Understanding Phishing
Phishing needs no introduction. If you use the internet or a smart device, you’ve seen a phishing attack, whether it was an email, text message, phone call, social media post, or all of the above.
The threat of phishing is as serious as its reputation suggests. Generative AI has raised both the volume and the sophistication of phishing: lures are now fluent, personalized, and produced at a scale that was not practical before.
Social Engineering: How Phishing Weaponizes Trust
We’re inclined to believe what we see, especially if it comes from a reliable source. This means a key part of a successful phishing attack is a convincing lie. That’s social engineering. Attackers may pose as our colleagues, friends, law enforcement, or trusted brands—whatever it takes to convince us to let our guard down. And it works: 90% of cyberattacks involve social engineering.¹
Types of Phishing Attacks
Phishing attacks all have similar goals: trick victims into downloading malware, following malicious links, or divulging privileged information. But phishers can use many approaches and types of media to make their attacks feel more convincing, personal, or urgent. Explore some of the most common types below.
Email phishing is the most traditional form, in which phishers send fraudulent emails urging victims to take action. The barrier to entry is low: email is cheap to send at scale, and the sender fields a user sees (the From display name and address) are written by the sender and can be forged outright unless the receiving mail system checks SPF, DKIM, and DMARC for the claimed domain. The envelope sender (Return-Path) and Reply-To address are set independently of the From header, which is why they so often disagree in a phish.
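As an added example (not code from Zscaler or from this page), the following Python script parses a constructed message with the standard library and applies the header checks a mail gateway or an analyst uses to catch the spoofable fields described above: Return-Path versus From alignment, a Reply-To that redirects replies elsewhere, the receiving server's SPF/DKIM/DMARC verdicts, and a digit-for-letter lookalike of the protected domain. Both messages, every address and domain, and the `example.com` organisation are assumptions made for the example.

```python
"""Header-alignment checks on a suspected phishing email.

Added example, not Zscaler's code: it parses a raw RFC 5322 message with the
Python standard library and runs the sender checks a mail gateway or analyst
applies to the forgeable parts of an email: the From domain, the envelope
sender (Return-Path), Reply-To, and the receiving MTA's SPF/DKIM/DMARC
verdicts. Both messages and all domains below are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed lure: the display name claims the CEO, the From domain swaps a
# digit for a letter, the envelope sender is a third domain, Reply-To points
# elsewhere, and the receiving MTA recorded failing authentication.
SPOOFED_EMAIL = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=examp1e.com
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: <jane.doe.ceo@webmail.example.org>
To: accounts@example.com
Subject: URGENT wire transfer before 5pm

Please process the attached invoice today.
"""

# Constructed legitimate message from the same organisation, for comparison.
CLEAN_EMAIL = b"""Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Invoice for March

Attached as discussed.
"""

# Digit-for-letter substitutions commonly used in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(header_value):
    """Lowercase domain of the address in a header value, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(header_value):
    """Map spf/dkim/dmarc -> verdict from an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "", re.I)
    return {method.lower(): verdict.lower() for method, verdict in pairs}


def is_lookalike(domain, target):
    """True if domain equals target only after undoing confusable substitutions."""
    return domain != target and domain.translate(CONFUSABLES) == target.translate(CONFUSABLES)


def analyze(raw_message, our_domain="example.com"):
    """Return a list of finding codes; an empty list means no header red flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []

    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    reply_to_domain = domain_of(msg["Reply-To"])

    # Envelope sender and header From are chosen independently by the sender;
    # a mismatch is normal for mailing lists but suspicious for a "colleague".
    if return_path_domain and return_path_domain != from_domain:
        findings.append("return_path_mismatch")
    # Replies silently redirected to a mailbox the attacker controls.
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append("reply_to_mismatch")
    # Only the receiving MTA's own Authentication-Results header can be
    # trusted; anything the sender added upstream can itself be forged.
    for method, verdict in auth_results(msg["Authentication-Results"]).items():
        if verdict != "pass":
            findings.append(f"{method}_{verdict}")
    # Typosquat of the protected domain (examp1e.com standing in for example.com).
    if is_lookalike(from_domain, our_domain):
        findings.append("lookalike_domain")
    return findings


if __name__ == "__main__":
    print("spoofed:", analyze(SPOOFED_EMAIL))
    print("clean:  ", analyze(CLEAN_EMAIL))
```

In production the Authentication-Results header should additionally be checked for the authserv-id of your own mail server (here `mx.example.com`) before its verdicts are trusted, since a sender can inject a header with the same name.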
Vishing (voice phishing) is conducted over the phone or VoIP. As a direct, real-time interaction, vishing plays strongly on our sense of urgency and our social instincts. Sophisticated vishing attacks today often combine caller ID spoofing with voice deepfakes of a known executive or colleague.
Smishing (SMS phishing) is done through text messages or social media DMs. Although similar to email phishing, smishing can be highly effective because text messages feel personal, most people read them before deleting them, and shortened links on a small screen hide the true destination while bypassing the filtering applied to corporate email.
Spear phishing is a highly targeted attack on a small group of victims, or even a single victim. Not specific to any one medium, spear phishing is personalized, using specific details related to the victim(s) to make its fraudulent requests more credible and deceptive.
Man-in-the-middle (MiTM) phishing, also called adversary-in-the-middle, is an advanced attack in which the phishing site acts as a live relay between the victim and the real login page, passing messages through in real time. Because the genuine service completes the login, the attacker captures not only the password but also the resulting session cookie or token, which defeats one-time-code MFA. Phishing-resistant authenticators such as FIDO2/WebAuthn, which bind the credential to the legitimate origin, are the main countermeasure.
Phishing Techniques and Tactics
Phishing attackers will use any means at their disposal—exploiting their victims’ trust, fear, or simple carelessness—to encourage action.
Today, attackers have more options available to them than ever.

Quishing (QR code phishing)
Uses malicious QR codes in place of standard hyperlinks. A QR code is functionally just an encoded URL, but the victim cannot read the destination before scanning it, the scan usually happens on a personal phone outside corporate email filtering, and the image carries no text link for a scanner to inspect.

Business email compromise (BEC)
Uses compromised or spoofed email accounts of victims' colleagues or leadership to request sensitive information, wire transfers, or privileged access. BEC messages often carry no link or attachment at all, so payload-based filters have nothing to detect; the tell is the unusual request itself combined with mismatched sender details.

LLM-assisted phishing
Uses GenAI models such as ChatGPT to write fluent, context-aware lures in any language, removing the spelling and grammar mistakes users were trained to spot and letting phishers target speakers of other languages at scale.

The median time to a successful phish is just 49 seconds.² With the global average cost of a data breach nearing US$5 million,³ the best way to fight phishing is to prevent it.
Detection and Prevention Strategies
Zscaler provides a suite of solutions to prevent successful phishing at every stage of an attack.
Zscaler Internet Access™ helps identify and stop malicious activity by routing and inspecting all internet traffic through a cloud-native, proxy-based zero trust platform, blocking:
- Malicious and risky URLs and IPs, including policy-defined, high-risk URL categories commonly used for phishing
- Traffic matching IPS signatures developed from Zscaler ThreatLabz analysis of phishing kits and pages
- Novel phishing sites identified by AI/ML-powered content scans
Advanced Threat Protection blocks all known command-and-control (C2) domains to prevent malware from communicating with or exfiltrating data to bad actors.
Zero Trust Firewall extends C2 protection to all ports and protocols, including emerging C2 destinations.
Zscaler ITDR (identity threat detection and response) reduces the risk of identity-based attacks through continuous visibility, risk monitoring, and threat detection.
Zero Trust Browser streams malicious or risky content to users as pixels for a near-native experience that eliminates data leaks and prevents delivery of active threats.
Cloud Sandbox prevents unknown malware delivered in second-stage payloads.
DNS Security defends against DNS-based attacks and exfiltration attempts.
Zscaler Private Access™ limits lateral movement by enforcing least-privileged access, user-to-app segmentation, and full inline inspection of private app traffic.
AppProtection inspects entire application payloads to expose threats.
Tools
Understand gaps in your security that could be leaving you exposed to phishing, botnets, drive-by downloads, and more with an Internet Threat Exposure Analysis.
Tens of thousands of new phishing sites appear every day. Analyze any URL to confirm it's safe in just a few seconds.
1. Gen Digital, Q2 2024 Cybersecurity Trends.
2. Verizon, 2024 Data Breach Investigations Report.
3. IBM, Cost of a Data Breach Report 2024.