What is Phishing?
Phishing is a deceptive form of cyberattack in which criminals impersonate trusted entities to trick victims into revealing confidential information or installing malware.
Phishing attacks:
- Arrive as fraudulent communications – commonly emails or text messages – that appear to come from legitimate sources.
- Urge the recipient to take action (click a link, download a file, or enter credentials) so that the attacker can steal login credentials or financial data, or gain a foothold in an organization’s network.
- Exploit trust and fear, using urgent language or enticing promises to prompt victims into doing something that is against their interests.
Phishing examples include receiving an email that looks like it’s from your bank, warning of an “account verification issue,” and urging you to click a link to verify your identity. The link then goes to a fake site that steals your login credentials.
The consequences of falling for a phishing attack include stolen passwords leading to data breaches, unauthorized bank transfers, identity theft, malware infections (like ransomware), and costly business email compromise (BEC) incidents.
In 2024, Group-IB identified more than 80,000 phishing websites (a 22% increase compared to 2023). Ongoing high-profile efforts to combat large-scale phishing scams, such as Operation Contender 2.0, further highlight just how much of a challenge this threat poses to organizations across industries, from logistics and travel to online services.
Different Types of Phishing Attacks
The number of tricks used to lure victims is limited only by malicious actors’ imagination. However, in most cases, the following types of scam or phishing attack are used:
1. Email Phishing (Mass Phishing)
This is a classic phishing attack where an email is sent to as many people as possible with generic messages like fake network security alerts, invoice attachments, or “confirm your account” requests.
Phishing email examples in this category include messages about “suspicious login attempts” or “bank account updates” that urge you to click a link and log in.
These emails often spoof well-known companies (from PayPal to Microsoft) to appear authentic. However, many include misspelled words, poor grammar, or bogus-looking URLs and are easily spotted as phony.
2. Spear Phishing
Instead of blasting thousands of random recipients, spear phishing attacks are aimed at a specific person or organization. A spear phishing email will address you by name, reference your company and job role, or appear to come from a colleague or vendor you know.
In 2022, Group-IB uncovered a large-scale spear phishing campaign dubbed 0ktapus. The campaign targeted over 130 organizations across various industries, including technology, telecom, financial institutions, and retail.
Using simple phishing kits (pre-packaged tools), the attacks combined social engineering and technical tactics to compromise corporate credentials and two-factor authentication (2FA) codes. For a comprehensive analysis of the 0ktapus spear phishing campaign, refer to our detailed report, “Roasting 0ktapus”.
3. Whaling Phishing
Whaling attacks are a more specialized form of spear phishing that targets “big fish”—high-ranking individuals (executives, senior manager-level employees, etc.).
A whaling attack is carefully crafted to exploit the authority or access of prominent individuals and uses various methods to deceive targets, including spoofed email and websites. Whaling often overlaps with BEC scams, with phishing examples involving attackers impersonating a CEO or CFO and tricking employees into sending large wire transfers.
In May 2024, an elaborate deepfake scam targeted WPP CEO Mark Read. The attackers created a fake WhatsApp account featuring a public photo of Read. They then arranged a Microsoft Teams call, using AI-generated voice and video deepfakes, to solicit money and personal details from a senior agency leader. Fortunately, the scheme failed due to the vigilance of the targeted executive and WPP staff.
Explore Group-IB’s analysis of deepfake fraud for further insights into AI-powered phishing, risk management, and social engineering tactics.
4. Smishing (SMS Phishing)
Smishing uses text messages (SMS) or messaging apps (such as WhatsApp and Telegram) to send malicious links or codes.
Users on mobile devices are less vigilant, and a phone’s limited display can hide telltale signs of fraud. Also, SMS as a channel is far less secure than email since mobile operators’ spam filters are inferior in flexibility and accuracy to similar email technologies.
Phishing examples include fake text messages that impersonate a bank (“Your account information is locked, verify here”), a delivery service (“Package undeliverable, update address via this link”), or another service provider. These messages often contain an urgent request with a shortened URL to lure victims into following the link.
5. Voice Phishing (Vishing)
In vishing attacks, scammers use phone calls or voice messages to con victims. Attackers pretend to be tech support, government officials, or bank fraud departments, and the call creates panic to pressure the victim.
In January 2025, a social engineering scam in the Middle East combined vishing with remote access software to steal credit card information and OTP (one-time password) codes.
The scheme involved impersonating government agencies or legitimate companies and targeting individuals who had lodged complaints online via a government portal, exploiting their trust and willingness to cooperate in order to “process a refund.”
6. Social Media Phishing
This phishing attack is distributed in personal messages, posts, comments, groups, social media account descriptions, etc.
Social media phishing usually involves scammers sending malicious links through Facebook or LinkedIn messages, impersonating a friend or connection who “needs help,” or creating fake customer support profiles on Instagram to catch victims (a tactic sometimes called angler phishing).
According to Group-IB’s High-Tech Crime Trends Report 2025, many advanced persistent threat (APT) groups utilize social networks, messaging platforms, and cloud services to distribute malware and evade detection in multiple phases.
7. Advertisement Fraud
Many phishing campaigns use online ads or search results to reach victims. In malvertising, attackers buy ad space (or compromise ad networks) to display ads that redirect users to phishing sites.
Similarly, SEO poisoning involves creating fake websites that rank high on search engines for specific keywords (like “popular software download”). Users click the top result and end up on a fake site that prompts them to log in or download malware.
For example, fraudsters have placed phishing sites in Google search ads masquerading as cryptocurrency exchanges to dupe those who click.
In 2019, Classiscam was launched on classified sites. Scammers placed fake advertisements and used social engineering techniques to convince users to pay for goods by transferring money to bank cards. Since then, Classiscam campaigns have become highly automated via Telegram bots and chat groups, allowing attackers to create convincing phishing sites within seconds.
See Group-IB’s latest report, “Demystifying Classiscam,” to learn how Classiscam became one of the most popular scam schemes today. It involves more than 384 criminal groups and uses 169 brands from 64 countries.
Common Indicators of a Phishing Attempt
Phishing techniques constantly evolve, but most attempts contain red flags to help you spot a phishing email or message before it’s too late.
Here are common indicators of a phishing attempt:
1. Abnormalities in Email Addresses and Domain Names
Scammers often impersonate legitimate brands and resources to increase the credibility of their phishing emails and websites. Even the slightest abnormalities in email addresses or domain names should alert you.
2. Newly Registered Domain
Phishing websites rarely exist for long because they are regularly blocked. Thus, sites created less than a month ago can be considered dangerous. The domain registration date can be checked in any Whois service.
3. Irregularities in the Website or Email Content
Attackers rarely use a full copy of the website; thus, some sections may be missing or redirect a user to the official site. Also, poor image quality and wording, grammatical errors, and typos may indicate phishing.
4. Unfamiliarity of the Sender or the Mentioned Resources
Legitimate mailing services forbid sending to recipients who have not agreed to receive the emails. If a user receives an email from a sender or brand they never subscribed to, it may be a phishing attempt.
5. Suspicious Links and Attachments in Emails
Malicious links and email attachments are a common way to infiltrate a victim’s infrastructure and drop a payload. Some email services scan attachments and block suspicious ones. However, the safest tactic is not to follow links in, or download anything attached to, suspicious emails.
6. Sense of Urgency
Phishing emails or websites aim to make a victim click and perform the desired action. The simplest way to do so is to create a sense of urgency or to exploit emotions such as greed, fear, compassion, or liking.
Promises of easy money, expiring-soon offers, notifications about the device being infected, celebrity endorsements, or messages related to current affairs may be signs of a phishing attack.
Phishing Techniques
Threat actors are always looking for more convincing tactics to deceive a victim and more efficient ways to protect phishing websites from being blocked. Below are the most popular phishing techniques currently known.
1. Traditional Phishing
In this technique, the domain name is created solely for phishing, while the website wholly or partially mimics the legitimate resource of the organization under attack.
Traditional phishing can be recognized by the following parameters:
- The domain name was registered no more than a few days ago.
- The domain name wholly or partially resembles the name of the resource being attacked.
- Visually, the page entirely or very closely replicates the user input form of the legitimate resource.
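As an added illustration of indicators 1 and 2 above (domain abnormalities, newly registered domains) and of the traditional-phishing parameters just listed, the following Python (example code, not Group-IB’s) scores a host name against a brand list for look-alike labels and checks how recently the registrable domain was registered. The brand list, allowlist and WHOIS creation dates are constructed sample data; a real deployment would query WHOIS/RDAP and use a public-suffix list.

```python
# Added example: look-alike + registration-age scoring for suspect domains.
# Brands, allowlist and WHOIS dates below are constructed sample data.
from datetime import date
import unicodedata

PROTECTED_BRANDS = ["paypal.com", "microsoft.com"]          # brands we defend (assumption)
KNOWN_LEGIT = {"paypal.com", "microsoft.com", "microsoftonline.com"}  # allowlist (assumption)
TODAY = date(2024, 6, 15)                                    # pinned so results are reproducible
WHOIS_CREATED = {                                            # constructed creation dates
    "paypal.com": date(1999, 7, 15),
    "microsoft.com": date(1991, 5, 2),
    "microsoftonline.com": date(2014, 3, 3),
    "paypa1-secure.com": date(2024, 6, 12),
    "rnicrosoft-login.net": date(2024, 5, 1),
}
MAX_AGE_DAYS = 30  # "sites created less than a month ago can be considered dangerous"

# Visually similar substitutions seen in look-alike domains; multi-character pairs go first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Fold accents and common look-alike characters so 'paypa1' compares equal to 'paypal'."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def registrable_domain(host: str) -> str:
    """Last two labels; adequate for .com/.net, a real implementation uses the public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats that homoglyph folding misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(host: str) -> dict:
    """Return a verdict for a host seen in a sender address or URL, with the reasons."""
    domain = registrable_domain(host)
    if domain in KNOWN_LEGIT:
        return {"domain": domain, "verdict": "legitimate", "reasons": []}
    reasons = []
    base = normalize(domain.split(".")[0])
    for brand in PROTECTED_BRANDS:
        label = brand.split(".")[0]
        # Brand name embedded in an unrelated registrable domain, or one edit away from it.
        if label in base or levenshtein(label, base) <= 1:
            reasons.append(f"resembles {brand}")
            break
    created = WHOIS_CREATED.get(domain)
    if created is not None:
        age = (TODAY - created).days
        if age < MAX_AGE_DAYS:
            reasons.append(f"registered {age} days ago")
    return {"domain": domain, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


if __name__ == "__main__":
    for h in ["www.paypal.com", "paypa1-secure.com", "rnicrosoft-login.net",
              "login.microsoftonline.com", "example.org"]:
        print(h, "->", assess(h))
```

The allowlist matters: without it, a legitimate brand-owned domain such as microsoftonline.com would trip the look-alike rule, so this heuristic is a triage signal to combine with registration age, not a verdict on its own.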
2. Website Hack
For this phishing attack technique, threat actors compromise legitimate resources and upload phishing content to the vulnerable server. Distinctive features of a website hack:
- If the full phishing URL is not used, the legitimate resource opens.
- The domain name was registered a long time ago.
- Often, the owner of the website is a legitimate, well-known organization with a good reputation.
3. Technical Domain Usage
Another popular phishing technique is using technical domains of various registrars and hosting providers. The easy and free registration of such domains allows threat actors to create large volumes of web resources quickly.
A hallmark of technical domains is the large number of unrelated sites on their subdomains. They can be checked by analyzing the search results for the second-level domain.
4. Multi-Brand Phishing
In this case, the user encounters a phishing page listing multiple brands. For example, a fake e-commerce payment page displays a list of banks or payment services and asks the victim to choose their provider. This approach lets attackers target customers of many institutions simultaneously, increasing the chances of ensnaring victims regardless of which option they choose.
A multi-brand phishing campaign was uncovered by Group-IB researchers in Vietnam. Every phishing website displayed the logos of 27 major banks in the form of a single page or as a drop-down option where victims can pick their registered bank. These sites then redirected users to a fraudulent login portal as part of an OTP hijacking scheme.
5. Form Builder Usage
For this phishing technique, legitimate tools for building web pages with forms are used. Adversaries often employ these services to create surveys, tricking victims into sharing sensitive data.
Threat actors take full advantage of this technique, bypassing security solutions easily. The surveys or other pages are created on trusted domains with a high reputation, so they are perceived as legitimate.
6. Browser-in-the-Browser (BitB)
BitB is one of the most deceptive and effective phishing techniques. It involves showing the victim an additional, fake browser window drawn inside the page, complete with a forged address bar.
The forged address bar includes an SSL certificate (padlock) icon and the URL of a legitimate resource, so the window is indistinguishable from the legitimate website in every visible respect. CERT-GIB analysts examine this type of phishing attack in detail in the blog post “Letting off Steam.”
Techniques Attackers Use to Bypass Phishing Detection
Threat actors typically ensure that only specific targets can view phishing content. This limited access makes phishing attacks significantly harder to detect for anti-phishing specialists and hosting providers.
Below are the evasion techniques attackers use to prolong the lifespan of phishing sites and increase the likelihood of successful attacks.
1. Restriction by IP or Geolocation
Some phishing pages are accessible only to visitors from specific locations. To apply this method, threat actors restrict access to IP addresses in a particular country. Often, a visitor who does not match this filter is redirected to the official site or even to an unrelated third-party resource.
To counter this tactic, anti-phishing specialists carefully examine phishing campaigns and the phishing kits used by threat actors. First of all, attention is paid to the following parameters:
- Resource domain zone
- Domain language
- Country of the attacked object
2. Access via One-Time or Temporary Links
This technique involves using a URL created specially for the victim and available for a limited amount of time. Another variation of this method is making the link to the phishing page available only for the duration of a particular session.
Usually, such links are generated by a script hosted on another page (possibly a hacked legitimate resource), by a redirect that sends the user to a one-time URL, or by specific URL paths that generate the final link.
3. Restriction by Device Settings
A phishing campaign can target users of specific devices. In such cases, the phishing page opens correctly only with the appropriate User-Agent (an HTTP request header that identifies the visitor’s device). Sometimes, threat actors restrict access to a phishing resource from specific web browsers.
4. Stub Page
Stub pages are websites, usually of an advertising or informational nature, that look like legitimate resources without any malicious attachments. However, this disguise hides the phishing webpage, which is available only to potential victims.
Domain names and registration dates expose the phishing nature of these pages. Analysis of phishing campaigns and constant monitoring for new domains allow us to prevent the spread of phishing pages that use this technique, even when there is no final content on them.
Evolution of Phishing Attacks: Key Trends
The term “phishing” was first coined in the mid-1990s as hackers on America Online (AOL) fooled users into divulging passwords and credit card numbers. Early phishing scams were relatively crude, involving mass-distributed emails or messages rife with typos.
Fast-forward to today, and phishing attacks have become more widespread and damaging, driven by technological advancements and the growth of underground cybercrime services.
Key trends highlighting the evolution of phishing attacks include:
From Basic Emails to Advanced Phishing Kits
A phishing kit is a set of tools that enables cybercriminals to create and operate several phishing pages at once. Group-IB’s Computer Emergency Response Team (CERT-GIB) reported a 25% increase in the use of phishing kits in 2022, with over 6,000 phishing kits analyzed.
Other critical insights from the research include:
- Phishing kits can readily be bought or downloaded on the dark web, typically targeting popular products and services such as Microsoft Live, Office 365, OneDrive, and Outlook.
- These kits allow scammers with poor developer skills to launch sophisticated phishing scams. Approximately 10% of phishing kits contain hidden backdoors, allowing kit developers to access stolen personal data or hijack hosting resources.
- While email remains the primary method for extracting stolen credentials, attackers increasingly use alternatives such as Telegram bots and Google Forms.
- Modern phishing kits incorporate advanced anti-detection techniques such as dynamic directories, fake 404 pages, randomization, and anti-bot technologies to avoid detection and prolong the lifespan of phishing campaigns.
Discover how Group-IB’s phishing kit database helps us stop brand impersonation attacks and investigate phishing campaigns more effectively with security awareness.
Rise of Phishing-As-A-Service (PhaaS)
Much like the ransomware-as-a-service model, PhaaS platforms sell access to phishing campaigns and infrastructure. This includes ready-made phishing pages/templates, hosting for fake sites, email/SMS delivery tools, etc.
Many PhaaS operations run on tiered subscription plans while others use affiliate-style programs or profit-sharing, allowing attackers to launch convincing phishing campaigns at scale. PhaaS providers shield their customers through security measures like bulletproof hosting and mandatory cryptocurrency payments.
In early 2024, Group-IB was involved in a global operation to cripple Canadian Phishing-as-a-Service provider, LabHost. While numerous PhaaS platforms exist, LabHost stands out due to its unique business model, which includes not only phishing services but also avenues for monetizing stolen credit cards and banking credentials through services like LabRefund.
Multichannel Phishing Attacks
Attackers increasingly combine multiple communication channels like email, SMS (smishing), voice calls (vishing), and social media to maximize their deception. Multichannel phishing campaigns often begin with a phishing email followed by a text message or phone call, reinforcing the urgency of the request.
This expanding attack surface adds credibility and confusion, making scams harder to detect and prevent. Social media platforms are also leveraged to gather personal information about targets to craft more convincing messages. In some cases, attackers use QR codes in physical locations to direct victims to malicious websites.
The integration of AI has further enhanced the effectiveness of these multichannel attacks. AI tools help attackers analyze vast amounts of data to personalize messages, mimic communication styles, and automate the delivery of phishing content across various platforms. Our Cybersecurity X AI e-guide explores AI-powered phishing threats to help you understand these challenges.
Abuse of Trusted Brands and Platforms
One of the more insidious trends is fraudsters leveraging trusted domains to mask attacks. Phishing emails often look legitimate, using familiar logos and branding to mimic the emails employees regularly receive.
Threat actors primarily use trusted domains to bypass Secure Email Gateways (SEGs) and spam filters designed to block suspicious activity, malicious software, or unknown domains. SEGs are less likely to flag URLs that belong to reputable platforms because these domains have established a history of trustworthiness.
In December 2024, Group-IB’s Digital Risk Protection revealed how cyber threat actors exploit trusted domains and platforms by embedding phishing URLs inside Adobe.com, DocuSign, and Google AMP links. Users see a link beginning with “https://indd.adobe.com/…” and assume it’s safe. The embedded document pretends to deliver an important PDF message (e.g., “New PDF Document Received”) but includes a phishing link to steal user credentials.
Best Practices to Stop and Block Phishing Attacks
To effectively defend your organization against phishing threats, we recommend combining proactive prevention with rapid response measures. 91% of all cyber incidents begin with a single phishing email, demonstrating how phishing attacks remain stubbornly effective because they exploit human behavior rather than technological vulnerabilities.
Here are the best practices to stop and block phishing attacks, combining human awareness, early detection, and accelerated response:
1. Conduct Regular Phishing Awareness Training Programs
Strengthen your security teams and in-house expertise with cybersecurity education programs that teach employees to:
- Report common phishing indicators such as urgent or unusual requests, misspellings, or suspicious attachments and links.
- Recognize scammers’ behavior, tools, and techniques based on real-life attack scenarios.
- Stop attacks before they escalate, for example by reporting immediately after clicking a phishing link or opening a suspicious attachment.
2. Strengthen Email and Access Security
Deploy advanced email security controls, endpoint detection and response (EDR), and authentication protocols to block phishing emails from reaching users by:
- Securing email gateways with spam/malware filters and URL sandboxing to block malicious URLs.
- Using email authentication standards (SPF, DKIM, and DMARC) to verify senders and prevent email spoofing.
- Enforcing multi-factor authentication on all accounts to limit unauthorized access, even if credentials are compromised.
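Because the SPF/DKIM/DMARC item above is where the three standards meet, here is an added Python example (not Group-IB code) of the alignment decision a receiving gateway makes: SPF or DKIM must pass, and the authenticated domain must align with the visible From: domain under the sender’s published DMARC policy. The message scenarios and DMARC records are constructed; in production the SPF/DKIM results come from the MTA’s Authentication-Results header and the record from a DNS TXT lookup at _dmarc.<domain>.

```python
# Added example: DMARC alignment evaluation (RFC 7489 logic, simplified).
# SPF/DKIM results and DMARC records below are constructed inputs.
import re
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into a dict, applying RFC 7489 defaults."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real code uses the public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_header: str, spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str, dmarc_txt: Optional[str]) -> dict:
    """Decide DMARC pass/fail for one message and the action the published policy requests."""
    from_domain = re.search(r"@([\w.-]+)", from_header).group(1).lower()
    if dmarc_txt is None:
        # No record published: receivers have no policy to apply, so spoofing is not blocked.
        return {"from_domain": from_domain, "spf_aligned": False, "dkim_aligned": False,
                "dmarc": "none", "action": "deliver"}
    policy = parse_dmarc_record(dmarc_txt)
    # SPF passing on the sender's own envelope domain is not enough: it must align with From:.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    action = "deliver" if passed or policy["p"] == "none" else policy["p"]
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail", "action": action}


if __name__ == "__main__":
    # Spoofed From: while SPF and DKIM pass only for an unrelated domain -> reject.
    print(evaluate("Bank Security <security@bank.example>", "pass", "other.example",
                   "pass", "other.example", "v=DMARC1; p=reject"))
    # Legitimate bounce subdomain with relaxed SPF alignment -> pass.
    print(evaluate("alerts@bank.example", "pass", "bounce.bank.example",
                   "none", "", "v=DMARC1; p=reject; aspf=r"))
```

The first scenario is the point of DMARC for a brand: a message can pass SPF and DKIM for some domain and still be rejected because neither authenticated domain aligns with the From: header, which is why the brand must publish a record with p=quarantine or p=reject rather than p=none.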
Determine your email security posture with Group-IB Trebuchet, an automated security assessment tool for testing email and network protection against targeted cybersecurity attacks.
3. Regularly Monitor and Quickly Take Down External Threats
For deeper visibility and security threat detection, proactively monitor your digital presence and detect brand impersonation, suspicious messages, or domain registrations early.
This best practice includes implementing a process to report and take down phishing sites and related security issues by:
- Deactivating domain names used for phishing or removing phishing content as soon as possible.
- Notifying the registrar, hosting provider, and owner, and collecting evidence of the phishing activity. Contact details for the responsible parties can be found via Whois services. If a phishing resource is hosted on a hacked domain, the owner of that resource is notified first.
- Contacting other CERT teams and hosting providers with a request to influence the responsible party (registrar/hosting) to expedite the suspension of the phishing resource.
Group-IB Digital Risk Protection enforces a three-stage takedown process to maximize the success rate of removing phishing violations. This approach helped AVO Bank successfully identify and eliminate 90% of fraudulent resources at early stages, even catching threats like rogue Telegram channels and executive-targeted scams that would otherwise go unnoticed.
Additionally, Group-IB’s Managed Extended Detection and Response (Managed XDR) solution helped AVO Bank minimize internal risks. Even if a bank employee accidentally downloads a malicious file or runs a malware program received via email, the files are blocked before any damage is done.
4. Deploy Fraud Prevention as a Safety Net
Some attacks may still slip through even with strong phishing defenses. Effective fraud prevention tools help quickly detect and stop phishing attempts by:
- Using device fingerprinting and behavior analytics to flag suspicious logins and credential stuffing attacks. This helps to detect session fraud and prevent the theft of customer funds in real time.
- Allowing security teams to detect and respond immediately to unauthorized use of stolen credentials.
- Aligning with your risk profile and regulatory needs with custom rules evaluated against past data.
Group-IB’s Fraud Protection leverages response automation to instantly counter account takeover attempts. When a compromised account initiates high-risk actions (like an unusual fund transfer from a new device after a phishing attack), the platform automatically triggers protective measures (freezing the account or blocking the transaction). It alerts the fraud team to prevent any loss.
Looking ahead, Group-IB’s CEO, Dmitry Volkov, predicts that phishing will become even more dangerous with the rise of AI-driven manipulations and deepfake-enabled fraud. We may soon see attackers routinely using deepfake audio and video to impersonate trusted individuals, reinforcing the need for advanced detection and prevention strategies.
How Group-IB Protects Organizations from Phishing Attacks
As long as humans remain the weakest link, phishing attacks cannot be eliminated completely. However, with the right knowledge and phishing detection capabilities, you can stay one step ahead of fraudsters and break the attack cycle.
Group-IB offers dedicated Phishing and Scam Protection solutions to counter phishing across email, web, and social media. Here’s how our approach goes beyond blocking to include early detection, swift takedowns, and proactive defense:
- Group-IB’s Digital Risk Protection (DRP) is a comprehensive solution that continuously monitors the internet for phishing sites, fake domains, and scam campaigns targeting your brand or employees. This technology detects up to 90% of violations and performs takedowns in seconds. The DRP solution automatically blocks the vast majority of phishing and scam resources, while others are removed with the help of our extensive network of partners.
- Thanks to our patented retroactive analysis technology, Group-IB’s Business Email Protection can automatically detect and block scams, remove malicious email content even after mail delivery, and continuously monitor your company’s email security status.
- Group-IB’s Threat Intelligence Platform includes phishing detection capabilities, providing organizations full visibility into the fraud landscape for actionable anti-phishing strategies. We also empower customers with targeted fraud intelligence across the entire cyber-fraud kill chain to break down complex phishing attacks into stages and techniques.
- Group-IB’s Fraud Protection solution covers all seven key functionalities, including bot detection, behavioral biometrics, explainable AI, and API security. It has reduced the rate of false positives by 20% and the need for OTPs by 30%, enabling up to 20% more fraud attempts to be detected and prevented.
With growing threats like synthetic identity fraud, deepfakes, and advanced phishing attacks, adopting multifactor verification is essential, particularly for the finance and banking sectors. Group-IB anti-fraud technologies facilitate this through behavioral biometrics, device fingerprinting, Anti-Money Laundering (AML) systems, and more.
Our platform protects over 500 million users worldwide across banking, fintech, e-commerce, and online gaming platforms. Get in touch with our experts today to get phishing protection.
