What is phishing ?

Phishing is the most common form of social engineering carried out by email. Unlike cyberattacks on systems and software, it requires little to no hacking expertise, making it a quick and easy way for cybercriminals to get access to a business’s most sensitive data.

Download Solution Brief
Vade - Phishing
Vade - phishing definition

Phishing definition

Phishing is an email scam that impersonates a business to trick recipients into divulging account credentials or clicking on a malware-laden link. In most attacks, it involves luring a victim with a link to a fake website or including an email attachment laced with malware.

Vade - phishing vs spear phishing

Phishing vs spear phishing

Phishing attacks impersonate brands to trick users, whereas spear phishing attacks impersonate individuals. Most phishing emails include a subject line that causes either alarm or intrigue, which encourages victims to act quickly. With the exception of highly targeted attacks, phishing is typically a one-off event. Often, hackers will send a single email to multiple recipients—known as a wave—at once to improve the chances of success.

Spear phishing emails do not include links or attachments and are designed to trick a recipient into completing a financial transaction, such as making a wire transfer, purchasing gift cards, or changing direct deposit information.

Elements of phishing

All phishing emails include one of two components: a link or an attachment. Getting victims to click the link or open the attachment requires a sophisticated set of tools and techniques. Below are some of the most important elements :

Vade - Subject line

Subject line

Perhaps the most critical element of a phishing email, the subject line is designed to entice, alarm, or frighten the victim the victim into opening the email. Hackers who have done their research write highly targeted subject lines to entice victims into opening emails.

Vade - against Email spoofing

Email spoofing

Email spoofing involves creating an email address that looks like that of a trusted business. With display name spoofing, the hacker adds the desired display name in the sender field of the email. In other cases, a hacker will use an email address resembling a legitimate business email as the display name.

Vade - against brand impersonation

Brand impersonation

Hackers impersonate the brands you trust the most. When attacking businesses, hackers impersonate brands that a business has a relationship with, such as a bank or a software vendor. To create the illusion of legitimacy, phishers use real business and product logos and other visual elements of the brand’s identity.

Vade - against phishing link

Phishing link

A link is typically placed in the body of the email, but it can also be placed inside an attachment or inside a legitimate hosted file on a service like OneDrive or SharePoint to avoid detection from email filters scanning for known phishing links. Victims are lured into clicking on the link by the email itself, which directs the user to visit a fake website to log into an account.

Vade - phishing email attachment


Attachments are included either to conceal the phishing link from an email filter or to deliver malware/ransomware. Often in the form of a Word document, PDF, or .zip file, the attachment appears to be legitimate business correspondence, such as an invoice. The link might lead to a phishing website or result in an automatic download of malware or ransomware.

Vade - against phishing page

Phishing page

A phishing page is a fraudulent webpage that impersonates a brand. Unsophisticated pages are easy to spot, but advanced phishers use real CSS from brand webpages to make their webpages identical to the real thing. Phishing pages impersonate login pages where victims enter their username and password to access their account. When they do so, their credentials are stolen.

Vade - Phishing examples

Phishing examples

Urgency is at the essence of phishing. Hackers use a variety of scams to create a sense of concern and even fear to motivate users to click on links and divulge credentials and sensitive information.

    • Verify/update account
      This email alerts a user that they must verify their account or their password must be reset, whether as a matter of routine or because of an issue with an account.

    • Update payment alert
      The victim is informed that their current form of payment, typically a credit card, is either not working or must be updated in order to continue receiving a service.

    • Invoice attached
      This attack includes an attachment posing as an invoice or other piece of business correspondence. The attachment might include a link to a phishing page, or the attachment might unleash malware/ransomware when opened.

    • Security alert
      Phony security alerts alert victims that their passwords have been compromised, that there is suspicious activity on an account, or that they recently signed into an account from an unknown device.

  • Social media phishing
    Social media phishing involves stealing account credentials for a social media platform through one of the above schemes. Hackers sometimes steal the victim’s personal information and sell it on the black market. In other cases, the hacker will use the compromised account to conduct attacks on the victim’s friends and followers.

  • Sextortion
    Sextortion scams are designed to trick victims into believing a hacker is in possession of compromising information, such as webcam video of the victim watching online pornography. The victim is instructed to pay the hacker in Bitcoin to avoid the information being leaked to the public and to acquaintances

Free phishing tools

Vade - Phishing threat detection

Phishing threat detection

Try IsItPhishing
Vade - Phishing IQ test

Phishing IQ test

Try IsItPhishing IQ Test

The rise of coporate phishing

Phishing was once considered a consumer problem. But as hackers grew more sophisticated, they began targeting businesses. The growth of cloud computing made businesses an even bigger target, with sensitive files and data suddenly up for grabs. As a result, phishers began impersonating high-profile  that corporations do business with, including cloud services providers and financial institutions.

PF Fav 2022 - Image Pillar page

Phishers’ Favorites Year-in-Review

Phishing is an email scam that impersonates a business to trick recipients into divulging account credentials or clicking on a malware-laden link. In most attacks, it involves luring a victim with a link to a fake website or including an email attachment laced with malware.

Vade for M365

Vade for M365 blocks advanced attacks from the first email thanks to machine learning models that perform real-time behavioral analysis of the entire phishing email, including any URLs and attachments. Leveraging data from more than 1.4 billion inboxes, our AI-based threat detection stops threats before, during, and even after phishing attacks.

Learn more about Vade for M365 ›
Vade - Phishing techniques

Phishing techniques

Most email security filters use signature-based detection methods, including scanning for blacklisted domains and IPs. This makes it impossible for these types of filters to detect unknown attacks or phishing kits that include built-in protections from being identified by URL scanners.

Hackers use a number of techniques to bypass fingerprint and reputation-based filters. With a simple MX record lookup, hackers can see which email security solution is in use and create scripts to bypass MX rules or develop techniques to bypass the solution itself. Below are some of the most common and advanced techniques :

Targeted emails

  • Victims are chosen by their job position, experience level, and other factors that indicate their ability to provide access to sensitive data.
  • Phishers mine social media and past data breaches for information that could assist in personalizing the email and understanding what would motivate a victim to respond to a phishing email.
  • Hackers research the target company to learn which brands they do business with, including their business partners, software providers, and banks or other financial partners.

Brand impersonation

  • Brand logos and images are downloaded from the web and inserted into emails, adding authenticity and authority to the email.
  • CSS and JavaScript are copied from legitimate brand webpages and used to develop phishing pages, making them indecipherable from the real thing.
  • Legitimate reply-to email addresses from the brand are added to emails to convince the user that the email originates from the brand.


  • URLs that lead to fake websites are either inserted into the email or hidden in an attachment, such as a PDF or Word doc, to avoid detection from email filters that cannot parse documents.
  • Legitimate URLs that lead to safe webpages are included in the email, along with the link, to fool email filters that may deem the email safe after scanning a number of legitimate URLs.
  • Time-bombed URLs are URLs that lead to safe, legitimate webpages and are then redirected to phishing pages once the email has been delivered.
  • URL shorteners, such as Bit.ly and TinyURL are used to create aliases of the phishing URL to avoid detection by filters scanning for known phishing links.

Image insertion and distortion

  • Slight changes or distortions to images will change their crypotographic hash or “fingerprint.” This can cause a blacklisted phishing email appear like a new, safe email to a filter.
  • QR codes are often inserted in place of phishing URLs to evade filters that cannot extract QR codes. Typically used in sextortion scams, QR codes direct victims to Bitcoin sites where they can make the extortion payment.
  • Text-based images, such as screenshots of emails, are inserted into the email body in place of text. This avoids content scanning by the email filter, which may deem the email safe if there is no content to scan.
Vade - Phishing prevention

Phishing prevention

With new attacks being launched every day and even sophisticated filters sometimes missing attacks, prevention is an ongoing effort that requires constant diligence and intelligent anti-phishing software with advanced protection :

  • User training

    As attacks become more sophisticated, users must be continually trained in the latest attacks and techniques. In addition to recurring phishing awareness training, contextual training delivered at the moment a user clicks on a malicious email provides instant feedback on the behavior.

    Training content that is personalized for the user based on the brand used in the attack gives the training context, unlike annual trainings that are typically conducted in a group setting and based on generic emails. Ultimately, the training experience will be more significant, and the attack more memorable than the simulations used in simulations.

    Equally important to phishing prevention is encouraging users to report suspicious emails. This gives IT the opportunity to warn the company about incoming attacks and gives the security operations team the opportunity to use the phishing email to strengthen the email filter.

  • Artificial Intelligence

    Unlike fingerprint and reputation-based technology, artificial intelligence identifies unknown attacks by scanning the content, context, and origin of emails. Supervised machine learning algorithms are trained by data scientists to recognize various features of phishing emails. Unsupervised algorithms do not require a trainer but learn over time to recognize anomalies in emails, or suspicious events that differ from the majority of data.

  • Image detection

    Trained to detect images and logos from brands, Computer Vision algorithms can detect slight distortions in images, scan text-based images, and extract QR codes that conceal malicious links. Unlike other machine learning algorithms, Computer Vision algorithms interpret and view images as humans do, recognizing known phishing emails that have been distorted to look like new emails.