
The phishing glossary: every term, in plain language

AiTM, BitB, quishing, ClickFix, BEC, zero-day — 34 phishing and scam terms defined in under 80 words each, with linkable anchors for every entry.

Reference · 12 min read · By SafeToOpen Research · July 2026

Security writing is full of jargon that assumes you already know the jargon. This glossary defines the terms you’ll actually meet — in news coverage, in vendor claims, and in our own guides — in plain language, each in under 80 words. Every entry is linkable: use the anchor links to cite a definition directly.

Last reviewed: July 2026. New techniques get names fast; we add them as they earn one.

A

Adversary-in-the-middle (AiTM)

A phishing technique where the fake site sits between the victim and the real one, relaying the genuine login — including the MFA prompt — in real time. The kit captures the authenticated session token at the end, so the attacker logs in as the victim, MFA and all.

B

Blocklist

A list of web addresses or senders already identified as malicious, used by browsers, filters and DNS tools to block known threats. Structurally reactive: a page created an hour ago is on nobody's blocklist yet.

Brand impersonation

Any attack that borrows a trusted brand's identity — its logo, layout, domain lookalikes or email style — to trick that brand's customers or staff. The brand's systems aren't breached; its reputation is used as the weapon.

Browser-in-the-browser (BitB)

An attack that draws a fake browser pop-up window, address bar included, inside a normal web page using ordinary HTML and CSS. The 'trusted' URL the victim checks is page content, not a real address bar, defeating the standard advice to verify the address bar. One tell: a genuine pop-up can be dragged outside the parent tab; a BitB window cannot.

Business email compromise (BEC)

A targeted scam in which an attacker poses as an executive, employee or supplier — often from a compromised or lookalike account — to trick staff into transferring money or changing payment details. Usually contains no malware or malicious link at all, which is why filters miss it.

C

CEO fraud

A form of BEC where the attacker impersonates a senior executive, typically emailing finance staff with an urgent, confidential payment request. Relies on authority and time pressure rather than technology.

ClickFix

A social-engineering technique using a fake verification page ('prove you're human') that instructs the victim to copy a command and paste it into their own computer, typically the Windows Run dialog, a terminal or PowerShell. The pasted command downloads and runs malware: the victim performs the infection themselves, so no attachment is ever scanned.

Clone phishing

Re-sending a legitimate email the victim has already received, with the original link or attachment swapped for a malicious one — often framed as a 'resend' or 'updated version'.

Credential harvesting

Collecting usernames and passwords at scale, most commonly through fake login pages. Harvested credentials are used directly, sold on, or tested against other services the victim uses (credential stuffing).

D

Deepfake

AI-generated audio, image or video that convincingly imitates a real person. Increasingly used to add a 'voice confirmation' or video call on top of a phishing email, defeating verify-by-phone habits.

DKIM (DomainKeys Identified Mail)

An email authentication standard that cryptographically signs outgoing mail so receivers can verify that the signed headers and body weren't altered in transit and that the signing domain (the d= tag) vouches for the message. It does not by itself prove the visible From address is genuine; checking that the signing domain matches the From domain is DMARC's job. One of the three checks (with SPF and DMARC) behind sender verification.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

A policy layer on top of SPF and DKIM that requires at least one of them to pass for a domain aligned with the visible From address, tells receiving mail servers what to do with messages that fail (none, quarantine or reject), and reports results back to the domain owner. A DMARC failure on a brand's exact domain is a strong phishing signal; a lookalike domain with its own valid DMARC record passes cleanly.

Domain spoofing

Forging or imitating a domain to make a message or site appear to come from a trusted source — via lookalike registrations, subdomain tricks, or forged headers where authentication is weak.

Drive-by download

A download that starts without the victim knowingly requesting it, triggered by visiting a compromised or malicious page. Modern browsers block most, which is why attackers now prefer tricking users into acting.

H

Homoglyph / lookalike domain

A domain built from characters that resemble another's — 'rn' for 'm', Cyrillic 'а' for Latin 'a' — or that embeds a brand name in a subdomain. Often visually indistinguishable from the real address.

M

Malvertising

Malicious advertising: attackers buy legitimate ad space to deliver scam pages or malware, including fake brand ads placed above the real result in search engines.

MFA fatigue (push bombing)

Flooding a victim with authentication push notifications until they approve one out of annoyance or confusion. The attacker already holds the password; beating the second factor takes persistence rather than technology, which is why number-matching prompts replaced plain approve/deny buttons.

Multi-factor authentication (MFA)

Requiring a second proof of identity (a code, a push approval, a hardware key) beyond the password. Blocks most password attacks, but modern AiTM phishing kits relay codes and push prompts and capture the session after MFA succeeds. Phishing-resistant MFA (FIDO2 security keys and passkeys) holds up because the credential is bound to the real site's origin, so a proxy on a lookalike domain cannot use it.
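Why origin binding is what separates phishing-resistant MFA from a relayed one-time code, shown as an added example rather than code from this page or from any vendor: a stripped-down model of a WebAuthn (passkey) assertion. The two origins, the credential secret and the HMAC standing in for a real asymmetric signature are assumptions made for the example; a real verifier also checks the RP ID hash, the flags byte and the signature counter.

```python
"""Simplified WebAuthn origin binding versus an AiTM relay (added example).

Assumptions (not from the page): the authenticator "signs" with HMAC over a
per-credential secret shared with the relying party, standing in for the real
private/public key pair; origins and secret are constructed for the demo.
"""
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://login.example.com"        # assumed real site
AITM_ORIGIN = "https://login.example-com.net"  # assumed lookalike proxy
CREDENTIAL_SECRET = b"\x01" * 32               # stands in for the private key


def authenticator_sign(challenge: bytes, origin: str) -> dict:
    """What the browser and authenticator produce for the page's origin.

    The browser, not the page, fills in `origin`: a page served through an
    AiTM proxy gets the proxy's origin baked into clientDataJSON.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    # rpIdHash (32) + flags (1, user present) + counter (4); values simplified
    authenticator_data = (
        hashlib.sha256(b"rp-id-placeholder").digest() + b"\x01" + (0).to_bytes(4, "big")
    )
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data,
            "signature": signature}


def rp_verify(assertion: dict, expected_challenge: bytes, expected_origin: str) -> bool:
    """Relying-party checks: type, origin and challenge, then the signature."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != expected_origin:
        return False  # the check an AiTM proxy cannot satisfy
    if client_data.get("challenge") != expected_challenge.hex():
        return False  # replayed or stale assertion
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def direct_login() -> bool:
    """Victim uses the real site: browser origin equals the RP origin."""
    challenge = os.urandom(32)
    return rp_verify(authenticator_sign(challenge, RP_ORIGIN), challenge, RP_ORIGIN)


def aitm_login() -> bool:
    """Victim uses the proxy, which relays the RP's challenge verbatim.

    The challenge is right and the signature is genuine, but the browser
    stamped the proxy's origin into clientDataJSON, so the RP rejects it.
    """
    challenge = os.urandom(32)  # issued by the RP, forwarded unchanged by the proxy
    return rp_verify(authenticator_sign(challenge, AITM_ORIGIN), challenge, RP_ORIGIN)


if __name__ == "__main__":
    print("direct login accepted:", direct_login())      # True
    print("AiTM-relayed login accepted:", aitm_login())  # False
```

A relayed TOTP code or push approval carries no origin, which is why the same proxy beats those factors: the relying party has nothing to compare against.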

P

Pharming

Redirecting victims from a legitimate address to a fake site by tampering with DNS or the victim's device, so even a correctly typed address lands on the attacker's page.

Phishing

The umbrella term: tricking someone into revealing credentials, data or money by impersonating a trusted party — via email, text, phone, QR code or fake website. Named for 'fishing' with bait; the 'ph' comes from early hacker jargon.

Phishing kit / Phishing-as-a-Service (PhaaS)

A ready-made package — fake pages, hosting scripts, evasion tools, often AiTM MFA bypass — sold or rented (typically around US$120) so non-technical criminals can run professional campaigns.

Pig butchering

A long-con investment scam: the attacker builds trust over weeks (the 'fattening'), then steers the victim into a fake investment platform and takes everything. Frequently begins with a 'wrong number' text.

Pretexting

Building a believable scenario ('I'm from IT', 'your CEO needs this before the board call') to justify an unusual request. The narrative backbone of BEC and vishing.

Q

Quishing

Phishing delivered by QR code, usually in an email attachment, invoice or poster. Many email filters don't decode the code's destination, so a URL that would be caught as text slips through as an image, and scanning moves the attack to a phone, where URLs are harder to inspect.

S

Session hijacking

Stealing the small file a site issues after successful login, the session cookie or token, so the attacker can resume the victim's authenticated session without ever knowing the password or passing MFA themselves.

Smishing

Phishing by SMS text message: fake delivery notices, bank alerts, toll fees, 'wrong number' openers. Effective because texts feel personal, arrive on a trusted device, and hide the usual warning signs.

Social engineering

Manipulating people, rather than software, into breaking security — through urgency, authority, fear or helpfulness. Phishing is social engineering's highest-volume form.

SPF (Sender Policy Framework)

An email standard that publishes in DNS which servers are allowed to send mail for a domain. An SPF failure means the message came from somewhere the domain owner never authorised. Caveats: SPF checks the envelope sender (Return-Path), not the visible From address, so a pass proves less than it seems, and legitimate forwarding breaks it; DMARC adds the missing alignment check.
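How the three checks combine, as an added example covering the DKIM, DMARC and SPF entries (not code from this page): the DMARC pass/fail logic from RFC 7489, which accepts a message only when SPF or DKIM passes for a domain aligned with the visible From. The authentication results, DMARC records and addresses are constructed for the example; the organizational-domain rule (last two labels) is a stand-in for the Public Suffix List that real evaluators consult.

```python
"""DMARC alignment evaluation over SPF and DKIM results (added example).

Assumptions (not from the page): DMARC records come from a constructed dict
instead of a DNS TXT lookup, and the organizational domain is approximated
as the last two labels rather than derived from the Public Suffix List.
"""
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass
class AuthResults:
    from_header: str    # RFC5322.From as shown to the user
    spf_result: str     # "pass" / "fail" / "softfail" / "none"
    envelope_from: str  # RFC5321.MailFrom (Return-Path) that SPF was evaluated on
    dkim_result: str    # "pass" / "fail" / "none"
    dkim_domain: str    # d= tag of the verified DKIM signature, or ""


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (assumption, no PSL)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ("s") alignment needs an exact match; relaxed ("r") the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(r: AuthResults, records: dict) -> dict:
    """Apply the From domain's DMARC record to SPF/DKIM results."""
    from_domain = parseaddr(r.from_header)[1].rsplit("@", 1)[-1].lower()
    env_addr = parseaddr(r.envelope_from)[1]
    spf_domain = env_addr.rsplit("@", 1)[-1].lower() if env_addr else ""
    record = records.get(org_domain(from_domain))
    if record is None:  # no DMARC at all: nothing to enforce, which is itself a finding
        return {"from_domain": from_domain, "record_found": False, "spf_aligned": False,
                "dkim_aligned": False, "dmarc": "none", "disposition": "none"}
    spf_aligned = r.spf_result == "pass" and aligned(spf_domain, from_domain, record.get("aspf", "r"))
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, from_domain, record.get("adkim", "r"))
    dmarc_pass = spf_aligned or dkim_aligned
    return {"from_domain": from_domain, "record_found": True, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc": "pass" if dmarc_pass else "fail",
            "disposition": "none" if dmarc_pass else record.get("p", "none")}


# Constructed records: the brand enforces reject; the lookalike registered its own.
RECORDS = {
    "example.com": {"p": "reject", "aspf": "r", "adkim": "r"},
    "example-secure.com": {"p": "none"},
}

# Constructed authentication results for four messages.
CASES = {
    "legitimate": AuthResults("Example <noreply@example.com>", "pass",
                              "bounce@mail.example.com", "pass", "example.com"),
    "spoofed_from_bulk_sender": AuthResults("Example <security@example.com>", "pass",
                                            "x@bulkmailer.test", "pass", "bulkmailer.test"),
    "forwarded_legit": AuthResults("Example <noreply@example.com>", "fail",
                                   "bounce@mail.example.com", "pass", "example.com"),
    "lookalike_domain": AuthResults("Example <security@example-secure.com>", "pass",
                                    "x@example-secure.com", "pass", "example-secure.com"),
}


def run_cases() -> dict:
    return {name: evaluate_dmarc(r, RECORDS) for name, r in CASES.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:26s} dmarc={result['dmarc']:4s} disposition={result['disposition']}")
```

The second case is the one the SPF caveat describes: SPF passes for the attacker's own bounce domain, DKIM passes for the attacker's own signature, and DMARC still fails because neither is aligned with example.com. The last case is the limit of all three checks: the lookalike domain authenticates perfectly as itself.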

Spear phishing

Phishing aimed at a specific person or small group, using researched details — names, projects, suppliers — to make the lure credible. Lower volume, far higher success rate than mass phishing.

T

Typosquatting

Registering misspellings and near-misses of popular domains to catch mistyped visits or to serve as convincing phishing addresses.
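The checks behind the Homoglyph / lookalike domain and Typosquatting entries, as one added example (not code from this page): confusable-character folding, punycode decoding, brand names embedded in other domains' labels, and one-edit misspellings, run against a short brand list. The brand list, the confusables subset and the last-two-labels rule for the registered domain are all constructed for the example; a real checker would use the full Unicode TR39 confusables data and the Public Suffix List.

```python
"""Lookalike and typosquat detection for a small brand list (added example).

Assumptions (not from the page): BRANDS and CONFUSABLES are constructed
subsets, and the registered domain is taken as the last two labels.
"""
import unicodedata

BRANDS = {"paypal.com", "microsoft.com", "example.com"}  # constructed

CONFUSABLES = {  # constructed subset of Unicode TR39 confusables
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
    "0": "o", "1": "l", "vv": "w", "rn": "m", "cl": "d",
}


def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) so a lookalike shows its real characters."""
    try:
        return domain.encode("ascii").decode("idna") if domain.isascii() else domain
    except UnicodeError:
        return domain


def skeleton(domain: str) -> str:
    """Fold confusables to ASCII; longer sequences ('rn') are replaced first."""
    s = unicodedata.normalize("NFKC", to_unicode(domain)).lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def registered(domain: str) -> str:
    """Registered domain approximated as the last two labels (assumption)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> dict:
    """Verdict for one domain: brand, lookalike (with the trick used) or unrelated."""
    d = to_unicode(domain).lower().rstrip(".")
    reg = registered(d)
    if reg in BRANDS:  # real brand, including its own subdomains
        return {"domain": domain, "verdict": "brand", "brand": reg,
                "reason": "registered domain is the brand"}
    reg_skeleton = skeleton(reg)
    labels = d.replace("-", ".").split(".")  # "paypal.com.secure-login.net" -> paypal, com, ...
    for brand in sorted(BRANDS):
        name = brand.split(".")[0]
        if reg_skeleton == skeleton(brand):
            reason = "homoglyph or confusable characters"
        elif name in labels:
            reason = "brand name embedded in another domain's labels"
        elif levenshtein(reg.split(".")[0], name) == 1:
            reason = "one-edit typosquat of the brand name"
        else:
            continue
        return {"domain": domain, "verdict": "lookalike", "brand": brand, "reason": reason}
    return {"domain": domain, "verdict": "unrelated", "brand": None, "reason": ""}


if __name__ == "__main__":
    # Constructed sample domains; the last one is the Cyrillic-a PayPal in punycode form.
    samples = ["accounts.microsoft.com", "rnicrosoft.com", "micros0ft.com", "paypai.com",
               "paypal.com.secure-login.net", "github.com",
               "p\u0430ypal.com".encode("idna").decode("ascii")]
    for s in samples:
        v = classify(s)
        print(f"{s:32s} {v['verdict']:10s} {v['brand'] or '-':15s} {v['reason']}")
```

The order of checks matters: skeleton comparison runs first so that 'paypa1.com' is reported as a confusable rather than as a one-edit typo, and subdomains of the genuine brand are accepted before any lookalike test runs.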

V

Vishing

Voice phishing: fraud by phone call, increasingly using AI voice cloning. Often paired with an email or text ('our fraud team will call you shortly') to manufacture legitimacy.

W

Watering hole attack

Compromising a website the target group already visits and trusts, then using it to serve malware or harvest credentials — bringing the trap to the victims instead of luring them out.

Whaling

Spear phishing aimed at the biggest targets — executives, board members, finance leaders — where a single success can authorise very large transfers. Executive-grade protection exists for exactly this tier.

Z

Zero-day phishing

A phishing page or email so new that no blocklist, filter or browser warning has ever seen it. Most phishing pages live only hours — long enough to catch victims, short enough to stay off every list.

Keep going

See these techniques in the wild: the latest phishing techniques in 2026, the numbers behind them in phishing statistics 2026, or test your eye with the spot-the-fake quiz.


Frequently asked questions

What is the difference between phishing, smishing and vishing?

The channel: phishing is the umbrella term (usually email), smishing is phishing by SMS text, and vishing is phishing by voice call. The goal, tricking you into giving up credentials, data or money, is the same.

Which phishing techniques are hardest to defend against?

Adversary-in-the-middle (AiTM) kits, because they defeat MFA by stealing the session token after you authenticate, and browser-in-the-browser attacks, because they defeat the advice to check the address bar.

What is zero-day phishing?

A phishing page or email so new that no security tool has seen it before. Since most defences rely on recognising known threats, the first hours of a zero-day page are when most victims are caught.

See it for yourself

SafeToOpen adds real-time, zero-day protection in your browser and inbox — free to start.




Could you spot the fake?

Put this into practice: 12 real-world scams and genuine messages, two minutes, no sign-up.