Anatomy of the scam

Phishing is the most common cybercrime pattern by volume. The attacker sends an email, text, or DM that looks like it is from a service you use (bank, email provider, Microsoft, Google, Apple, Amazon, Netflix). It contains a link to a fake login page. You enter your credentials. The attacker now has your password, and increasingly your MFA code and the resulting session cookie as well, harvested in real time by reverse-proxy (adversary-in-the-middle) phishing kits that sit between you and the real site.

Once in, the attacker exports your contacts, sets up email forwarding rules to monitor replies, resets passwords on linked services (banks, exchanges, cloud storage), and often pivots to business email compromise (BEC) against your colleagues. A single phished email account can produce months of damage.

Phishing also evolves: spear phishing targets specific individuals with personalized lures; whaling targets executives; smishing is SMS-based; vishing is voice-based; quishing uses QR codes.

Common pretexts

  • Bank login alert. "Suspicious activity detected. Verify your identity."
  • Email account verification. "Your Outlook / Gmail / iCloud password expires tomorrow."
  • Microsoft 365 mailbox-full notice. "Mailbox at 95% capacity. Click to clean up."
  • DocuSign / Adobe Sign request. "Document awaiting your signature."
  • Shipping notification. "Your USPS / UPS / FedEx package has a delivery problem."
  • Tax / payroll notice. "Your W-2 is ready" / "Direct deposit needs to be re-verified."
  • HR / 401(k) review. Spear-phishing variant for corporate targets.
  • Voicemail transcription email. "You have a new voicemail — click to listen."

Red flags

  • The sender domain is not the company's real domain (lookalike, free email, slight misspell).
  • The URL revealed by hovering (or long-pressing on mobile) points to a different domain from the one shown in the link text.
  • Urgency: "expires in 24 hours," "your account will be locked."
  • Generic greeting ("Dear customer") rather than your name — or oddly personalized for a service that should know more.
  • The email asks you to "verify" credentials, account details, or 2FA codes.
  • The page after the link looks correct but the URL bar shows an unrelated domain.
  • Attachments you didn't expect, especially .htm, .html, .zip, .iso, or .lnk files.
  • QR code lures — "scan to verify" via QR pushes the URL to your phone, where you're less likely to inspect it.
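The domain and link checks in the list above, as an added worked example that is not part of the original page: a small Python scanner that parses a message and emits one line per red flag it finds. It covers the sender-domain mismatch, link text that names one domain while the href points to another, a punycode host, urgency phrasing, and risky attachment types; the same registrable-domain comparison is what a password manager performs before it auto-fills. The message, domains, brand list and phrase list are constructed for the demo, and the eTLD+1 helper is a two-label approximation rather than a Public Suffix List lookup.

```python
import re
from email.message import EmailMessage, Message
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Brands the reader has accounts with, and the registrable domains each really
# sends from. An assumption for this example; extend it for your own environment.
EXPECTED_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "google": {"google.com", "gmail.com"},
}
URGENCY = re.compile(
    r"\b(24 hours|immediately|will be (locked|suspended|closed)|expires? (today|tomorrow))\b", re.I)
RISKY_EXT = (".htm", ".html", ".zip", ".iso", ".lnk")
# Link text that itself looks like a URL or bare domain, e.g. "https://login.microsoft.com/verify"
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for .com-style TLDs; a real
    implementation should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href: Optional[str] = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan(msg: Message) -> list:
    """Return one line per red flag found in a parsed message."""
    flags = []
    from_hdr, subject = msg.get("From", ""), msg.get("Subject", "")
    sender_domain = registrable_domain(parseaddr(from_hdr)[1].rsplit("@", 1)[-1])
    # Which brand is the message claiming to be? Display name and subject say.
    claimed = [b for b in EXPECTED_DOMAINS if b in (from_hdr + " " + subject).lower()]
    for brand in claimed:
        if sender_domain not in EXPECTED_DOMAINS[brand]:
            flags.append(f"sender domain {sender_domain} is not a {brand} domain")

    html, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")

    extractor = LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.match(text)
        # Visible text names one domain while the real target is another.
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            flags.append(f"link text shows {shown.group(1).lower()} but points to {host}")
        if "xn--" in host:
            flags.append(f"punycode (IDN) host {host}, possible homoglyph lookalike")
        for brand in claimed:
            if registrable_domain(host) not in EXPECTED_DOMAINS[brand]:
                flags.append(f"link to {host} is not a {brand} domain")

    if URGENCY.search(subject + " " + re.sub(r"<[^>]+>", " ", html)):
        flags.append("urgency language in subject or body")
    for name in attachments:
        if name.lower().endswith(RISKY_EXT):
            flags.append(f"risky attachment type: {name}")
    return flags


# Constructed lure for the demo; every name and domain here is invented.
LURE_HTML = """<html><body>
<p>Your account will be locked in 24 hours unless you verify it.</p>
<p><a href="https://login.microsoft.com.account-check.example/verify">https://login.microsoft.com/verify</a></p>
<p><a href="https://xn--micrsoft-1db.com/help">Help</a></p>
</body></html>"""


def build_sample() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "Microsoft 365 Support <no-reply@m365-notices.example>"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Your Microsoft 365 password expires tomorrow"
    msg.set_content("Open this message in an HTML-capable client.")
    msg.add_alternative(LURE_HTML, subtype="html")
    msg.add_attachment("<script>/* credential harvester */</script>", subtype="html", filename="Invoice.html")
    return msg


if __name__ == "__main__":
    for flag in scan(build_sample()):
        print("FLAG:", flag)
```

Run it and the constructed lure produces seven flags: the off-brand sender domain, the link whose text and target disagree, two links to non-Microsoft hosts, the punycode host, urgency wording, and the HTML attachment. A genuine notice from a domain in the allow-list with matching link text produces none, which is the point: the checks are cheap and mechanical, and a mail client or gateway can run them before the reader ever hovers.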

Variants by channel

  • Email phishing. Highest volume. Mass and targeted.
  • Spear phishing. Targeted at one person with personalized content. Often the precursor to BEC.
  • Smishing. SMS text. Often pretends to be your bank, USPS, or a 2FA code request.
  • Vishing. Voice. The "Microsoft support" or "bank fraud department" caller.
  • Quishing. QR-code phishing. The QR sends you to a phishing site on your phone.
  • Calendar phishing. Malicious meeting invites that include phishing links.
  • Search-ad phishing. Attacker buys Google ads for "[bank] login" or "Coinbase support" and ranks above the real result.
  • OAuth consent phishing. Instead of stealing your password, tricks you into authorizing a malicious app on your real account.

How to defend

  1. Use a password manager. A password manager only auto-fills on the exact domain a credential was saved for, so a lookalike domain gets nothing. That is a free, passive defense, and a missing auto-fill prompt is itself a warning sign.
  2. Move to phishing-resistant MFA. Passkeys and hardware security keys (YubiKey, Google Titan) sign a challenge that is bound to the site's origin, so a phishing kit relaying traffic from a lookalike domain cannot produce a valid login. SMS codes, authenticator-app (TOTP) codes, and push approvals carry no such binding and can be relayed.
  3. Don't click links in unexpected emails. Open the service directly in your browser by typing the URL or using your bookmark.
  4. Hover-then-look before clicking. On mobile, long-press to preview the URL.
  5. Treat urgency as a flag. Real services give you reasonable timelines.
  6. For QR codes, treat them like links — preview the destination before opening if your phone supports it.
  7. Report phishing internally when it happens at work — your security team can block the domain enterprise-wide.

If you clicked and entered credentials

  • Change the password immediately, from a different device.
  • Enable phishing-resistant MFA if you haven't.
  • Sign out of all sessions on the affected service.
  • Check email forwarding rules and remove any unfamiliar ones.
  • Check connected apps / OAuth grants and revoke unknown ones.
  • Review recent account activity for password resets, mail rules, or actions you didn't take.
  • Change passwords on any other accounts sharing that password.
  • If financial accounts are involved: notify the bank and place credit freezes.
  • If a work account is involved: notify your security team immediately. The damage scope is usually larger than it appears.
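The forwarding-rule and OAuth-grant checks in the list above, as an added example that is not from the original page. It takes a list of inbox rules and a list of consented apps in a simplified shape of this example's own design (not the output format of any vendor tool) and returns what to remove or question. The rule heuristics (external forward or redirect; delete, mark-read or park-in-an-unread-folder combined with sensitive keywords; a blank or punctuation-only rule name) and the grant heuristics (untrusted app holding mail-writing or offline scopes, consent within the last 30 days) are the usual post-phishing findings; the internal-domain list, trusted-app list, and the sample rules and grants are constructed.

```python
from datetime import datetime, timedelta, timezone

OUR_DOMAINS = {"example.org"}  # mail domains that count as internal (assumed)
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "deleted items", "junk email", "archive"}
SENSITIVE = {"password", "invoice", "wire", "bank", "payment", "security",
             "verify", "code", "phish", "hacked", "suspicious"}
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.ReadWrite.All", "offline_access"}
TRUSTED_APPS = {"Microsoft Teams", "Outlook Mobile"}  # organisation allow-list (assumed)


def triage_rules(rules):
    """Return (rule name, reasons) for every inbox rule worth removing or questioning."""
    findings = []
    for r in rules:
        reasons = []
        targets = r.get("forward_to", []) + r.get("redirect_to", [])
        external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in OUR_DOMAINS]
        if external:
            reasons.append("forwards/redirects to external " + ", ".join(external))
        # Attackers hide the evidence: delete, mark read, or park mail in a folder nobody opens.
        hides = bool(r.get("delete") or r.get("mark_read")
                     or (r.get("move_to") or "").lower() in HIDE_FOLDERS)
        words = {w.lower() for w in r.get("subject_contains", []) + r.get("body_contains", [])}
        if hides and words & SENSITIVE:
            reasons.append("hides mail mentioning " + ", ".join(sorted(words & SENSITIVE)))
        if not r.get("name", "").strip(" .,_-"):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append((r.get("name", ""), reasons))
    return findings


def triage_grants(grants, now):
    """Return (app name, reasons) for OAuth grants to revoke or review."""
    findings = []
    for g in grants:
        reasons = []
        risky = set(g["scopes"]) & HIGH_RISK_SCOPES
        if g["app"] not in TRUSTED_APPS and risky:
            reasons.append("untrusted app holds " + ", ".join(sorted(risky)))
        age = now - datetime.fromisoformat(g["consented"])
        if age <= timedelta(days=30):
            reasons.append(f"consented {age.days} days ago")
        if reasons:
            findings.append((g["app"], reasons))
    return findings


# Constructed exports for the demo. The field names are this example's own simplified
# shape, not the exact output of any vendor tool.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RULES = [
    {"name": "..", "subject_contains": ["password", "invoice"], "move_to": "RSS Feeds", "mark_read": True},
    {"name": "Newsletters", "from_contains": ["news@vendor.example"], "move_to": "Newsletters"},
    {"name": "Backup", "forward_to": ["alice.backup@freemail.example"]},
]
SAMPLE_GRANTS = [
    {"app": "Microsoft Teams", "scopes": ["User.Read", "Chat.ReadWrite"],
     "consented": "2023-01-10T09:00:00+00:00"},
    {"app": "Mail Sync Helper", "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access"],
     "consented": "2024-05-29T14:32:00+00:00"},
]

if __name__ == "__main__":
    for name, why in triage_rules(SAMPLE_RULES):
        print(f"RULE {name!r}: " + "; ".join(why))
    for app, why in triage_grants(SAMPLE_GRANTS, NOW):
        print(f"GRANT {app!r}: " + "; ".join(why))
```

On the constructed data the ".." rule (hide password and invoice mail in RSS Feeds, mark read) and the "Backup" rule (forward to an external mailbox) are flagged while the Newsletters rule is not; among the grants, only "Mail Sync Helper" is flagged, both for its scopes and for being consented two days before the review. The recency test deliberately fires for any app, trusted or not, because after a phishing incident every grant inside the window deserves a look.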

What not to do

  • Do not reuse passwords across services. Reuse is the most common cause of follow-on damage.
  • Do not enter credentials on a page you reached via a link in an email or text.
  • Do not assume "the page looks identical" means it's real. Phishing kits render pixel-perfect clones.
  • Do not ignore the breach because "I changed the password fast." The attacker may already have set up forwarding rules.

Where to report

  • FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
  • FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
  • CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
  • IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
  • Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.

FAQ

The phishing email has my real password from years ago. Doesn't that prove it's legitimate? No — it proves your password leaked in a previous breach. Visit haveibeenpwned.com to see which breaches you appeared in. The phisher is using known data to add credibility.

My password manager wouldn't autofill on the phishing page. Is that a warning sign? Yes. The password manager only autofills on the domain the credential was saved for. If autofill is missing where you expect it, treat it as a sign that the domain does not match the real site.

What's "OAuth consent phishing"? Instead of stealing your password, the attacker tricks you into clicking "Allow" on a permission dialog for an app you don't recognize. They get an OAuth token that grants them access to your Gmail / Microsoft 365 — even after you change your password. Review OAuth grants regularly.

Can the attacker bypass MFA? SMS, authenticator-app (TOTP) and push MFA can be bypassed by real-time reverse-proxy phishing kits (Evilginx, Modlishka) that relay the code or approval to the real site while you are still on the fake one. Passkeys and hardware keys cannot be bypassed this way, because the response is bound to the site's origin. If you only do one security upgrade this year, make it passkeys for your most important accounts.
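Why a relayed passkey fails where a relayed TOTP code succeeds, as an added example that is not part of the original page. It models the three parties of a WebAuthn login (authenticator, browser, relying party) plus a reverse-proxy kit at a lookalike domain, and the corresponding TOTP flow. The authenticator's signature is stood in for by an HMAC over a per-credential secret (real devices use a private key, which does not change the origin check); the TOTP side is a real RFC 6238 computation; all domains, secrets and names are constructed.

```python
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time step, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Authenticator:
    """Passkey/security key stand-in. The real device signs with a private key;
    here an HMAC over a per-credential secret plays that role (assumption)."""

    def __init__(self, cred_secret: bytes) -> None:
        self.cred_secret = cred_secret

    def get_assertion(self, rp_id: str, origin: str, challenge: str):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        # authenticatorData: SHA-256(rpId) || flags (user present) || 4-byte counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        sig = hmac.new(self.cred_secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return client_data, auth_data, sig


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, auth: Authenticator):
    """What navigator.credentials.get() does that the page cannot override: it refuses an
    rpId that is not a registrable suffix of the page's host, and it writes the page's own
    origin into clientDataJSON."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"browser refuses rpId {rp_id} for origin {page_origin}")
    return auth.get_assertion(rp_id, page_origin, challenge)


class RelyingParty:
    def __init__(self, rp_id: str, origin: str, cred_secret: bytes, totp_secret: bytes) -> None:
        self.rp_id, self.origin = rp_id, origin
        self.cred_secret, self.totp_secret = cred_secret, totp_secret
        self._pending = set()

    def issue_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify_assertion(self, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != challenge or challenge not in self._pending:
            return False, "unknown or reused challenge"
        self._pending.discard(challenge)  # single use, whatever happens next
        if cd.get("origin") != self.origin:  # the check a reverse proxy cannot get past
            return False, f"origin mismatch: {cd.get('origin')}"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.cred_secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        return True, "ok"

    def verify_totp(self, code: str, unix_time: int) -> bool:
        # Usual one-step clock-skew window; nothing here ties the code to a site.
        return any(hmac.compare_digest(code, totp(self.totp_secret, unix_time + d)) for d in (-30, 0, 30))


# Constructed secrets and names for the demo.
CRED_SECRET, TOTP_SECRET = b"stand-in for the passkey private key", b"shared TOTP seed"
AUTH = Authenticator(CRED_SECRET)
RP = RelyingParty("bank.example", "https://bank.example", CRED_SECRET, TOTP_SECRET)
PROXY_ORIGIN = "https://bank-example-login.evil.example"  # the phishing kit's clone


def legit_passkey_login():
    challenge = RP.issue_challenge()
    return RP.verify_assertion(challenge, *browser_get_assertion(RP.origin, RP.rp_id, challenge, AUTH))


def relayed_passkey_login():
    """The proxy fetches the bank's real challenge and serves it from its clone."""
    challenge = RP.issue_challenge()
    try:
        browser_get_assertion(PROXY_ORIGIN, RP.rp_id, challenge, AUTH)
    except PermissionError:
        pass  # first wall: the browser will not ask the authenticator for bank.example here
    # Second wall: even an assertion made for the proxy's own rpId carries the proxy's origin.
    return RP.verify_assertion(challenge, *browser_get_assertion(PROXY_ORIGIN, "evil.example", challenge, AUTH))


def relayed_totp_login(now: int = 1_700_000_000) -> bool:
    code = totp(TOTP_SECRET, now)          # victim reads the code from their app, types it into the clone
    return RP.verify_totp(code, now + 5)   # proxy submits it to the bank seconds later: accepted
```

The legitimate login verifies; the relayed passkey attempt is rejected at the origin check even though it carries the bank's genuine, unexpired challenge; the relayed TOTP code is accepted because a six-digit code contains nothing that says where it was typed. That asymmetry, not the strength of the second factor, is what "phishing-resistant" means.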