Phishing & email
Phishing has more variants than most people expect. These terms cover the delivery channels, the kits behind the pages, and the email standards that limit the damage.
16 terms
Account takeover (ATO)
Account takeover (ATO) is fraud in which an attacker gains control of a legitimate user account, typically using stolen or phished credentials, to steal funds, data, or further access.
Business email compromise (BEC)
Business email compromise (BEC) is a fraud in which an attacker impersonates an executive, employee, or vendor over email to trick a company into transferring money or data.
CEO fraud
CEO fraud is a scam in which an attacker impersonates a company chief executive, usually by email, to order an urgent payment or data transfer that an employee carries out without checking.
Clone phishing
Clone phishing copies a real, previously delivered email, then resends it with the links or attachments swapped for malicious ones, so it looks like a familiar message the recipient already trusts.
Credential harvesting
Credential harvesting is the large-scale collection of usernames and passwords, usually through phishing pages that imitate a real login, for use in fraud or account takeover.
DMARC
DMARC is an email authentication standard that tells receiving servers how to handle messages that fail SPF and DKIM checks, and reports who is sending mail using your domain. It is the main defence against email spoofing.
Email spoofing
Email spoofing is forging the sender address of an email so it appears to come from a trusted domain. It is the technical basis for most phishing and BEC.
Phishing
Phishing is a social-engineering attack that tricks people into revealing credentials, payment data, or other sensitive information by impersonating a trusted brand, person, or service.
Phishing kit
A phishing kit is a ready-made package of code and templates that lets a low-skill attacker stand up a convincing fake login or payment page in minutes.
QR phishing (quishing)
QR phishing, or "quishing", hides a malicious link inside a QR code so victims scan their way to a fraudulent page, bypassing many email and URL filters in the process.
Reverse proxy phishing (AiTM)
Reverse proxy phishing, also called adversary-in-the-middle (AiTM), sits between the victim and the real site, relaying the login in real time to steal the session and defeat multi-factor authentication.
SEO poisoning
SEO poisoning is the manipulation of search rankings so malicious or impersonating pages appear high in results for trusted brand or topic queries, luring users into clicking them.
Smishing
Smishing is phishing delivered via SMS or messaging apps: a text that impersonates a brand, such as a bank, courier, or tax office, and links to a fraudulent page.
Spear phishing
Spear phishing is a targeted phishing attack tailored to a specific person or small group, using personal or organizational details to make the lure highly convincing.
Vishing
Vishing is voice phishing: a phone call or voicemail that impersonates a trusted organization or person to pressure the target into revealing information or making a payment.
Whaling
Whaling is a phishing attack aimed at senior executives, the most valuable targets, using highly tailored messages to trigger high-value actions like large wire transfers or the release of sensitive data.
See who is impersonating your brand
The free nebty report scans the web for lookalike domains and fake profiles targeting your brand, with no obligation.
Get your free report