy lures contain obvious red flags (mismatched URLs, generic greetings); regular lures match real-world commercial mail; hard lures use target-specific personalization, brand-pixel-perfect templates and AI-generated body content tuned past commercial spam filters via A/B-tested variants. Mature simulation platforms expose the lure as a parameterized template so the same attack-intent (e.g., credential harvest for an M365 password expiry) can be deployed at three difficulty levels with the lure varying while the pretext stays constant. Recognition cues taught in security awareness training have shifted from spelling-error-spotting to context-checking: does the request match what this sender would actually ask, does the URL match the brand domain, does the timing make sense, and is there an out-of-band channel to verify before taking action. Read more ->

Email authentication and technical defenses

SPF (Sender Policy Framework)
A DNS-based email authentication protocol specified in RFC 7208 (April 2014, obsoleting RFC 4408). The domain owner publishes a TXT record (e.g., `v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all`) listing which sending servers are authorized for the domain. Receiving servers query the record at delivery time and check the connecting IP against the allowed list. Mechanisms used in records: `include:` (delegate evaluation to another domain's SPF, used for ESPs and platform tenants), `a` (authorize the domain's A records), `mx` (authorize the domain's MX records), `ip4:` / `ip6:` (literal IP authorization), `exists:` (DNS-existence check), `all` qualified by `-` (hard fail, treated as policy reject), `~` (soft fail, mark suspicious), `?` (neutral, no policy assertion). Hard limit: 10 total DNS lookups per evaluation per RFC 7208 - exceeding triggers `permerror` and the receiver typically treats as no SPF. Common deployment: include the platform tenant (Microsoft 365 `spf.protection.outlook.com`, Google Workspace `_spf.google.com`) plus marketing-platform includes (Salesforce, Mailchimp, SendGrid). SPF alone is not sufficient defense - it only authenticates the SMTP envelope sender (MAIL FROM), not the From header users see. DMARC is what ties SPF (and DKIM) to the From header through alignment. Read more ->
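An SPF record audit that walks `include:` and `redirect=` chains, counts the lookup-causing terms against the 10-lookup limit, and reports the qualifier on `all`. This is an added example, not the project's code; the TXT records are constructed and stand in for DNS answers (the Microsoft and Google names follow the shape of real tenant includes, but the IP ranges are illustrative).

```python
# Constructed TXT records standing in for DNS answers (added example; nothing
# is resolved over the network). IP ranges are documentation prefixes.
FAKE_DNS = {
    "example.com": ("v=spf1 include:spf.protection.outlook.com "
                    "include:_spf.google.com ip4:203.0.113.10 -all"),
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8:2::/48 ~all",
    # A domain that kept adding vendor includes until it crossed the limit.
    "bloated.example": "v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(1, 12)) + " -all",
    # A domain whose record authorizes every sender on the internet.
    "open.example": "v=spf1 mx +all",
}
FAKE_DNS.update({f"vendor{i}.example": f"v=spf1 ip4:192.0.2.{i} -all" for i in range(1, 12)})

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS query
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def audit_spf(domain, dns=FAKE_DNS):
    """Walk a domain's SPF record the way a receiver does, recursing into
    include:/redirect= and counting lookup-causing terms. Returns the total
    lookup count, the qualifier on the top-level `all`, any permerror and
    a list of configuration warnings."""
    result = {"domain": domain, "lookups": 0, "all": None, "error": None, "warnings": []}
    visited = set()

    def walk(name, top_level):
        if name in visited:
            result["error"] = f"permerror: include loop at {name}"
            return
        visited.add(name)
        record = dns.get(name, "")
        if not record.startswith("v=spf1"):
            result["error"] = f"permerror: no SPF record at {name}"
            return
        for term in record.split()[1:]:
            qualifier = "+"                      # RFC default when no qualifier is written
            if term[0] in "+-~?":
                qualifier, term = term[0], term[1:]
            # "include:x", "redirect=x", "a/24", "ip4:1.2.3.4" -> mechanism name and argument
            mech, _, arg = term.replace("=", ":", 1).partition(":")
            mech = mech.split("/")[0].lower()
            if mech in LOOKUP_TERMS:
                result["lookups"] += 1
                if result["lookups"] > MAX_LOOKUPS:
                    result["error"] = "permerror: more than 10 DNS lookups (RFC 7208)"
                    return
                if mech in ("include", "redirect"):
                    walk(arg, False)
                    if result["error"]:
                        return
            elif mech == "all" and top_level:
                result["all"] = qualifier
                if qualifier == "+":
                    result["warnings"].append("+all authorizes every sender; SPF provides no protection")
        if top_level and result["all"] is None and result["error"] is None:
            result["warnings"].append("no all term: unlisted senders evaluate as neutral")

    walk(domain, True)
    return result


if __name__ == "__main__":
    for d in ("example.com", "bloated.example", "open.example"):
        print(audit_spf(d))
```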
DKIM (DomainKeys Identified Mail)
A cryptographic email-authentication standard specified in RFC 6376 (September 2011, obsoleting RFC 4871). The sending domain signs outgoing messages with a private key; the corresponding public key is published as a DNS TXT record at `<selector>._domainkey.<domain>` (e.g., `google._domainkey.example.com` or `selector1._domainkey.example.com`). The signature is added to the message as a `DKIM-Signature:` header that includes the signing domain (`d=`), the selector (`s=`), the canonicalization algorithm (`c=relaxed/relaxed` is standard), the signed-header list (`h=From:To:Subject:Date:Message-ID:...`) and the body hash. Receivers fetch the public key by selector and verify the signature mathematically. Unlike SPF which authenticates the SMTP envelope, DKIM authenticates the message body and selected headers - it survives forwarding (so long as the forwarder doesn't modify signed headers/body). Key-size guidance: 1024-bit RSA was the historical default but is now considered weak (Microsoft 365 deprecated it for new tenants in 2024); 2048-bit RSA is the current standard. Rotation cadence: annually for general use, quarterly for high-security domains; rotate by publishing a new selector and switching the signing infrastructure to it, leaving the old selector in place long enough for in-flight mail to verify before retiring. ARC (RFC 8617, Authenticated Received Chain) extends DKIM-style signing to mailing lists and forwarders that need to break the original signature. DMARC is what ties DKIM (and SPF) to the user-visible From header through alignment. Read more ->
DMARC
Domain-based Message Authentication, Reporting and Conformance. Specified in RFC 7489 (March 2015) with successor draft DMARCbis (RFC 9091 + ongoing standards-track work). A policy framework built atop SPF and DKIM: it sits at the receiving server and instructs the receiver what to do with messages claiming to be from the domain that fail underlying authentication. Three policy levels published in the domain owner's `_dmarc` TXT record: `p=none` (monitor only, do not affect delivery, used for initial deployment to gather data), `p=quarantine` (deliver suspicious messages to spam/junk folder), `p=reject` (refuse delivery entirely - the only configuration that actually blocks domain-spoofing phishing). DMARC reporting comes in two streams: aggregate reports (RUA, sent daily as XML to the configured rua= address summarizing pass/fail counts per source IP - feeds analysis platforms like dmarcian, Valimail, EasyDMARC, Postmark) and forensic/failure reports (RUF, per-message detail, far less commonly enabled due to privacy-data-handling concerns). DMARC alignment requires the underlying SPF or DKIM to align with the From header domain (relaxed alignment matches organizational domains; strict alignment requires exact match). Common misconfiguration: deploying at `p=none` and never progressing - the policy reports threats but does not block them. Major mailbox providers (Gmail, Yahoo, Microsoft 365) since February 2024 require DMARC `p=quarantine` minimum for bulk senders (5,000+ messages/day to their respective recipients). DMARC enforcement is also the prerequisite for BIMI brand-logo display, which incentivizes organizations to complete the `p=none` -> `p=quarantine` -> `p=reject` progression. Read more ->
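The alignment and disposition logic described above, applied to four constructed messages: forwarded legitimate mail where DKIM survives, a direct spoof under `p=none` versus `p=reject`, and a subdomain From under strict DKIM alignment. This is an added example, not a receiver implementation; it approximates the organizational domain with the last two labels, whereas real receivers consult the Public Suffix List.

```python
# Added example of DMARC alignment and disposition evaluation. All records and
# message results are constructed; no DNS or mail is touched.


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(fqdn):
    """Organizational domain, approximated as the last two labels (assumption
    made for this example; a real receiver uses the Public Suffix List)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(policy_txt, policy_domain, from_domain,
                   spf_result="none", spf_domain="",
                   dkim_result="none", dkim_domain=""):
    """Apply the From-header domain's DMARC record to one message's SPF and
    DKIM outcomes. DMARC passes if either mechanism passes *and* aligns with
    the From domain; otherwise p= (or sp= for subdomains) sets the disposition."""
    tags = parse_dmarc(policy_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    is_subdomain = from_domain.lower() != policy_domain.lower()
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else policy}


# Constructed scenarios: (description, evaluate_dmarc keyword arguments)
SCENARIOS = [
    ("forwarded legitimate mail: SPF breaks at the forwarder, DKIM survives", dict(
        policy_txt="v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
        policy_domain="example.com", from_domain="example.com",
        spf_result="fail", spf_domain="example.com",
        dkim_result="pass", dkim_domain="example.com")),
    ("direct spoof: attacker's MAIL FROM passes SPF but is unaligned, p=none", dict(
        policy_txt="v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
        policy_domain="example.com", from_domain="example.com",
        spf_result="pass", spf_domain="bulk-sender.example")),
    ("same spoof after the domain progressed to p=reject", dict(
        policy_txt="v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
        policy_domain="example.com", from_domain="example.com",
        spf_result="pass", spf_domain="bulk-sender.example")),
    ("subdomain From signed by the parent domain under adkim=s", dict(
        policy_txt="v=DMARC1; p=reject; sp=quarantine; adkim=s",
        policy_domain="example.com", from_domain="news.example.com",
        dkim_result="pass", dkim_domain="example.com")),
]


def run_scenarios():
    """Return (description, dmarc result, disposition) for each scenario."""
    out = []
    for description, kwargs in SCENARIOS:
        verdict = evaluate_dmarc(**kwargs)
        out.append((description, verdict["dmarc"], verdict["disposition"]))
    return out


if __name__ == "__main__":
    for description, result, disposition in run_scenarios():
        print(f"{result:4s} -> {disposition:10s} {description}")
```

The second and third scenarios are the same spoofed message; only the published policy differs, which is the "deployed at `p=none` and never progressed" misconfiguration made concrete.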
ARC (Authenticated Received Chain)
An email-authentication extension specified in RFC 8617 (July 2019) that preserves authentication results across mail-flow hops where SPF or DKIM would otherwise break. The problem ARC solves: when mail traverses an intermediary that modifies the message (mailing lists adding subject prefixes, forwarders rewriting envelope, security gateways rewriting URLs), the original DKIM signature breaks and SPF fails against the new sending IP. The receiver sees authentication failure even though the message was legitimately authenticated at the original sender. ARC works by having each intermediate hop sign its own ARC-Authentication-Results, ARC-Message-Signature and ARC-Seal headers, building a verifiable chain back to the original authenticator. The final receiver inspects the chain and can choose to trust the original authentication even though the immediate hop's SPF/DKIM does not pass. Practical relevance: deployed by Google Workspace, Microsoft 365, mailing-list managers (Mailman 3, GNU listserv), and many email security gateways. ARC failure is a common cause of mail from forwarded sources landing in spam folders despite the underlying sender being legitimate. DMARC with relaxed alignment partially addresses the forwarding-breakage problem; ARC addresses it more comprehensively but requires intermediate-hop cooperation. Read more ->
BIMI (Brand Indicators for Message Identification)
An email-authentication-adjacent standard that lets a domain owner publish a brand logo in a DNS TXT record so participating mailbox providers display the verified logo next to authenticated mail in the inbox. Specified across IETF drafts (the BIMI working group at AuthIndicators.org publishes the canonical specifications). The DNS record is a TXT entry at `default._bimi.example.com` containing the URL of an SVG-formatted logo and (for the Verified Mark variant) a Verified Mark Certificate URL. **Critical prerequisite:** BIMI requires DMARC at `p=quarantine` or `p=reject` -- mailbox providers will not display the logo for domains stuck at `p=none`. **Two BIMI tiers:** (1) self-asserted SVG logo for early adopters; (2) Verified Mark Certificate (VMC) issued by a Mark Verifying Authority -- DigiCert and Entrust are the two MVAs at scale -- which adds trademark verification on the logo. Apple Mail added BIMI display support in macOS 14 / iOS 17 (2023); Gmail since 2021; Yahoo since 2020; Apple expanded to require VMC in 2024. The brand-protection rationale: visible logo signals legitimate authenticated mail to users, raising the bar for impersonation by attackers operating typosquatted or lookalike domains. Phishing-program implication: BIMI deployment is a forcing function for completing DMARC enforcement -- organizations that want logo display must reach `p=quarantine` minimum. Cyber-insurance underwriting questionnaires in 2026 increasingly cite BIMI deployment as a positive signal alongside DMARC enforcement and phishing simulation evidence. Read more ->
Typosquatting
Registering domain names that are common typos of legitimate domains (e.g., gooogle.com, microsft.com, paypa1.com using digit-1 for letter-l, amaz0n.com using zero for o) to capture mistyped traffic or send phishing email from a domain that looks correct at a glance. Distinct from homograph attack: typosquatting uses ASCII typos (extra/missing letters, character substitutions, transposed letters); homograph uses Unicode lookalikes from non-Latin scripts. Common variants: character-doubling (gooogle.com), character-omission (gogle.com), QWERTY-adjacent-key swaps (gpogle.com), digit-for-letter substitution (paypa1.com), TLD swap (google.co instead of google.com), hyphenated-version (g-oogle.com). Defense: brand-protection monitoring services (CSC, MarkMonitor, BrandShield), defensive registration of major typo variants, DMARC at p=reject for the legitimate domain to block typosquatted senders, user training on hover-to-reveal-link patterns.
Homograph attack
A phishing technique that uses Unicode characters from non-Latin scripts to create domain names visually identical to legitimate ones, also called an IDN (Internationalized Domain Name) homograph attack. Common substitutions: Cyrillic 'а' (U+0430) for Latin 'a', Cyrillic 'е' (U+0435) for Latin 'e', Cyrillic 'о' (U+043E) for Latin 'o', Greek small letter 'omicron' (U+03BF) for Latin 'o'. Examples: аpple.com, micrоsoft.com, gооgle.com - all visually identical but with one or more Cyrillic/Greek substitutions. The domain registers as Punycode (xn--... format) but renders as the lookalike in browsers that don't enforce IDN display rules. Defense: modern Chrome/Firefox/Safari all enforce same-script-only display by default (mixing Cyrillic and Latin in one label triggers Punycode rendering); enable hover-to-reveal-Punycode browser extensions for high-risk users; enterprise email gateways flag IDN-encoded sender domains; typosquatting defenses overlap (brand-protection monitoring catches both).
Domain spoofing
Forging the sender domain on an email so it appears to come from a trusted organization. Modern email systems block most domain spoofing via SPF, DKIM and DMARC, but legacy receivers and lookalike domains remain attack surfaces. Read more ->
Multi-factor authentication (MFA)
An authentication method that requires two or more independent factors before granting access. Also called two-factor authentication (2FA), two-step verification or strong authentication. The three classic factor categories: something you know (password, PIN, security question), something you have (phone, hardware token, smart card, passkey) and something you are (fingerprint, face scan, voice biometric, behavioral biometric). MFA significantly raises the cost of credential-only phishing because a stolen password alone is no longer sufficient. Common MFA implementations ranked by phishing resistance: SMS one-time-code (weakest, susceptible to SIM swap and AiTM relay), email one-time-code (susceptible to mailbox compromise), TOTP authenticator app (Google Authenticator, Authy, Microsoft Authenticator - susceptible to AiTM relay and real-time phishing), push notification (susceptible to MFA fatigue and AiTM), number-matching push (closes the fatigue gap), passkey / FIDO2 hardware key / WebAuthn (cryptographically phishing-resistant - the WebAuthn ceremony binds the challenge to the legitimate origin so an AiTM proxy cannot complete it). Five primary MFA-bypass attack patterns defeat standard MFA: AiTM reverse proxy capturing the live session cookie, OAuth consent grants routing around the credential ceremony, MFA push fatigue, SIM swap intercepting SMS codes and session-cookie theft from a compromised browser. CISA, NIST SP 800-63B, FBI IC3 guidance and the cyber-insurance underwriting baseline all now treat phishing-resistant MFA (FIDO2/passkeys) as the recommended default rather than push or TOTP. Since 2024 the major mailbox providers (Microsoft 365, Google Workspace) require MFA on all administrator accounts, and MFA is the regulatory floor for sensitive-data access. Read more ->
Passkey
A WebAuthn-based authentication credential stored in a device's secure enclave (Apple Secure Enclave, Android StrongBox, Windows Hello) and synchronized via the platform vendor's cloud (iCloud Keychain, Google Password Manager). The consumer-friendly implementation of FIDO2: same cryptographic origin-binding that defeats AiTM phishing, but with vendor-managed sync and recovery instead of hardware-key procurement. Together with hardware security keys, passkeys are the CISA-recognized phishing-resistant authentication factor (alongside PKI smart cards). The 2026 default for general workforce rollout; hardware keys remain appropriate for the highest-privilege accounts where cross-vendor portability matters. Read more ->
FIDO2 / WebAuthn
FIDO2 is the open authentication standard from the FIDO Alliance that defines hardware-key and platform-authenticator credentials cryptographically bound to a specific website origin. WebAuthn is the W3C-standardized browser API that exposes FIDO2 credentials to web applications. The two specifications together form the technical foundation of phishing-resistant authentication. **How origin-binding defeats phishing:** when a user registers a FIDO2 credential at https://login.example.com, the authenticator records the exact origin and refuses to release the credential to any other origin -- including an attacker-controlled lookalike like https://login-example.com or an AiTM reverse proxy at https://example-com.attacker.tld. The cryptographic challenge-response cannot be relayed, replayed or reproduced by an intermediate proxy. **Form factors:** hardware security keys (Yubico YubiKey, Feitian, Google Titan, SoloKeys), platform authenticators built into operating systems (Windows Hello, Apple Touch ID/Face ID, Android Biometrics) and passkeys (the synced FIDO2 implementation that survives device replacement via iCloud Keychain / Google Password Manager / Microsoft Authenticator). **Adoption trajectory through 2026:** federal civilian executive-branch users required to deploy phishing-resistant MFA under OMB M-22-09; CISA's Phishing-Resistant Authentication guidance names FIDO2 as the leading implementation category; cyber-insurance underwriters increasingly require FIDO2 coverage on privileged accounts in 2026 renewal questionnaires. Major identity providers (Microsoft Entra, Google Workspace, Okta, Duo, Ping) all support FIDO2 as both registration and sign-in factor. **Defense coverage:** defeats AiTM credential-and-cookie theft, defeats traditional credential phishing at the authentication step, immune to MFA-fatigue push-bombing. Does NOT prevent OAuth consent phishing (which operates after legitimate authentication) -- that residual channel requires OAuth admin-policy as a separate control. Read more ->
WebAuthn
The W3C Web Authentication standard (specification approved March 2019; second revision Level 2 in April 2021; Level 3 in 2024). WebAuthn is the browser-side JavaScript API that lets web applications register and authenticate users with public-key cryptography via the `navigator.credentials.create()` and `navigator.credentials.get()` methods. The browser brokers the authentication ceremony between the web application (the relying party) and the user's authenticator (which can be a platform authenticator like Windows Hello / Apple Touch ID / Android Biometrics, or a roaming authenticator like a YubiKey hardware security key). **Relationship to FIDO2:** WebAuthn is the browser-API half of the FIDO2 specification family; CTAP (Client-to-Authenticator Protocol) is the device-side half that connects external authenticators (USB / NFC / Bluetooth security keys) to the browser. Together WebAuthn + CTAP = FIDO2. See FIDO2 for the broader-protocol view. **Key cryptographic property:** the assertion produced by the authenticator includes the relying-party-ID (the legitimate site's origin) which the browser refuses to expose to any other origin. This is the origin-binding that defeats AiTM reverse-proxy phishing. **Browser support:** all major browsers (Chrome, Firefox, Safari, Edge) have shipped WebAuthn since 2019; passkey registration and authentication flows in 2024-2026 are built on top of the WebAuthn API. **Phishing-program relevance:** WebAuthn is the protocol-level enabler of phishing-resistant authentication; security teams should verify their identity provider and any custom-built apps support WebAuthn registration + authentication flows as part of phishing-resistant MFA rollout. Read more ->
Phishing-resistant MFA
An authentication category in which the second factor is cryptographically bound to the legitimate site's origin, so even a user fooled into typing credentials at an attacker-controlled lookalike site cannot deliver a usable factor. Defined in NIST SP 800-63B AAL3 and required for federal agency users under OMB M-22-09 (Federal Zero Trust Strategy, January 2022) with a target compliance deadline of end of FY2024. CISA's Phishing-Resistant Authentication guidance (2022, updated 2024) names three implementation categories: FIDO2/WebAuthn hardware security keys (YubiKey, Feitian, Google Titan), passkeys (the synced FIDO2 implementation across iCloud Keychain, Google Password Manager and Microsoft Authenticator) and PKI smart cards (PIV, CAC). Traditional MFA factors are NOT phishing-resistant: SMS one-time codes are SIM-swap and AiTM-relay susceptible; TOTP authenticator apps and email OTP are AiTM-relay susceptible; push approval is MFA-fatigue susceptible; even number-matching push falls to sophisticated AiTM. The cryptographic property that makes FIDO2/passkeys phishing-resistant is origin binding: the authenticator signs a challenge that includes the actual site's origin (e.g., https://login.microsoftonline.com), and the browser refuses to expose the credential to any other origin, so an AiTM proxy at a lookalike domain cannot complete the signing dance. Cyber-insurance underwriters in 2026 ask explicitly about phishing-resistant MFA coverage on privileged accounts: 100% of executive, admin, finance and vendor-payment accounts is the emerging baseline. Deployment maturity: hardware keys for the highest-privilege roles where cross-vendor portability matters; passkeys for general workforce rollout because they remove the procurement and shipping logistics. Coverage of MFA-bypass phishing patterns: phishing-resistant MFA defeats AiTM credential-and-cookie theft, defeats consent phishing at the authentication step (consent phishing requires a separate OAuth admin-policy control), and is immune to MFA-fatigue. Read more ->
EDR (Endpoint Detection and Response)
A software category that continuously monitors endpoint activity (laptop, desktop, server) to detect, investigate and respond to threats that bypass perimeter and email defenses. Distinguished from legacy antivirus by behavioral and ML detection rather than signature-only scanning; from XDR (extended detection and response) by single-domain endpoint focus rather than cross-domain correlation; and from MDR (managed detection and response) which is the service wrapper around EDR or XDR operated by a SOC vendor. Mechanism: a kernel-level or user-mode agent on the endpoint collects telemetry (process creation, file operations, network connections, registry changes, in-memory artifacts), ships it to a cloud backend in real time and applies behavior-based, signature-based and machine-learning detection rules. Vendor landscape: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne Singularity, Carbon Black Cloud, Sophos Intercept X, Trellix, Cybereason, Palo Alto Cortex XDR (XDR-positioned). Phishing-program relevance: EDR is the layer that catches the post-click payload an email gateway and user training missed - info-stealer malware (RedLine, Vidar, Lumma, Raccoon) attempting session-cookie theft from browser stores, ransomware loaders staging encryption infrastructure, RAT installers establishing persistence, lateral-movement tools enumerating Active Directory. Detection telemetry feeds the incident response workflow with timeline data, indicators of compromise and containment-action recommendations. Cyber-insurance underwriting in 2026 treats EDR coverage as a baseline requirement: most carriers ask whether the organization has EDR on all endpoints, the vendor name, the deployment percentage and the SOC monitoring posture. Mature programs pair EDR with continuous-access evaluation at the identity layer, network segmentation at the lateral-movement layer and immutable backups at the recovery floor. Read more ->
Conditional Access
A policy-based access-control architecture that evaluates contextual signals (user identity, device compliance, location, application sensitivity, sign-in risk score) at the moment of authentication and decides whether to grant access, require additional MFA challenge, restrict permissions or block outright. Originated in Microsoft Entra ID (Azure AD) Conditional Access but the architectural pattern is now general across identity vendors: Okta Adaptive MFA and Workflows, Cisco Duo Beyond, Google BeyondCorp Enterprise, Ping Identity DaVinci. Foundation of Zero Trust architectures per NIST SP 800-207 and OMB M-22-09 (Federal Zero Trust Strategy). Phishing-program relevance: Conditional Access is the layer that limits damage even when phishing succeeds in capturing credentials - common policies block sign-ins from non-compliant devices, anomalous geographies, anonymizer IPs or sessions failing risk scoring; require MFA step-up for high-sensitivity applications; restrict legacy authentication protocols that bypass MFA entirely; revoke sessions on detected risk via continuous-access evaluation. Standard policy set for phishing-defense maturity: device-compliance gate on all SaaS, location/named-network policies for admin roles, risk-based policies that step up to phishing-resistant MFA when sign-in risk crosses threshold, session controls limiting cookie lifetime on sensitive apps to bound session-cookie theft replay window. Cyber-insurance underwriting in 2026 frequently asks about Conditional Access policy coverage on privileged accounts. Pairs structurally with phishing-resistant MFA, session-binding and EDR signals to form the modern identity-layer defense stack. Read more ->
Sandbox detonation
An email-gateway defense technique where suspicious attachments and embedded URLs are executed inside an isolated virtual environment before delivery to the user's inbox, with the environment instrumented to observe file-system writes, registry modifications, network connections, process spawning and other behaviors that distinguish malware from benign content. Common vendor implementations: Microsoft Defender for Office 365 Safe Attachments and Safe Links (Plan 1/Plan 2), Proofpoint Targeted Attack Protection (TAP), Mimecast Targeted Threat Protection, Cisco Email Threat Defense, Barracuda Advanced Threat Protection. Phishing-program relevance: sandbox detonation is the layer that catches phishing payloads that evade signature-based gateway filters - novel malware, AI-generated lures with unfamiliar attachment formats, polymorphic payloads, supply-chain-compromise documents from trusted senders, malicious PDFs with embedded JavaScript or remote-template loading. Standard attacker bypasses: time-delayed execution (malware sleeps past the sandbox timeout window before activating), sandbox-environment detection (checking for VM indicators, mouse-movement patterns, kernel artifacts and refusing to detonate), legitimate-cloud-redirect chains (initial URL points to Google Drive, Dropbox or OneDrive which only redirects to the phish after the sandbox has cleared the URL), encrypted attachments where the password arrives in the email body (sandbox cannot open without the password). Mature programs pair sandbox detonation with URL rewriting at the gateway, EDR on the endpoint and continuous simulated phishing training so detection-and-prevention covers the layers where sandbox-evasion succeeds. Read more ->

Compliance frameworks

SOC 2
A widely adopted compliance framework based on the AICPA Trust Services Criteria. The CC1.4 and CC2.2 criteria translate to requirements for ongoing security awareness training and demonstrable phishing-program evidence. Read more ->
HIPAA
U.S. Health Insurance Portability and Accountability Act. Applies to "covered entities" (healthcare providers, health plans, healthcare clearinghouses) and "business associates" (vendors with access to protected health information / PHI). The §164.308(a)(5) Security Awareness and Training administrative safeguard requires four sub-specifications: security reminders, protection from malicious software, log-in monitoring and password management - phishing simulation evidence directly supports the first two. The §164.308(a)(1)(ii)(A) Risk Analysis requirement is the foundational standard that names phishing and social engineering as identified risks. HHS OCR (Office for Civil Rights) is the enforcement agency; documented training delivery + completion records retained for at least 6 years per §164.316(b)(2)(i) is the auditable artifact. Common HIPAA breach categories that phishing programs reduce: credential-theft account takeover (Mail.Read scope harvest of clinical communications), ransomware initial access (CommonSpirit, Universal Health, Ascension all started with phishing), wire-fraud / BEC against accounts payable. Read more ->
PCI DSS
Payment Card Industry Data Security Standard. Applies to any merchant or service provider that stores, processes or transmits cardholder data; enforced by the card brands (Visa, Mastercard, Amex, Discover, JCB) via QSAs (Qualified Security Assessors). Requirement 12.6 mandates a security awareness program for personnel handling cardholder data, with three sub-requirements in PCI DSS 4.0: 12.6.1 (program implementation), 12.6.2 (annual review and update for new threats), 12.6.3 (training upon hire and annually, covering specific threats including phishing and social engineering). PCI DSS 4.0 (effective March 2024 / fully enforceable March 2025) emphasizes continuous testing rather than annual checkbox training and adds 12.6.3.1 requiring evolving threat coverage - which is exactly where simulation-program currency becomes audit evidence. Common QSA evidence requests: 12-month campaign reports, training completion records tied to personnel, sample template content covering current threat landscape, remediation evidence for users who clicked. Common breach categories phishing programs reduce: web-skimmer credential theft for e-commerce admin accounts, payment-app account takeover, BEC against accounts payable in retail, ransomware initial access for retail-chain operational disruption.
NIST CSF
U.S. National Institute of Standards and Technology Cybersecurity Framework. Voluntary framework adopted across U.S. federal agencies (mandatory for federal civilian agencies), state and local government, defense industrial base, healthcare and critical infrastructure. CSF 2.0 (released February 2024) introduced the Govern function and reorganized into six functions: Govern, Identify, Protect, Detect, Respond, Recover. Phishing simulation programs map directly to PR.AT (Awareness and Training - PR.AT-01 personnel are trained, PR.AT-02 specialized training for high-risk roles), PR.PS (Platform Security including PR.PS-05 around malicious code prevention), and DE.CM (Continuous Monitoring including DE.CM-09 personnel-activity anomaly detection). Implementation tiers (Partial, Risk Informed, Repeatable, Adaptive) align with simulation-program-maturity stages. CSF is the most-cited compliance framework in U.S. cyber-insurance underwriting questionnaires; documented PR.AT evidence directly supports the "do you have a phishing simulation program" question. Read more ->
ISO 27001
An international standard for information security management systems (ISMS) published jointly by ISO and the IEC. The 2022 revision (ISO/IEC 27001:2022) reorganized Annex A from 114 controls down to 93 controls across four themes: Organizational, People, Physical and Technological. Annex A.6.3 (People theme) covers Information Security Awareness, Education and Training; certification auditors require documented, ongoing programs with measurable participation evidence rather than ad-hoc training. Phishing simulation results, click-rate trending and report-rate metrics are commonly cited in Stage 2 audit evidence. ISO 27001 certification runs a three-year cycle with annual surveillance audits and is required by most enterprise procurement teams in Europe, Asia-Pacific and increasingly in North America. Frequently paired with SOC 2 Type II for transatlantic vendor due-diligence. Read more ->
NIS2
European Union Directive (EU) 2022/2555 (Network and Information Security 2), in force since January 16 2023 with a member-state transposition deadline of October 17 2024. Replaces the 2016 NIS Directive and dramatically widens scope from approximately 1,500 to over 100,000 entities across 18 sectors (energy, transport, banking, financial-market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, postal/courier, manufacturing of medical devices/computers/electronics/transport equipment, food production/processing/distribution, chemicals, research, digital providers). Splits in-scope organizations into Essential and Important entities. Article 21 enumerates ten cybersecurity risk-management measures including incident handling, business continuity, supply-chain security, vulnerability handling, basic cyber-hygiene practices and cybersecurity training. Article 23 mandates 24-hour early warning + 72-hour incident notification to national CSIRTs. Article 32 imposes fines up to 10 million EUR or 2% of global annual turnover (Essential) and 7 million EUR or 1.4% (Important) plus personal liability for management bodies. National transposition status varies: Belgium, Croatia, Hungary, Italy, Latvia and Lithuania met the October 2024 deadline; Germany (NIS2UmsuCG), France (in legislative process), Netherlands, Spain and Ireland missed the deadline and the European Commission opened infringement proceedings against 23 member states in November 2024. Phishing simulation programs satisfy the Article 21(2)(g) basic cyber-hygiene + training requirement. Read more ->

Buyer & program drivers

Cyber insurance
A financial-risk-transfer product covering losses from cyber incidents (ransomware, business email compromise, data breach, business interruption). Underwriting questionnaires from major carriers increasingly require evidence of MFA, phishing simulation programs and DMARC enforcement; documented phishing-simulation evidence is now treated as a meaningful underwriting signal that can produce premium discount, higher sub-limits or affirmative coverage on social-engineering exclusions. The insurance buying journey is one of the strongest non-compliance drivers of phishing-simulation adoption. Read more ->
Vendor risk management (TPRM)
The discipline of assessing and continuously monitoring the security posture of third-party suppliers, SaaS vendors and service providers - also called Third-Party Risk Management (TPRM) or Vendor Security Assessment. Phishing simulation evidence is now standard scope in enterprise vendor questionnaires alongside SOC 2 Type II reports, ISO 27001 certifications and penetration-test attestations. Questionnaire frameworks commonly named: SIG (Standardized Information Gathering, Shared Assessments) Lite/Core/Detailed tiers, CAIQ (Cloud Security Alliance Consensus Assessments Initiative Questionnaire) for SaaS, the HITRUST CSF assessment for healthcare-vendor scope, and bespoke enterprise questionnaires that copy-paste questions from these baselines. Specific phishing-program questions consistently asked: "Do you operate a continuous phishing simulation program for your workforce?", "What is your 12-month click-rate trend?", "Do you require phishing-resistant MFA on production-system access?", "Have you trained employees on AI-generated phishing recognition in the past 12 months?". The 2025-2026 trend: large enterprise customers (Fortune 1000, federal contractors, EU operators of essential services under NIS2 Article 21(2)(d) supply-chain measures) increasingly require attestation evidence rather than just a checkbox - dashboard exports, completion-rate trend graphs and named-platform attestation letters. SaaS vendors that cannot produce phishing-program evidence on request face procurement delays or outright displacement. Defense-and-evidence layer: documented phishing simulation program with monthly cadence, exportable click-rate and report-rate trend, named platform vendor (e.g., Bait & Phish), and mapping of program controls to the questionnaire's compliance-framework references (SOC 2 CC1.4 / ISO 27001 A.6.3 / NIST CSF PR.AT). Read more ->
Verizon DBIR (Data Breach Investigations Report)
An annual industry report from Verizon's Threat Research Advisory Center analyzing reported security incidents and confirmed data breaches across global contributing partners. Published annually since 2008, the DBIR is the most-cited industry data source in the phishing-program decision space. The 2024 edition analyzed over 30,000 security incidents and over 10,000 confirmed breaches across 94 countries. Methodology: Verizon combines its own caseload with submissions from 80+ contributing organizations including law enforcement (US Secret Service, FBI, Europol), national CERTs, industry ISACs (FS-ISAC, H-ISAC, MS-ISAC), incident-response firms (Mandiant, CrowdStrike, Coveware) and government agencies (CISA, ENISA). Findings standard across editions: phishing remains the dominant initial-access vector for breaches involving the human element; Business Email Compromise is consistently among the highest-loss attack categories by reported dollar value; credential theft is the most common compromise outcome chaining forward to lateral movement and ransomware. Reported categorical patterns include System Intrusion, Social Engineering, Basic Web Application Attacks, Miscellaneous Errors, Privilege Misuse and Lost or Stolen Assets. The DBIR is the primary citation source for phishing-program ROI arguments, cyber-insurance underwriting baselines and board-level threat-landscape briefings. The Summary section and the industry-specific appendix tables are the highest-cited portions of any year's edition. Mature programs use the published click-through-rate baselines by industry as benchmark anchors for in-house simulation programs. Read more ->
FBI IC3 (Internet Crime Complaint Center)
An FBI division receiving complaints about internet-enabled crime from the public and industry partners and aggregating the data into the annual Internet Crime Report (IC3 Report). Founded in 2000, the canonical US public-sector source for cybercrime victim and dollar-loss statistics. The 2024 IC3 Report documented over $16 billion in reported losses across all internet-crime categories, the highest annual figure since the report series began. Business Email Compromise is consistently among the highest-loss categories by reported dollar value, ranking above ransomware in dollar terms for several recent years. Investment scams, tech-support scams and confidence/romance fraud have grown into the highest-volume categories alongside BEC. Methodology: complaints submitted at ic3.gov are triaged for FBI investigation, then aggregated statistics are published annually by category, victim demographics and state. Phishing-program relevance: IC3 BEC loss data drives cyber-insurance underwriting baselines; the most-cited US-government source for phishing-program ROI arguments; year-over-year trend data documents persistence of phishing as initial-access vector. Often cited alongside Verizon DBIR and ENISA Threat Landscape in industry research synthesis reports. Use IC3 categorical breakdowns to inform simulation-template intent-mix (BEC + tech-support pretexts + delivery-impersonation should appear in regular rotation). Read more ->
ENISA (European Union Agency for Cybersecurity)
The European Union Agency for Cybersecurity, headquartered in Athens, Greece. Established in 2004 as the European Network and Information Security Agency; rebranded ENISA with an expanded permanent mandate under the EU Cybersecurity Act (Regulation 2019/881). Primary EU equivalent of the US-focused FBI IC3 for cybersecurity threat reporting. Key publications used in phishing-program decision-making: ENISA Threat Landscape report (annual since 2013, the most-cited EU industry-source for phishing-program ROI and threat-prevalence framing); ENISA guidance for NIS2 implementation (Article 21 and 22 cybersecurity-risk-management measures); ENISA Cybersecurity certification framework (EUCC); sector-specific threat assessments for healthcare, energy, finance and transportation. Phishing-specific findings: ENISA Threat Landscape consistently tracks phishing as a top initial-access vector across years; the 2024 edition flagged AI-generated social engineering as the dominant trend for the year. Phishing-program relevance: ENISA guidance is cited in national-supervisory-authority enforcement decisions under GDPR Article 32 (where absent awareness measures elevate fine severity); ENISA's basic-cyber-hygiene guidance is the operational anchor for NIS2 Article 21(2) awareness-training measures. Often cited alongside Verizon DBIR and FBI IC3 in industry research synthesis reports as the third primary citation source. EU operators of essential services and EU-headquartered phishing-program operators should treat ENISA publications as primary alongside US sources. Read more ->
CISA (Cybersecurity and Infrastructure Security Agency)
A US federal agency under the Department of Homeland Security responsible for protecting the nation's cyber and physical critical infrastructure. Established in 2018 by the Cybersecurity and Infrastructure Security Agency Act; reorganized from the National Protection and Programs Directorate (NPPD). Key resources used in phishing-program decision-making: Joint Cyber Advisories (issued with FBI, NSA and international partners; usable as a threat-intel feed for simulation-template freshness); Cybersecurity Performance Goals (CPGs, voluntary baseline naming phishing simulation and security awareness training as core controls for critical-infrastructure entities); Phishing-Resistant Authentication guidance (2022, updated 2024, the primary US-government anchor for phishing-resistant MFA adoption); Known Exploited Vulnerabilities (KEV) catalog; Stop Ransomware initiative; State, Local, Tribal and Territorial (SLTT) program; free Cyber Hygiene scanning services for federal civilian agencies and SLTT entities. Phishing-program relevance: CISA CPGs are the operational anchor for phishing-program-evidence requirements at most US critical-infrastructure sectors and a recurring citation in cyber-insurance underwriting questionnaires; CISA advisories drive simulation-template-cadence refresh on emerging lure patterns; CISA's Phishing-Resistant MFA guidance is cited in NIST SP 800-63 implementation references and OMB M-22-09 (Federal Zero Trust Strategy) implementation. Often cited alongside FBI IC3, Verizon DBIR and ENISA in industry research synthesis reports -- together with APWG these five form the primary citation set for phishing-program ROI and threat-landscape briefings. Read more ->
APWG (Anti-Phishing Working Group)
An international industry consortium and nonprofit focused on unifying global response to cybercrime, with primary emphasis on phishing-attack data sharing, victim assistance and research. Founded in 2003 by Internet industry leaders and law-enforcement representatives; headquartered in Cambridge, Massachusetts. Membership exceeds 1,500 organizations across ISPs, banks, security vendors, e-commerce platforms, government agencies and academic institutions. Key publications used in phishing-program decision-making: APWG Phishing Activity Trends Reports (quarterly, the canonical industry-consortium source for total reported phishing URLs by quarter, attack-target sector breakdowns, hosted-domain TLD analysis and email-phish vs URL-phish split); APWG eCrime Trends reports synthesizing member-contributed data on attack-volume trajectory; PhishTank URL feed (merged into APWG in 2008, the primary canonical source for URL-domain reputation used by many security products). Phishing-program relevance: APWG quarterly reports are the primary citation for quarter-over-quarter phishing-volume trend statements; the eCrime Researchers Summit annual conference is the principal academic-industry research venue for phishing studies; APWG's industry-consortium structure complements government sources (FBI IC3, CISA, ENISA) and industry-vendor sources (Verizon DBIR). Often cited alongside the other four as the 5th primary citation source in phishing-program threat-landscape synthesis reports. Read more ->
Mandiant
A cybersecurity incident-response and threat-intelligence firm, now part of Google Cloud Security. Founded in 2004 by Kevin Mandia; acquired by FireEye in 2013 with combined operations rebranded FireEye-Mandiant in 2021; acquired by Google Cloud in September 2022 and operating as Mandiant within Google Cloud Security since 2023. Key publications used in phishing-program decision-making: M-Trends annual threat report (published annually since 2010, the primary industry-vendor source for IR-trend data including median dwell time, top initial-access vectors, ransomware-affiliate tracking and sector-specific intrusion patterns); Mandiant Threat Intelligence (commercial threat-intel subscription used by SOC teams for IOC feeds and attribution); Mandiant Attack Lifecycle model. Threat-actor naming taxonomy: Mandiant's APT-numbered groups (APT1, APT28, APT29, APT40, etc.) are the canonical industry naming convention for nation-state and advanced cybercrime threat actors, used alongside CrowdStrike's animal-named groups (BEAR, PANDA, etc.) in threat-intelligence feeds. Phishing-program relevance: M-Trends data is cited alongside Verizon DBIR and IBM Cost of a Data Breach for IR-trend benchmarking; Mandiant attack-attribution informs simulation-template freshness for sector-specific threat-actor TTPs; APT-naming taxonomy is the lingua franca for SOC threat-intel briefings. Often cited alongside CrowdStrike, Verizon DBIR and FBI IC3 in industry research synthesis reports as the commercial-IR-firm reference source. Read more ->
CrowdStrike
A cybersecurity company headquartered in Austin, Texas, founded in 2011 by George Kurtz, Dmitri Alperovitch and Gregg Marston. NASDAQ-listed (CRWD) since 2019. Best known for the Falcon endpoint protection platform (EDR/XDR), Falcon Threat Intelligence service and incident-response practice. Key publications used in phishing-program decision-making: Global Threat Report (annual, the primary industry-vendor source alongside Mandiant M-Trends for adversary-tracking trend data); CrowdStrike Threat Intelligence (commercial threat-intel subscription used by SOC teams for adversary feeds and named-group attribution); OverWatch managed-threat-hunting reports. Threat-actor naming taxonomy: CrowdStrike's animal-named adversary groups (BEAR for Russia, PANDA for China, KITTEN for Iran, BUFFALO for Vietnam, CHOLLIMA for North Korea, SPIDER for organized cybercrime, JACKAL for hacktivists) are the lingua franca for SOC threat-intel briefings, used alongside Mandiant's APT-numbered groups for threat-actor attribution. Phishing-program relevance: Global Threat Report annual data is cited alongside Verizon DBIR + Mandiant M-Trends for IR-trend benchmarking; eCrime adversary tracking informs simulation-template intent-mix; the animal-named adversary taxonomy is already familiar to SOC and threat-intel teams. Often cited alongside Mandiant, Verizon DBIR and FBI IC3 in industry research synthesis reports as the commercial-vendor reference source. Read more ->

Modern attack techniques

MFA fatigue
Also called MFA bombing or push-bombing. An attack where a phisher who has stolen a user's credentials triggers repeated MFA push notifications, hoping the target eventually approves one out of fatigue or to make the prompts stop. One of the five MFA-bypass phishing patterns. Mitigated by number-matching MFA and conditional-access policies. Read more ->
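The push-bombing pattern is easy to see in IdP sign-in telemetry once the prompts are grouped per user and per time window. The following Python is an added example (not the glossary's own code, not any IdP vendor's rule) that flags a burst of push prompts and records whether the burst ended in an approval; the event layout and the sample events are constructed for the example and must be mapped onto your own log's columns.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real telemetry). The field set
# (user, UTC timestamp, push outcome, source IP) is an assumption about what an
# IdP sign-in log exports; map your own log's column names onto it.
SAMPLE_EVENTS = [
    ("alice", "2025-03-04T09:00:05Z", "denied",   "203.0.113.7"),
    ("alice", "2025-03-04T09:00:40Z", "denied",   "203.0.113.7"),
    ("alice", "2025-03-04T09:01:15Z", "timeout",  "203.0.113.7"),
    ("alice", "2025-03-04T09:01:50Z", "denied",   "203.0.113.7"),
    ("alice", "2025-03-04T09:02:30Z", "denied",   "203.0.113.7"),
    ("alice", "2025-03-04T09:03:10Z", "approved", "203.0.113.7"),  # fatigue success
    ("bob",   "2025-03-04T09:00:00Z", "approved", "198.51.100.2"),
    ("bob",   "2025-03-04T13:30:00Z", "denied",   "198.51.100.2"),  # one mis-tap, then ok
    ("bob",   "2025-03-04T13:31:00Z", "approved", "198.51.100.2"),
]

WINDOW = timedelta(minutes=10)   # how tightly the prompts must cluster
PROMPT_THRESHOLD = 4             # prompts inside WINDOW before we call it a burst


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one finding per user whose push prompts cluster more tightly
    than a human normally logs in. The finding records whether the burst
    ended in an approval, because that case needs session revocation, not
    just a password reset: the attacker already holds the password."""
    by_user = defaultdict(list)
    for user, ts, outcome, ip in events:
        by_user[user].append((parse_ts(ts), outcome, ip))

    findings = []
    for user, evs in sorted(by_user.items()):
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - t0 <= window]
            if len(burst) < threshold:
                continue
            rejected = sum(1 for _, o, _ in burst if o in ("denied", "timeout"))
            # Classic fatigue success: an approval that follows at least
            # threshold-1 rejections inside the same window.
            fatigue_success = any(
                o == "approved"
                and sum(1 for _, p, _ in burst[:k] if p != "approved") >= threshold - 1
                for k, (_, o, _) in enumerate(burst)
            )
            findings.append({
                "user": user,
                "window_start": t0.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "prompts": len(burst),
                "rejected": rejected,
                "fatigue_success": fatigue_success,
                "source_ips": sorted({ip for _, _, ip in burst}),
                "action": ("revoke sessions and refresh tokens, reset password, "
                           "enable number matching") if fatigue_success
                          else "contact user; the password is likely compromised",
            })
            break   # one alert per user; the first burst is enough
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately keys on prompt density and rejection count rather than on the final outcome, because a burst that ends in a denial still means the attacker has a valid password. Number matching closes the vector at the source: the user has to type a code displayed on the attacker's login screen, so a reflexive tap can no longer approve.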
Adversary-in-the-Middle (AiTM)
A phishing technique where the attacker runs a reverse-proxy server between the victim and the legitimate authentication service. The user types credentials and completes MFA on the attacker's proxy, which forwards everything to the real service in real time and captures the resulting session cookie. The attacker imports the cookie and is logged in - bypassing standard MFA entirely. Major attacker toolkits include Evilginx, Tycoon, EvilProxy and Caffeine; these are sold as Phishing-as-a-Service products with subscription pricing. AiTM is the central pattern in MFA-bypass phishing; the cryptographic defense is passkeys/FIDO2 (the WebAuthn ceremony cannot be relayed across origins) - see phishing-resistant MFA for the defense walkthrough. Read more ->
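Why a relayed WebAuthn ceremony fails at the real service can be shown in a few dozen lines. The following Python is an added example (not the glossary's code and not a real WebAuthn library): it models the relying-party checks on an assertion, with the browser writing the page origin it is actually on into clientDataJSON. The relying-party id and origins are assumed placeholders, and an HMAC over a secret shared between authenticator and server stands in for the real ECDSA signature so the example runs on the standard library; the origin-binding logic is unaffected by that substitution.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.test"              # relying-party id (assumed placeholder)
RP_ORIGIN = "https://login.example.test"  # the only origin the RP will accept

# Constructed credential "registered" earlier. A real authenticator holds an
# asymmetric private key and the RP stores the public key; HMAC with a shared
# secret stands in for that signature here so no third-party library is needed.
CREDENTIAL_SECRET = secrets.token_bytes(32)


def rp_new_challenge() -> str:
    return secrets.token_urlsafe(32)


def browser_authenticate(challenge: str, page_origin: str) -> dict:
    """What the browser and authenticator do together: the browser, not the
    page's JavaScript, records the origin it is really on in clientDataJSON,
    and the authenticator signs over authenticator data plus a hash of it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash || flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: str):
    """Server-side checks in the order a WebAuthn relying party performs them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        # A reverse proxy forwards the challenge unchanged but cannot rewrite
        # the origin: it is inside the signed clientDataJSON.
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def simulate(page_origin: str):
    """One login: the RP issues a challenge, the browser answers from whatever
    origin the user is really on, the RP verifies. Pass the proxy's origin
    to see the relayed ceremony rejected."""
    challenge = rp_new_challenge()
    return rp_verify(browser_authenticate(challenge, page_origin), challenge)


if __name__ == "__main__":
    print(simulate(RP_ORIGIN))                          # (True, 'ok')
    print(simulate("https://login-proxy.example.test")) # origin mismatch
```

In a real browser the relayed attempt fails even earlier: the browser refuses to exercise a credential scoped to `login.example.test` from a page on a different registrable domain, so the proxy never obtains an assertion at all. The signed origin is the second, server-side line of defense, and it is what makes the cookie-capturing proxy pattern above unworkable against passkeys.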
Callback phishing (TOAD)
Also known as TOAD (telephone-oriented attack delivery) or hybrid phishing. A phishing email or SMS that contains no malicious link or attachment, only a phone number; the victim is induced to call and is then social-engineered on the phone call. Bypasses URL-scanning email gateways entirely because the email contains no inspectable URL. Common pretexts: fake subscription-renewal cancellations (Geek Squad, McAfee, Norton), fraudulent invoice queries, fake refund processing. Once the victim calls, the attacker-staffed line runs scripted social engineering: remote-access install (AnyDesk, ScreenConnect, TeamViewer), banking-screen-share fraud, MFA-code harvest, or information harvest for follow-on attacks. The phone call is the actual attack vector; the email was just the lure. Defense: out-of-band verification through a known number, no-cold-call vendor allowlists, simulation training that includes the email-with-phone-number pattern. Read more ->
OAuth 2.0
An open authorization framework (IETF RFC 6749 plus the OAuth 2.1 consolidation draft) that lets an application access resources on a user's behalf without handling the user's password. Standard pattern: the user authenticates to an identity provider (Microsoft Entra, Google Workspace, Okta, Auth0, GitHub), then grants the third-party application a set of scopes (Mail.Read, Files.Read.All, openid, profile, offline_access). The authorization server issues an access token (typically 1-hour lifetime) and optionally a refresh token (longer-lived persistence). The third-party app uses the access token in subsequent API calls; when it expires, the refresh token mints a new one without further user interaction. **Phishing-program relevance:** OAuth is the protocol that makes consent phishing possible -- attackers register malicious applications with legitimate identity providers, request high-impact scopes, and trick users into granting consent through the IdP's own consent screen. Because the attacker uses the legitimate OAuth flow, the user never types credentials on an attacker site and MFA is never relayed. **Phishing-resistant MFA does not stop consent phishing** -- the attack operates after authentication. **Defenses:** OAuth admin-policy restricting user consent to admin-approved apps (Azure AD "User consent settings: Do not allow user consent" or "Allow user consent for verified publishers"; Google Workspace "App access control" with allowlist), continuous-access evaluation (CAE) for risk-signal token revocation, OAuth-app audit and lifecycle review, and IR-runbook coverage for consent-phishing incidents including the token-revocation step (password reset alone is insufficient). Major identity providers (Entra, Workspace, Okta, Auth0, GitHub) all expose OAuth-app inventory and admin-policy controls in their consoles. Read more ->
Consent phishing
An OAuth-based attack where the attacker registers a malicious application with the identity provider (Microsoft Entra, Google Workspace, Okta) and tricks the user into clicking through the legitimate consent screen ("App XYZ wants permission to read your mail and files. Allow / Cancel."). The user authenticates legitimately, then grants the attacker permanent API access via the OAuth flow - no password is stolen, no MFA is bypassed. High-impact scopes attackers commonly request: Mail.Read, Mail.Send, Files.ReadWrite.All, offline_access (refresh-token persistence past password rotation). The grant survives password changes; only an admin revoking the OAuth grant in Entra/Workspace stops it. Phishing-resistant MFA does not stop consent phishing because the attack routes around the credential ceremony. The defense layer is OAuth admin-policy: restrict user consent at the IdP, build admin-approval workflow, audit OAuth grants continuously. Read more ->
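The "audit OAuth grants continuously" step of the OAuth 2.0 and consent-phishing entries above reduces to ranking every consent grant by the scopes it holds and by who approved it. The following Python is an added example (not the glossary's code and not any identity provider's API): it scores a simplified grant record and returns the grants worth a human look, with the remediation note that a password reset does not revoke a refresh token. The `Grant` field names, the scope weights and the sample grants (including the GUID-shaped app ids) are this example's own constructions.

```python
from dataclasses import dataclass

# Scopes a consent-phishing app typically asks for, with this example's own
# rough impact weights (an assumption for ranking, not a vendor severity scale).
HIGH_IMPACT_SCOPES = {
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4,
    "Files.Read.All": 3, "Files.ReadWrite.All": 4,
    "Directory.Read.All": 2, "User.Read.All": 2,
    "offline_access": 2,   # refresh token: access outlives a password reset
}


@dataclass
class Grant:
    """Simplified view of one OAuth consent grant. The field names are this
    example's own; a real export from the IdP's permission-grant listing
    must be mapped onto them."""
    app_name: str
    app_id: str
    principal: str          # user who consented, or "*" for tenant-wide admin consent
    consent_type: str       # "Principal" = one user consented, "AllPrincipals" = admin consent
    scope: str              # space-separated scopes exactly as the IdP stores them
    publisher_verified: bool


# Constructed sample grants (placeholder ids, not real applications).
SAMPLE_GRANTS = [
    Grant("Expense Helper", "00000000-0000-0000-0000-00000000aaaa", "alice@corp.example",
          "Principal", "openid profile offline_access Mail.Read Mail.Send", publisher_verified=False),
    Grant("Corporate CRM Connector", "00000000-0000-0000-0000-00000000bbbb", "*",
          "AllPrincipals", "User.Read Files.Read.All offline_access", publisher_verified=True),
    Grant("Lunch Poll", "00000000-0000-0000-0000-00000000cccc", "bob@corp.example",
          "Principal", "openid profile email User.Read", publisher_verified=True),
    Grant("PDF Viewer Pro", "00000000-0000-0000-0000-00000000dddd", "carol@corp.example",
          "Principal", "openid User.Read", publisher_verified=False),
]


def scopes_of(grant: Grant) -> set:
    return set(grant.scope.split())


def risk_score(grant: Grant) -> int:
    """Sum the scope weights, then penalise the two conditions that make a
    consent-phishing grant stand out: an unverified publisher holding mail or
    file access, and approval by an end user rather than an admin. An app
    with only benign scopes scores 0 even when its publisher is unverified."""
    score = sum(HIGH_IMPACT_SCOPES.get(s, 0) for s in scopes_of(grant))
    if score and not grant.publisher_verified:
        score += 3
    if score and grant.consent_type == "Principal":
        score += 1
    return score


def audit_grants(grants, threshold: int = 4):
    """Return grants scoring at or above `threshold`, highest risk first, each
    with the remediation the entry above describes: revoke the grant itself,
    because a password reset leaves an issued refresh token valid."""
    findings = []
    for g in grants:
        score = risk_score(g)
        if score < threshold:
            continue
        persistent = "offline_access" in scopes_of(g)
        findings.append({
            "app_name": g.app_name,
            "app_id": g.app_id,
            "principal": g.principal,
            "consent_type": g.consent_type,
            "score": score,
            "high_impact_scopes": sorted(s for s in scopes_of(g) if s in HIGH_IMPACT_SCOPES),
            "persistent": persistent,
            "action": ("revoke grant and the app's refresh tokens; "
                       "password reset alone is insufficient") if persistent
                      else "revoke grant",
        })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```

Two design points: an admin-consented, verified integration still surfaces (at a lower score) because tenant-wide file access deserves periodic review regardless of who approved it, and the unverified-publisher penalty only applies when the app already holds a high-impact scope, so a harmless unverified utility does not drown the queue in noise.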
Phishing kit
A pre-built toolkit (HTML, CSS, JavaScript and server scripts) that recreates the login page of a target service, typically sold on cybercrime forums or distributed via underground marketplaces. The kit is uploaded to attacker-controlled hosting (compromised legitimate sites, fast-flux DNS, bulletproof hosting) and immediately ready to capture credentials submitted to the cloned login form. Five major feature categories in modern 2026 kits: (1) credential exfiltration to attacker email, Telegram bot, or remote C2 endpoint - usually configurable from a single PHP variable; (2) MFA-bypass capability via AiTM reverse-proxy integration that captures the live session cookie post-MFA; (3) anti-detection - filter visitors by IP geolocation, user-agent string, ASN (block security-vendor crawlers like Microsoft, Google, Trend Micro) and randomize URL paths so URL-blocklists go stale; (4) reCAPTCHA-bypass via captcha-solving services or by serving a fake captcha that just records keystrokes; (5) anti-analysis - obfuscated JavaScript, dynamic loading from CDN-hosted dependencies, server-side payload mutation. Well-documented examples: 16Shop (Indonesian-origin, multi-brand impersonation including Apple/Amazon/PayPal/American Express, ~150,000 phishing sites at peak per Trend Micro 2023 takedown), Tycoon (Microsoft 365-focused, sold as PhaaS with subscription tiers $50-$500/month), Greatness (M365-focused with high-fidelity targeting based on victim's actual organization), Caffeine (multi-language PhaaS popular among Russian-speaking operators), EvilProxy (AiTM-style with Microsoft/Google/Apple targeting). Kits are increasingly bundled with infrastructure as Phishing-as-a-Service products that handle hosting, DNS rotation and exfiltration on the operator's behalf.
Defense layers: enterprise email gateways with brand-resemblance and visual-similarity detection (Microsoft Defender for Office 365, Mimecast, Proofpoint TAP), DNS-layer threat-intelligence feeds, browser-side phishing protection (Google Safe Browsing, Microsoft SmartScreen), DMARC at p=reject for the impersonated brand domains and continuous simulated phishing campaigns that include kit-style high-fidelity templates. Read more ->
Phishing as a Service (PhaaS)
A subscription model in the cybercrime economy where attackers rent ready-to-use phishing infrastructure (credential kit, sending infrastructure, AiTM reverse proxy for MFA bypass, anti-detection features, template library) instead of building their own. Major platforms include Tycoon, EvilProxy, Greatness, 16Shop and Caffeine. Pricing ranges from $50-$500/month for low-tier kits to thousands per campaign for premium AiTM platforms. Read more ->
DLP (Data Loss Prevention)
A category of security tooling that detects and blocks the unauthorized exfiltration of sensitive data (PII, PHI, payment card data, intellectual property, regulated content). DLP operates at three primary inspection points: (1) **endpoint DLP** -- agent installed on workstations and servers, inspects file operations, USB copy events, print actions, screenshot capture and clipboard transfer; (2) **network DLP** -- inline appliance or cloud-proxy inspecting outbound traffic at gateway egress, blocking matched content over HTTP/SMTP/FTP; (3) **cloud DLP** -- API-based scanning of SaaS storage (M365, Google Workspace, Box, Dropbox, Salesforce) for at-rest and in-flight sensitive content. Major commercial platforms in 2026: Microsoft Purview DLP (M365 native), Symantec / Broadcom DLP, Forcepoint DLP, Trellix DLP, Netskope DLP, Zscaler DLP. **Phishing-program relevance:** DLP is the downstream control that fires when a successful phishing-led account takeover leads to exfiltration -- the attacker uses the compromised mailbox or SaaS account to download / forward / share data. Modern DLP rules detect bulk download patterns, anomalous cross-tenant sharing, attachment-to-personal-email forwarding, and rapid sequential queries to data stores. DLP does NOT defend against the initial phishing click; it constrains the impact of a successful one. Compliance citations: HIPAA Security Rule 164.312(b)/(c) integrity controls, PCI DSS Requirement 4 (encryption in transit) and 3 (storage limitation), GDPR Article 32 organizational measures, NIST SP 800-53 SC (System and Communications Protection) family. Cyber-insurance underwriting in 2026 routinely asks about DLP coverage at the egress layer and the integration between DLP alerts and the IR runbook. Read more ->
Attack surface
The total set of entry points through which an unauthorized actor can attempt to enter, manipulate or extract from a system, environment or organization. Three primary attack-surface categories: (1) **digital attack surface** -- internet-facing assets (web apps, APIs, exposed cloud services, public endpoints, third-party SaaS integrations) plus internal services accessible post-perimeter; (2) **physical attack surface** -- on-premise devices, USB ports, badge readers, equipment with embedded interfaces; (3) **human attack surface** -- the workforce as a target population, attackable via phishing, vishing, smishing, social engineering, pretext interactions and OAuth consent abuse. The human attack surface is consistently the largest and most-exploited per Verizon DBIR human-element data, which is why security awareness training and simulated phishing programs are positioned as primary attack-surface-reduction controls at the user layer. Mature programs measure attack-surface reduction quantitatively: declining click-through rate trend, rising report rate trend, shrinking repeat-clicker cohort. NIST CSF Identify function (ID.AM-2 software inventory, ID.RA-1 vulnerability identification, ID.RA-5 risk-prioritization) maps to digital attack-surface management; the PR.AT awareness-training subcategory maps to human attack-surface management. MITRE ATT&CK enumerates the techniques attackers use after they breach a particular attack-surface vector, but the framework presupposes that an attack surface exists in the first place. Cyber-insurance underwriting in 2026 commonly weights both the attack-surface reduction posture (attack-surface management tooling, vulnerability scanning cadence) AND the human-surface posture (phishing-simulation cadence, completion-rate trend) as paired program-quality signals. Read more ->
Malicious PDF
A PDF file weaponized for credential theft, malware delivery or reconnaissance, used as a phishing attachment because PDFs are intrinsically trusted in business workflows (invoices, contracts, reports) and bypass URL-scanning email gateways because the payload is encoded inside the document rather than as anchor text. Five common technical patterns: (1) embedded JavaScript calling `app.launchURL` to redirect the user to an attacker-controlled credential-harvest page; (2) `/OpenAction` with `/SubmitForm` to exfiltrate form data to attacker URL on first open; (3) `/Launch` actions that auto-execute embedded payloads (largely deprecated in modern viewers but still effective against legacy infrastructure); (4) embedded QR codes in PDF images (a quishing-PDF crossover that bypasses both URL-scanning AND text-based gateway detection); (5) embedded HTML form pages that render inside the PDF and post credentials to a remote endpoint. Modern Acrobat prompts users for most external actions, but Chrome's built-in PDF viewer and many mobile readers historically execute silently, which is why some malicious PDFs successfully fingerprint targets (track which user opened them, when, from which IP) without user interaction. Common malware families delivered via PDF lures: Emotet (banking trojan, frequently chained with QakBot via embedded macros in PDF-embedded Office attachments), QakBot/Qbot (banking + reconnaissance trojan, ransomware initial-access vector), IcedID (banking trojan, ransomware affiliate use), BazarLoader (ransomware initial-access loader).
Defense layers: enterprise email gateway sandbox detonation (Microsoft Defender for Office 365 Safe Attachments, Mimecast Attachment Protect, Proofpoint TAP all detonate PDFs and observe execution behavior pre-delivery), attachment-stripping policies for high-risk lures (PDFs from external senders converted to images or rendered preview-only), Adobe Acrobat hardening (disable JavaScript globally, restrict embedded URLs, enable Protected View by default), Microsoft Defender for Endpoint or equivalent EDR with PDF-specific behavioral signatures, and continuous simulated phishing programs that include attachment-bearing lures alongside link-based campaigns. Read more ->
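Before a gateway sandbox detonates a PDF, a static triage pass can already route the document on the names listed in patterns (1) to (3) above. The following Python is an added example (not the glossary's code, not a gateway product's engine): it inflates FlateDecode streams so names inside compressed objects are visible, undoes the `#xx` escape that PDF allows inside names (so `/Java#53cript` is recognised as `/JavaScript`), and returns a verdict with the hits that produced it. The two sample documents are constructed for the example; the URL in the first is a placeholder, not a real site.

```python
import re
import zlib

# PDF names that drive automatic or external behaviour. Presence is a triage
# signal, not proof of malice: legitimate forms and link-bearing documents use
# some of them, so the output is a routing verdict, not a block decision.
RISKY_NAMES = {
    b"/OpenAction":   "action runs when the document is opened",
    b"/AA":           "additional-actions dictionary (page open, field events)",
    b"/JavaScript":   "JavaScript action",
    b"/JS":           "inline JavaScript source",
    b"/Launch":       "launches an external program or file",
    b"/SubmitForm":   "posts form data to a URL",
    b"/URI":          "external hyperlink",
    b"/EmbeddedFile": "embedded file attachment",
    b"/XFA":          "XFA form (scriptable)",
}
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Return the raw bytes plus the inflated content of every stream zlib can
    decompress, so names hidden in FlateDecode objects get scanned too.
    Streams using other filters fail to inflate and are skipped."""
    parts = [data]
    for m in _STREAM.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(parts)


def normalise_names(data: bytes) -> bytes:
    """Undo the '#xx' escape PDF allows in names. Applied after inflation,
    because rewriting bytes inside compressed streams would corrupt them."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF header")
    body = normalise_names(inflate_streams(data))
    hits = {}
    for name, meaning in RISKY_NAMES.items():
        # Require a non-name character after the token so /JS does not match
        # a longer name that merely begins with the same letters.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", body))
        if count:
            hits[name.decode()] = {"count": count, "meaning": meaning}
    launch = re.search(rb"app\.launchURL\s*\(\s*['\"]([^'\"]+)", body)
    auto_action = "/OpenAction" in hits or "/AA" in hits
    script = "/JavaScript" in hits or "/JS" in hits
    if launch or "/Launch" in hits or "/SubmitForm" in hits or (auto_action and script):
        verdict = "suspicious"   # route to sandbox detonation or strip the attachment
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "hits": hits,
        "launch_url": launch.group(1).decode(errors="replace") if launch else None,
        # Object streams can hide whole dictionaries; this scanner does not
        # unpack them, so a "clean" verdict is weaker when they are present.
        "object_streams": b"/ObjStm" in body,
    }


# Constructed sample: pattern (1) above, with /JavaScript hex-escaped the way a
# kit does to dodge naive substring matching. Placeholder URL.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.launchURL(\"https://phish.example.test/verify\", true);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign sample: one compressed content stream and no actions.
_CONTENT = zlib.compress(b"BT /F1 12 Tf 72 712 Td (Quarterly invoice) Tj ET")
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_CONTENT)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _CONTENT + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
```

Run `triage_pdf(SUSPICIOUS_PDF)` and `triage_pdf(BENIGN_PDF)` to compare the two verdicts. The scanner is intentionally conservative: it never declares a document safe, only "clean at this layer", which is why the detonation and attachment-stripping controls listed above still sit behind it.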
Ransomware
Malware that encrypts an organization's data (and increasingly exfiltrates it for double-extortion leverage) and demands payment to restore access. Phishing is the #1 initial-access vector for ransomware per the Verizon DBIR and FBI IC3 - the user-click that delivers the credential, the malicious attachment that drops the loader or the callback-phishing pretext that installs the remote-access tool. Modern variants run as Ransomware-as-a-Service (RaaS) where affiliates pay the operator a cut for use of the encryption infrastructure. Cyber-insurance carriers price ransomware coverage explicitly against an organization's phishing-program maturity. Read more ->
Deepfake
AI-synthesized audio or video that convincingly impersonates a specific person. In phishing, the dominant operational form is voice cloning - a few minutes of public audio (earnings calls, podcast appearances, conference talks) is enough for modern open-source models to generate convincing real-time speech in the target's voice. Used to amplify vishing attacks, particularly CEO/CFO impersonation calls instructing finance teams to authorize wires, change vendor banking details or buy gift cards. Defense is not detection-based (the audio quality has crossed the human-discrimination threshold for most users); it is process-based - mandatory callback verification through a known channel, code-word challenge, two-person approval on wires above a threshold and continuous vishing simulation. Read more ->
AI-generated phishing
Phishing emails, SMS messages or websites authored by large-language models (ChatGPT, Claude, Gemini, open-source Llama derivatives) and adversary-tuned variants (WormGPT, FraudGPT, EvilGPT) sold on cybercrime forums. Distinguishing operational characteristics: (1) grammatically clean output across non-English locales (eliminates the historical "broken English" tell that anti-phishing training relied on); (2) high-volume personalization where the LLM scrapes LinkedIn / corporate sites / press releases and fits the lure to the named target's role, projects and writing style; (3) iterative spam-filter evasion where the attacker A/B tests subject lines and body copy against commercial gateway-detection until detection rate drops; (4) fake voice and video deepfake components for hybrid email-plus-call lures. Tooling has democratized authorship: a single attacker with API credit can produce thousands of convincing locale-tailored lures per hour, where the same volume previously required a phishing-kit team. Defense is not detection-based at the content layer (the text is grammatically valid by definition); it is structural - phishing-resistant MFA (FIDO2/passkeys) for credential theft, OAuth admin-policy for consent phishing, sandbox detonation for attachments, behavior analytics for cookie replay, and continuous simulation programs that include AI-generated spear-phishing templates so users encounter the modern reality before adversaries hit them. Reflected in updated guidance: NIST SP 800-63 supplementary identity-proofing notes, ENISA 2024 threat report and FBI IC3 2024 annual public-service announcement on generative-AI-enhanced fraud all explicitly call out AI-generated phishing as the post-2023 baseline.
MFA-bypass phishing
A class of phishing attacks engineered to defeat multi-factor authentication rather than just steal a password. The five major patterns: AiTM (adversary-in-the-middle proxy that captures the live session cookie post-MFA), OAuth consent grants (user is tricked into authorizing a malicious app, no MFA challenge required), MFA push fatigue (repeated approval prompts until user gives up and approves), SIM swap (carrier-side phone-number transfer that intercepts SMS codes) and session-cookie theft (post-authentication cookie exfiltrated from a compromised browser, replayed by the attacker). Standard MFA is necessary but no longer sufficient against modern phishing; the phishing-resistant controls that actually defeat each pattern are FIDO2/passkeys, hardware-bound credentials, number-matching MFA, conditional access policies and continuous simulation that exercises the patterns directly. Read more ->
Session-cookie theft
The attacker outcome where stolen browser session cookies or refresh tokens grant access to an authenticated session WITHOUT having to re-complete the credential and MFA ceremony. MITRE ATT&CK Technique T1539 (Steal Web Session Cookie); T1606 covers the broader Forge Web Credentials category. Two primary harvest mechanisms: (1) AiTM reverse-proxy phishing where the proxy completes the user's auth and MFA on their behalf in real time, captures the resulting session cookie post-ceremony and ships it to the attacker; (2) info-stealer malware running on the endpoint (RedLine, Vidar, Lumma, Raccoon and similar families) that extracts session cookies from browser stores (Chrome cookies database, Edge token store, Firefox profile) and exfiltrates them. The captured cookie is imported into the attacker's browser via developer-tools cookie-edit or a session-replay extension and the attacker is logged in as the user. Standard MFA does not block this attack pattern because the MFA challenge was already completed before the cookie was issued; the attacker bypasses the credential layer entirely. Defenses: phishing-resistant MFA (defeats AiTM by binding the auth ceremony to the legitimate origin), token binding (binds the session cookie to the originating TLS connection/device), short session lifetimes for sensitive apps, conditional access with risk-based re-authentication, endpoint EDR that catches info-stealer execution, and continuous-access evaluation that revokes tokens on detected anomalies. Verizon DBIR and ENISA threat landscape both flag session-cookie theft as a top 2024-2025 initial-access pattern, particularly via AiTM kits sold through PhaaS operators (Tycoon 2FA, EvilProxy, Greatness). Related to MFA-bypass phishing as one of its five mechanisms. Read more ->
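The "continuous-access evaluation that revokes tokens on detected anomalies" defense above needs an anomaly to key on, and the simplest one is a cookie that changes network and client mid-life. The following Python is an added example (not the glossary's code and not any vendor's detection rule) that flags a session id reused from a different ASN or browser family shortly after its previous request, while ignoring bare IP changes. The access-log layout and the sample requests are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authenticated requests keyed by the session cookie that
# authenticated them. The field set (session id, user, UTC time, client IP, ASN,
# browser family) is an assumption about what a reverse proxy or IdP access
# log can export; the ASN would normally come from a GeoIP/ASN lookup.
SAMPLE_REQUESTS = [
    ("sess-a1", "alice", "2025-03-04T09:10:00Z", "203.0.113.20", "AS64500", "Chrome/Windows"),
    ("sess-a1", "alice", "2025-03-04T09:12:00Z", "203.0.113.20", "AS64500", "Chrome/Windows"),
    # same cookie, 90 s later, from a hosting-provider ASN and a different browser
    ("sess-a1", "alice", "2025-03-04T09:13:30Z", "198.51.100.9", "AS64501", "Chrome/Linux"),
    ("sess-b7", "bob",   "2025-03-04T10:00:00Z", "192.0.2.44",   "AS64502", "Safari/iOS"),
    # mobile carrier rotated bob's IP inside the same ASN: normal, not flagged
    ("sess-b7", "bob",   "2025-03-04T10:05:00Z", "192.0.2.45",   "AS64502", "Safari/iOS"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(requests, max_gap=timedelta(hours=1)):
    """Flag a session cookie whose ASN or browser family differs from the
    request that first used it, within `max_gap` of the previous request.
    A bare IP change is deliberately ignored (carrier NAT and mobile handoffs
    rotate addresses constantly); a new network and a new client on the same
    cookie is the signature a cookie import into another browser leaves."""
    by_session = defaultdict(list)
    for sid, user, ts, ip, asn, ua in requests:
        by_session[sid].append((parse_ts(ts), user, ip, asn, ua))

    findings = []
    for sid, reqs in sorted(by_session.items()):
        reqs.sort()
        t_first, user, ip_first, asn_first, ua_first = reqs[0]
        prev_t = t_first
        for t, _, ip, asn, ua in reqs[1:]:
            changed = []
            if asn != asn_first:
                changed.append("asn")
            if ua != ua_first:
                changed.append("user_agent")
            if changed and t - prev_t <= max_gap:
                findings.append({
                    "session_id": sid,
                    "user": user,
                    "changed": changed,
                    "first_seen": (ip_first, asn_first, ua_first),
                    "replayed_from": (ip, asn, ua),
                    "gap_seconds": int((t - prev_t).total_seconds()),
                    # A password reset does not invalidate an issued cookie;
                    # the session and any refresh tokens have to be revoked.
                    "action": "revoke session and refresh tokens; check endpoint for info-stealer",
                })
                break   # one alert per session is enough
            prev_t = t
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(SAMPLE_REQUESTS):
        print(finding)
```

The rule compares against the first request on the cookie rather than the immediately preceding one, so a slow drift across several hops is still caught, and it is bounded by `max_gap` so that a laptop carried home and used the next morning on a different ISP does not fire on its own. Token binding, listed among the defenses above, would make this detection unnecessary for the bound session: the replayed cookie would simply be rejected.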
